Bug 975643 - SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /dev/md126p1.
Summary: SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /...
Keywords:
Status: CLOSED DUPLICATE of bug 975495
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0df3125536922053ddfb3734b8c...
Depends On:
Blocks: F19-accepted, F19FinalFreezeException
Reported: 2013-06-19 02:26 UTC by Adam Williamson
Modified: 2013-06-19 18:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-19 18:31:43 UTC
Type: ---
Embargoed:



Description Adam Williamson 2013-06-19 02:26:26 UTC
Description of problem:
Doing a live install of F19 Final TC5 Desktop from an litd-written USB stick to an Intel firmware RAID-0 array.
SELinux is preventing /usr/sbin/mdadm from 'ioctl' accesses on the blk_file /dev/md126p1.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow mdadm to have ioctl access on the md126p1 blk_file
Then you need to change the label on /dev/md126p1 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/md126p1'
# restorecon -v '/dev/md126p1'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that mdadm should be allowed ioctl access on the md126p1 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mdadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/md126p1 [ blk_file ]
Source                        mdadm
Source Path                   /usr/sbin/mdadm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mdadm-3.2.6-19.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-52.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue
                              Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-18 22:24:36 EDT
Last Seen                     2013-06-18 22:24:36 EDT
Local ID                      b0e0447d-ef5f-42bd-b9da-ad61b729c999

Raw Audit Messages
type=AVC msg=audit(1371608676.819:435): avc:  denied  { ioctl } for  pid=2082 comm="mdadm" path="/dev/md126p1" dev="devtmpfs" ino=37046 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file


type=SYSCALL msg=audit(1371608676.819:435): arch=x86_64 syscall=ioctl success=yes exit=0 a0=3 a1=800c0910 a2=7fff8f8bb2e0 a3=7fff8f8bb0a0 items=0 ppid=2058 pid=2082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)

Hash: mdadm,mdadm_t,device_t,blk_file,ioctl

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport
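
As an added example, not part of this report and not code from setroubleshoot, mdadm or the selinux-policy project, the following POSIX shell script reconstructs the triage summary that setroubleshoot derives from a raw AVC record: it pulls the source and target types, object class and permission out of the `type=AVC` line quoted above, rebuilds the `Hash:` key, and decides whether the denial looks like a mislabeled object (a generic target type such as `device_t`, which is what the 'device' plugin keys on) or a policy gap worth reporting. The sample line is the one from this report, embedded inline so the script runs offline; the list of generic types and the `label_check` helper (which runs the `ls -Z` / `matchpathcon` comparison asked for later in this thread) are assumptions, and `label_check` only does anything on a host that has the SELinux tools installed.

```shell
#!/bin/sh
# Added example, not from the bug report: reconstruct setroubleshoot's triage
# summary from a raw AVC record so a denial can be read straight from audit.log.

# Constructed sample: the AVC line quoted in the report, embedded so this runs offline.
SAMPLE_AVC='type=AVC msg=audit(1371608676.819:435): avc:  denied  { ioctl } for  pid=2082 comm="mdadm" path="/dev/md126p1" dev="devtmpfs" ino=37046 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file'

# avc_field LINE KEY: print the value of KEY=value in LINE (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permission set inside the braces, e.g. "ioctl".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_hash LINE: rebuild the "Hash:" key setroubleshoot prints
# (comm,source type,target type,object class,permission).
avc_hash() {
    comm=$(avc_field "$1" comm)
    stype=$(avc_field "$1" scontext | cut -d: -f3)   # the type is the 3rd field of a context
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    printf '%s,%s,%s,%s,%s\n' "$comm" "$stype" "$ttype" "$tclass" "$(avc_perms "$1")"
}

# avc_triage LINE: "relabel" when the target carries a generic catch-all type
# (the condition the report's 'device' plugin keys on), otherwise "report".
# The list of generic types is an assumption made for this example.
avc_triage() {
    case $(avc_field "$1" tcontext | cut -d: -f3) in
        device_t|unlabeled_t|default_t|file_t) echo relabel ;;
        *) echo report ;;
    esac
}

# label_check PATH: on a host with SELinux tools, show the live label next to the
# label policy expects (the two commands requested in this thread). Assumed helper.
label_check() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not available here"; return 0; }
    [ -e "$1" ] || { echo "$1: not present on this host"; return 0; }
    ls -Z "$1"
    matchpathcon "$1"
}

avc_hash "$SAMPLE_AVC"     # mdadm,mdadm_t,device_t,blk_file,ioctl
avc_triage "$SAMPLE_AVC"   # relabel
label_check /dev/md126p1
```

The distinction matters for the remedy. A `relabel` result points at the first suggestion in the report (`semanage fcontext` plus `restorecon`), which changes only the one device node's label and leaves policy untouched. The `audit2allow -M` fallback instead generates a module granting `mdadm_t` ioctl access to every `blk_file` labeled `device_t`, a far broader allowance than the single mislabeled partition needs, so it is the wrong fix when the real cause is a labeling gap like the one this bug tracks.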

Comment 1 Adam Williamson 2013-06-19 02:27:59 UTC
Proposing as a final freeze exception: kinda hits " In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)", but this will only affect live installs to RAID, I think, so probably doesn't need to be a blocker.

Comment 2 Miroslav Grepl 2013-06-19 06:56:11 UTC
How is the device label now?

# ls -Z /dev/md126p1

# matchpathcon /dev/md126p1

Comment 3 Adam Williamson 2013-06-19 06:57:46 UTC
I can't reproduce this quite at will, it requires re-purposing my main workstation - how badly do you need the information?

Comment 4 Miroslav Grepl 2013-06-19 10:00:38 UTC
Actually we have another bug for this where Dan added fixes for it. So keep it as Modified until I do a new build/update with all the latest fixes (later today).

Comment 5 Tim Flink 2013-06-19 15:52:41 UTC
How closely is this related to #975495?

Comment 6 Adam Williamson 2013-06-19 18:31:43 UTC
Pretty sure it's the same thing, and what mgrepl referenced in c#4. Let's mark this as a dupe and transfer the FE status.

*** This bug has been marked as a duplicate of bug 975495 ***

