Cannot execute mdadm when policy is MLS

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7.4
  • selinux-policy-mls-3.13.1-166.el7_4.7.noarch

Issue

The command /sbin/mdadm is not executable by sysadm_t in our policy. There is an SELINUX_ERR record in audit.log:

type=SYSCALL msg=audit(): arch=c000003e syscall=59 success=no exit=-13 a0=1fff930 a1=1ffbee0 a2=2006110 a3=7ffd72116750 items=0 ppid=2877 pid=2893 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(): op=security_compute_sid invalid_context=root:sysadm_r:mdadm_t:s0-s15:c0.c1023 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process

I do not see a "role sysadm_r types mdadm_t" rule in our policy.

Resolution

  • Update to selinux-policy-3.13.1-229.el7 shipped with Advisory RHBA-2018:3111 or newer.

Root Cause

  • Previously, the transition from the sysadm role into the mdadm_t domain was not allowed. With the fix, execution of the mdadm command no longer fails under the MLS policy.
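
The following is an added example, not part of the original solution or of Red Hat's tooling: a small parser that finds SELINUX_ERR records like the one above and reports which role/type pairing to check in the policy. The function names and the extra AVC sample line are assumptions made for illustration.

```python
import re

# Constructed sample: the SELINUX_ERR record from this article plus one unrelated AVC line.
SAMPLE_LOG = """\
type=SELINUX_ERR msg=audit(): op=security_compute_sid invalid_context=root:sysadm_r:mdadm_t:s0-s15:c0.c1023 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
type=AVC msg=audit(): avc:  denied  { read } for  pid=1 comm="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """Split user:role:type[:range]. The MLS range itself contains ':'
    (s0-s15:c0.c1023), so only the first three colons are separators."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": typ, "range": level}


def failed_transitions(log_text):
    """Return one finding per SELINUX_ERR record in which a transition
    context was computed and then rejected as invalid."""
    findings = []
    for line in log_text.splitlines():
        if not line.startswith("type=SELINUX_ERR"):
            continue
        f = dict(FIELD.findall(line))
        if f.get("op") != "security_compute_sid" or "invalid_context" not in f:
            continue
        bad = split_context(f["invalid_context"])
        findings.append({
            "source_domain": split_context(f["scontext"])["type"],
            "entrypoint": split_context(f["tcontext"])["type"],
            "target_domain": bad["type"],
            # Candidate cause to verify: the role is not authorized for the type.
            "rule_to_check": "role %s types %s;" % (bad["role"], bad["type"]),
        })
    return findings


if __name__ == "__main__":
    for item in failed_transitions(SAMPLE_LOG):
        print(item)
```

The reported pairing can then be compared with the loaded policy, for example with seinfo -r sysadm_r -x from setools, before and after the selinux-policy update.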
