Cannot execute mdadm when policy is MLS
Environment
- Red Hat Enterprise Linux (RHEL) 7.4
- selinux-policy-mls-3.13.1-166.el7_4.7.noarch
Issue
Command /sbin/mdadm is not executable by sysadm_t in our policy. There is an SELINUX_ERR record in audit.log:
type=SYSCALL msg=audit(): arch=c000003e syscall=59 success=no exit=-13 a0=1fff930 a1=1ffbee0 a2=2006110 a3=7ffd72116750 items=0 ppid=2877 pid=2893 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(): op=security_compute_sid invalid_context=root:sysadm_r:mdadm_t:s0-s15:c0.c1023 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
I do not see a "role sysadm_r types mdadm_t;" statement in our policy.
Resolution
- Update to selinux-policy-3.13.1-229.el7, shipped with Advisory RHBA-2018:3111, or newer.
Root Cause
- Previously, the sysadm_r role was not associated with the mdadm_t domain. The type_transition from sysadm_t to mdadm_t on executing mdadm_exec_t files existed, so the kernel computed the new context root:sysadm_r:mdadm_t:s0-s15:c0.c1023, but because sysadm_r is not allowed to hold mdadm_t that context is invalid and execve fails with EACCES (exit=-13 in the SYSCALL record). With the fix, executing the mdadm command no longer fails in the MLS policy.
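To confirm the diagnosis on an affected host, and to bridge the gap where the updated selinux-policy package cannot be installed right away, the following script is an added example and not part of the Red Hat solution. It parses the SELINUX_ERR record quoted above (embedded here as a constructed sample) to pull out the role/type pair the kernel refused, prints the setools queries that show the domain transition is present while the role association is missing, and emits a one-line CIL module granting that association. The module name local_mdadm_sysadm, the assumption that only the role/type association is missing (the record already shows mdadm_t as the computed type, so the transition rule itself exists), and the choice of CIL over a .te module are mine, not the article's; the proper fix remains the package update in the Resolution.

```shell
#!/usr/bin/env bash
# Added example, not code from the Red Hat solution.
# Diagnose a security_compute_sid SELINUX_ERR record and produce a local CIL
# workaround that grants the missing role/type association.

# Constructed sample: the SELINUX_ERR record from the article (the timestamp
# is elided there, so it is left empty here too).
SAMPLE_RECORD='type=SELINUX_ERR msg=audit(): op=security_compute_sid invalid_context=root:sysadm_r:mdadm_t:s0-s15:c0.c1023 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process'

# missing_role_type RECORD
# Prints "ROLE TYPE" taken from the invalid_context field of a
# security_compute_sid error, i.e. the pair the policy does not associate.
# Returns 1 for any other audit record.
missing_role_type() {
    local line="$1" ctx role dom
    case "$line" in
        *"type=SELINUX_ERR"*"op=security_compute_sid"*"invalid_context="*) ;;
        *) return 1 ;;
    esac
    ctx=${line#*invalid_context=}     # user:role:type:range scontext=...
    ctx=${ctx%% *}                    # user:role:type:range
    role=$(printf '%s' "$ctx" | cut -d: -f2)
    dom=$(printf '%s' "$ctx" | cut -d: -f3)
    [ -n "$role" ] && [ -n "$dom" ] || return 1
    printf '%s %s\n' "$role" "$dom"
}

# check_commands ROLE TYPE SRC_TYPE EXEC_TYPE
# Prints the setools queries that confirm the diagnosis: the domain
# transition exists, but the role is not allowed to hold the target type.
# Both forms work with setools 3 (RHEL 7) and setools 4.
check_commands() {
    local role="$1" dom="$2" src="$3" exe="$4"
    cat <<EOF
# transition rule is present (the record already computed $dom as the new type):
sesearch -T -s $src -t $exe -c process
# the role/type association is what is missing; this prints nothing on an affected host:
seinfo --role=$role -x | grep -w $dom
EOF
}

# cil_module ROLE TYPE
# Minimal CIL module associating the role with the type; equivalent to the
# policy statement "role ROLE types TYPE;". Existing role and type symbols
# from the base policy are resolved when the module is linked.
cil_module() {
    printf '(roletype %s %s)\n' "$1" "$2"
}

main() {
    local pair role dom
    pair=$(missing_role_type "$SAMPLE_RECORD") || {
        echo "not a security_compute_sid record" >&2
        return 1
    }
    role=${pair%% *}
    dom=${pair#* }
    echo "role '$role' is not permitted to hold type '$dom'"
    check_commands "$role" "$dom" sysadm_t mdadm_exec_t
    echo "# workaround until the fixed selinux-policy is installed:"
    echo "# save the next line as local_mdadm_sysadm.cil (hypothetical name), then"
    echo "# semodule -i local_mdadm_sysadm.cil   (undo with: semodule -r local_mdadm_sysadm)"
    cil_module "$role" "$dom"
}

main "$@"
```

The CIL module only restores the role association; it adds no allow rules, so mdadm_t keeps exactly the permissions the shipped policy gives it. Remove the module with semodule -r once the updated package from the Resolution is installed, so the local override does not mask future policy changes.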
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.