Bug 1977261 - AVC denial comm="mdadm" name="dma_heap" dev="devtmpfs"
Summary: AVC denial comm="mdadm" name="dma_heap" dev="devtmpfs"
Keywords:
Status: CLOSED DUPLICATE of bug 1966834
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 9.0 Beta
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-29 10:42 UTC by Zdenek Veleba
Modified: 2021-06-29 11:18 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-29 11:03:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Zdenek Veleba 2021-06-29 10:42:48 UTC
During our testing we found an issue with the SELinux policy:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.8-1.el9.noarch
----
time->Tue Jun 29 09:29:24 2021
type=AVC msg=audit(1624973364.249:116): avc:  denied  { search } for  pid=668 comm="mdadm" name="dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:24 2021
type=AVC msg=audit(1624973364.249:117): avc:  denied  { getattr } for  pid=668 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:25 2021
type=AVC msg=audit(1624973365.130:143): avc:  denied  { search } for  pid=744 comm="mdadm" name="dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:25 2021
type=AVC msg=audit(1624973365.148:144): avc:  denied  { getattr } for  pid=744 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0

This happens when running the system on RAID1.

Installed using ks:
reqpart --add-boot
part swap --fstype="swap" --recommended --label=SWAP
part raid.01 --size=6144
part raid.02 --size=6144
raid / --device=0 --level=RAID1 raid.01 raid.02
bootloader --location=mbr --leavebootorder
clearpart --all --initlabel
keyboard us
lang en_US.UTF-8
rootpw anaconda
selinux --enforcing
timezone America/New_York
zerombr
network --bootproto dhcp
reboot
cmdline

With final storage setup:
NAME    MAJ:MIN RM SIZE RO TYPE  MOUNTPOINTS
vda     253:0    0  10G  0 disk  
|-vda1  253:1    0   1G  0 part  /boot
`-vda2  253:2    0   6G  0 part  
  `-md0   9:0    0   6G  0 raid1 /
vdb     253:16   0  10G  0 disk  
|-vdb1  253:17   0   6G  0 part  
| `-md0   9:0    0   6G  0 raid1 /
`-vdb2  253:18   0   4G  0 part  [SWAP]
vdc     253:32   0  10G  0 disk  
vdd     253:48   0  10G  0 disk  
vde     253:64   0  10G  0 disk  
vdf     253:80   0  10G  0 disk  

Found in version:
RHEL-9.0.0-20210616.0
selinux-policy-34.1.8-1.el9

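For triaging denials like the ones quoted in this report, the following parser is an added example; it is not part of the bug report, of mdadm or of selinux-policy. It uses only the Python standard library, takes the audit excerpt from the description above as its input, extracts the source type, target type, object class and permission set from each AVC record, and groups them the way audit2allow summarises denials before emitting an allow rule. The `te_rules` output is a hand-rolled rendering of that summary, not a call into audit2allow, and is meant for reading against the shipped policy (the report was closed as a duplicate of a policy bug), not for loading as-is.

```python
import re
from collections import defaultdict

# Audit excerpt copied from the bug description above (ausearch-style output,
# including the "----" separators and "time->" lines that are not AVC records).
AUDIT_EXCERPT = """----
time->Tue Jun 29 09:29:24 2021
type=AVC msg=audit(1624973364.249:116): avc:  denied  { search } for  pid=668 comm="mdadm" name="dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:24 2021
type=AVC msg=audit(1624973364.249:117): avc:  denied  { getattr } for  pid=668 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:25 2021
type=AVC msg=audit(1624973365.130:143): avc:  denied  { search } for  pid=744 comm="mdadm" name="dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
----
time->Tue Jun 29 09:29:25 2021
type=AVC msg=audit(1624973365.148:144): avc:  denied  { getattr } for  pid=744 comm="mdadm" path="/dev/dma_heap" dev="devtmpfs" ino=102 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dma_device_dir_t:s0 tclass=dir permissive=0
"""

# "{ search }" may hold several space-separated permissions; everything after
# "for" is a run of key=value fields, some of them double-quoted.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Pick the type field out of user:role:type[:range]; the MLS range may
    itself contain ':' (s0-s0:c0.c1023), so index from the front."""
    return ctx.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class) with the union of the
    permissions denied and whether any of them was enforced (permissive=0)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": False,
                                  "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # separators, time-> lines, SYSCALL records, etc.
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["enforced"] |= rec.get("permissive") == "0"
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def te_rules(summary):
    """Render each group as a policy allow rule in the .te syntax, sorted for
    stable output. This is the reading aid audit2allow would give, rendered here
    by hand; it is not the fix that was shipped."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }};"
        for (stype, ttype, tclass), g in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary = summarize(AUDIT_EXCERPT)
    for key, g in summary.items():
        state = "enforced" if g["enforced"] else "permissive only"
        print(f"{key}: {g['count']} denial(s), comm={sorted(g['comms'])}, {state}")
    for rule in te_rules(summary):
        print(rule)
```

Run against the excerpt it collapses the four records into one group, `mdadm_t` on `dma_device_dir_t:dir` needing `search` and `getattr`, which is the whole of what the report describes: mdadm in the `mdadm_t` domain walking `/dev` and stopping at `/dev/dma_heap`. Because `permissive=0`, the denials were enforced, so the search really was blocked rather than merely logged.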
Comment 2 Zdenek Pytela 2021-06-29 11:03:44 UTC
Please use the latest selinux-policy package version.

*** This bug has been marked as a duplicate of bug 1965411 ***

Comment 3 Zdenek Pytela 2021-06-29 11:18:37 UTC

*** This bug has been marked as a duplicate of bug 1966834 ***

