Cannot execute mdadm when policy is MLS
Environment
- Red Hat Enterprise Linux (RHEL) 7.4
- selinux-policy-mls-3.13.1-166.el7_4.7.noarch
Issue
Command /sbin/mdadm is not executable by sysadm_t in our policy. There is an SELINUX_ERR record in audit.log:
type=SYSCALL msg=audit(): arch=c000003e syscall=59 success=no exit=-13 a0=1fff930 a1=1ffbee0 a2=2006110 a3=7ffd72116750 items=0 ppid=2877 pid=2893 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(): op=security_compute_sid invalid_context=root:sysadm_r:mdadm_t:s0-s15:c0.c1023 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
I do not see a role sysadm_r types mdadm_t in our policy.
Resolution
- Update to
selinux-policy-3.13.1-229.el7shipped with Advisory RHBA-2018:3111 or newer.
Root Cause
- Previously transition from
sysadmrole intomdadm_tdomain wasn't allowed. With the fix execution ofmdadmcommand doesn't fail inMLSpolicy.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments