[DSE-User] security_compute_sid error for mdadm
Bozhin Zafirov
bozhin.zafirov at ebl.bg
Wed Jan 18 17:16:19 UTC 2012
Hi List,
I have a Debian Squeeze server with SELinux enabled on it and I've got
some strange behaviour when I try to use mdadm with it. SELinux seems
to block access to /sbin/mdadm for sysadm_u (sysadm_r) users:
root@eros:~# id -Z
sysadm_u:sysadm_r:sysadm_t:s0
root@eros:~# getenforce
Enforcing
root@eros:~# mdadm
-su: /sbin/mdadm: Permission denied
root@eros:~# ls -Z /sbin/mdadm
system_u:object_r:mdadm_exec_t:s0 /sbin/mdadm
root@eros:~#
Error reported in /var/log/audit/audit.log is:
type=SELINUX_ERR msg=audit(1326905111.640:60): security_compute_sid: invalid context sysadm_u:system_r:mdadm_t:s0 for scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1326905111.640:60): arch=c000003e syscall=59 success=no exit=-13 a0=28afde8 a1=28e1f48 a2=2854008 a3=0 items=0 ppid=2033 pid=2093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0 key=(null)
I tried to change my user mapping, same result and error message:
bozhin@eros:~$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
bozhin@eros:~$ su -
Password:
root@eros:~# id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
root@eros:~# mdadm
-su: /sbin/mdadm: Permission denied
As far as I know, sysadm_u (or staff_u with sysadm_r) should be used to
administer a SELinux system. However, the above problem may render a
server unbootable in case there is software RAID configured and kernel
security updates are installed: in this case SELinux may prevent
update-grub from building a correct bootable configuration for the new
kernel. update-grub just prints an error message about the
boot/root/whatever device on /dev/md{0,1,2,...} and then continues as
usual, but this message can easily be ignored or overlooked (I ignored
it; it looked like a warning message to me). This is either a severe bug
in the SELinux policy or me not knowing how to administer my shiny new
SELinux servers :)
Can someone comment on this problem?
Bozhin
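The SELINUX_ERR record above is the kernel refusing a computed context rather than a missing allow rule, so a plain `audit2allow` run will not explain it. The following parser, added here as an illustration and not code from the original post or from any SELinux project, splits the record quoted in the post into its contexts, reports which fields of the computed context differ from the caller's context, and checks the computed user/role pair against a user-to-role table. That table (`USER_ROLES`) is a hypothetical stand-in for what the loaded policy authorises (on a real host you would read it from `seinfo`); it is an assumption of this example, as is the `diagnose` helper's name.

```python
"""Parse and diagnose an SELinux 'security_compute_sid: invalid context' record.

Added example; not code from the original post. The audit record is the one
quoted in the post, re-joined onto a single line. The user-to-role table is a
hypothetical stand-in for the policy's own authorisations and is an
assumption of this example.
"""
import re

# Audit record quoted in the post, re-joined onto one line (the mail archive
# wrapped it).
SELINUX_ERR_LINE = (
    "type=SELINUX_ERR msg=audit(1326905111.640:60): security_compute_sid: "
    "invalid context sysadm_u:system_r:mdadm_t:s0 for "
    "scontext=sysadm_u:sysadm_r:sysadm_t:s0 "
    "tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process"
)

# Hypothetical user -> authorised roles table. This is an ASSUMPTION for the
# example; on a real host the loaded policy is authoritative (e.g. `seinfo`).
USER_ROLES = {
    "sysadm_u": {"sysadm_r"},
    "system_u": {"system_r"},
}

FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split 'user:role:type[:range]' into a dict.

    The MLS range itself may contain ':' (e.g. s0-s0:c0.c1023), so split on
    at most three separators and keep the remainder as the range.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % (ctx,))
    parts += [None] * (4 - len(parts))
    return dict(zip(FIELDS, parts))


_COMPUTE_SID_RE = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"security_compute_sid: invalid context (?P<invalid>\S+) for "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)"
)


def parse_compute_sid_error(line):
    """Return the record's fields with contexts split, or None if it is not one."""
    m = _COMPUTE_SID_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("invalid", "scontext", "tcontext"):
        rec[key] = split_context(rec[key])
    return rec


def diagnose(rec, user_roles):
    """Explain why the kernel rejected the computed context.

    On execve the new process context is derived from the caller's context
    and the executable's context: the type via a type_transition rule, the
    role via a role_transition rule if one matches. The result must then be a
    valid context, i.e. the user must be authorised for the role. If it is
    not, the kernel logs this SELINUX_ERR record and execve fails with EACCES,
    which is the exit=-13 in the accompanying SYSCALL record.
    """
    src, bad = rec["scontext"], rec["invalid"]
    changed = [f for f in FIELDS if src[f] != bad[f]]
    allowed = user_roles.get(bad["user"], set())
    missing = None
    if bad["role"] not in allowed:
        missing = (bad["user"], bad["role"])
    return {
        "changed": changed,
        "unauthorized_role": bad["role"] if missing else None,
        "missing": missing,
        "summary": "%s:%s:%s executing %s computed role %s / type %s; "
                   "user %s %s authorised for role %s" % (
                       src["user"], src["role"], src["type"],
                       rec["tcontext"]["type"], bad["role"], bad["type"],
                       bad["user"], "is not" if missing else "is", bad["role"]),
    }


if __name__ == "__main__":
    record = parse_compute_sid_error(SELINUX_ERR_LINE)
    print(diagnose(record, USER_ROLES)["summary"])
```

The field that changed tells you where to look: a role change means a role_transition rule fired on exec, so either the user must be authorised for the resulting role or the policy must keep the caller's role and associate the target type with it. On the affected host, `seinfo` lists the roles a user is authorised for and `sesearch` shows the transition rules that apply to sysadm_t executing mdadm_exec_t.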