<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi List,<br>
<br>
I have a Debian Squeeze server with SELinux enabled on it and I've
got some strange behaviour when I try to use <i>mdadm</i> with it.
SELinux seems to block access to /sbin/mdadm for sysadm_u (sysadm_r)
users:<br>
<br>
root@eros:~# id -Z<br>
sysadm_u:sysadm_r:sysadm_t:s0<br>
root@eros:~# getenforce <br>
Enforcing<br>
root@eros:~# mdadm<br>
-su: /sbin/mdadm: Permission denied<br>
root@eros:~# ls -Z /sbin/mdadm<br>
system_u:object_r:mdadm_exec_t:s0 /sbin/mdadm<br>
root@eros:~# <br>
<br>
<br>
Error reported in /var/log/audit/audit.log is:<br>
<br>
type=SELINUX_ERR msg=audit(1326905111.640:60):
security_compute_sid: invalid context sysadm_u:system_r:mdadm_t:s0
for scontext=sysadm_u:sysadm_r:sysadm_t:s0
tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process<br>
type=SYSCALL msg=audit(1326905111.640:60): arch=c000003e syscall=59
success=no exit=-13 a0=28afde8 a1=28e1f48 a2=2854008 a3=0 items=0
ppid=2033 pid=2093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash"
exe="/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0 key=(null)<br>
<br>
<br>
I tried to change my user mapping; same result and error message:<br>
<br>
bozhin@eros:~$ id -Z<br>
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023<br>
bozhin@eros:~$ su -<br>
Password: <br>
root@eros:~# id -Z<br>
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023<br>
root@eros:~# mdadm<br>
-su: /sbin/mdadm: Permission denied<br>
<br>
<br>
As far as I know sysadm_u (or staff_u with sysadm_r) should be used
to administer an SELinux system. However, the above problem may render
a server unbootable in case there is software RAID configured and
kernel security updates are installed - in this case SELinux may
prevent <i>update-grub</i> from building a correct bootable configuration
for the new kernel. Update-grub just prints an error message about
the boot/root/whatever device on /dev/md{0,1,2,...} and then continues
as usual, but this message can be easily ignored or overlooked (I
ignored it; it looked like a warning message to me). This is either a
severe bug in the SELinux policy or me not knowing how to administer my
shiny new SELinux servers :)<br>
<br>
Can someone comment on this problem?<br>
<br>
Bozhin<br>
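<br>
Added example (not part of Bozhin's message): a small Python script that parses SELINUX_ERR and SYSCALL records of the kind quoted above, extracts the context that security_compute_sid rejected, and checks whether its role is one the SELinux user is authorised for. The sample records are constructed from the ones in the message, and USER_ROLES is an assumed stand-in for what <i>semanage user -l</i> reports on the host.<br>
<br>

```python
import re

# Constructed sample records, modelled on the two quoted in the message (one record per line).
AUDIT_SAMPLE = """\
type=SELINUX_ERR msg=audit(1326905111.640:60): security_compute_sid: invalid context sysadm_u:system_r:mdadm_t:s0 for scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1326905111.640:60): arch=c000003e syscall=59 success=no exit=-13 a0=28afde8 a1=28e1f48 a2=2854008 a3=0 items=0 ppid=2033 pid=2093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0 key=(null)
"""

# Assumed SELinux user -> authorised roles table (what `semanage user -l` would show); constructed here.
USER_ROLES = {"sysadm_u": {"sysadm_r"}, "system_u": {"system_r"}}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value fields of an audit record
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # timestamp:serial shared by records of one event
INVALID_RE = re.compile(r'invalid context (\S+) for ')  # the context security_compute_sid rejected

def parse_context(ctx):
    """Split user:role:type[:range] into its fields."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus the event serial."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(2) if m else None
    m = INVALID_RE.search(line)
    if m:
        rec["invalid_context"] = m.group(1)
    return rec

def diagnose(audit_text, user_roles):
    """One finding per SELINUX_ERR whose computed context carries a role the SELinux
    user is not authorised for, joined with the SYSCALL record of the same event."""
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    syscalls = {r["event"]: r for r in records if r.get("type") == "SYSCALL"}
    findings = []
    for r in records:
        if r.get("type") != "SELINUX_ERR" or "invalid_context" not in r:
            continue
        new, src = parse_context(r["invalid_context"]), parse_context(r["scontext"])
        allowed = user_roles.get(new["user"], set())
        if new["role"] in allowed:
            continue  # role is permitted for this user; the invalid context has another cause
        sc = syscalls.get(r["event"], {})
        findings.append({
            "event": r["event"], "user": new["user"],
            "from": f'{src["role"]}:{src["type"]}', "to": f'{new["role"]}:{new["type"]}',
            "reason": f'{new["user"]} is not authorised for role {new["role"]} (has {sorted(allowed)})',
            # syscall 59 is execve on x86_64 and exit -13 is EACCES: the shell's "Permission denied"
            "execve_denied": sc.get("syscall") == "59" and sc.get("exit") == "-13",
        })
    return findings
```

Run against a real audit.log, the same check tells you whether a transition failure is a role-authorisation gap (the user lacks the role the transition produced) rather than a plain type-enforcement denial, which is what <i>audit2allow</i> would otherwise be asked to explain.<br>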
</body>
</html>