[DSE-User] security_compute_sid error for mdadm

Bozhin Zafirov bozhin.zafirov at ebl.bg
Wed Jan 18 17:16:19 UTC 2012


Hi List,

I have a Debian Squeeze server with SELinux enabled on it, and I've got 
some strange behaviour when I try to use mdadm with it. SELinux seems 
to block access to /sbin/mdadm for sysadm_u (sysadm_r) users:

root at eros:~# id -Z
sysadm_u:sysadm_r:sysadm_t:s0
root at eros:~# getenforce
Enforcing
root at eros:~# mdadm
-su: /sbin/mdadm: Permission denied
root at eros:~# ls -Z /sbin/mdadm
system_u:object_r:mdadm_exec_t:s0 /sbin/mdadm
root at eros:~#


Error reported in /var/log/audit/audit.log is:

type=SELINUX_ERR msg=audit(1326905111.640:60): security_compute_sid:  
invalid context sysadm_u:system_r:mdadm_t:s0 for 
scontext=sysadm_u:sysadm_r:sysadm_t:s0 
tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1326905111.640:60): arch=c000003e syscall=59 
success=no exit=-13 a0=28afde8 a1=28e1f48 a2=2854008 a3=0 items=0 
ppid=2033 pid=2093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" 
exe="/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0 key=(null)


I tried to change my user mapping, same result and error message:

bozhin at eros:~$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
bozhin at eros:~$ su -
Password:
root at eros:~# id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
root at eros:~# mdadm
-su: /sbin/mdadm: Permission denied


As far as I know, sysadm_u (or staff_u with sysadm_r) should be used to 
administer a SELinux system. However, the above problem may render a 
server unbootable in case there is software RAID configured and kernel 
security updates are installed - in this case SELinux may prevent 
update-grub from building a correct bootable configuration for the new 
kernel. Update-grub just prints an error message about the 
boot/root/whatever device on /dev/md{0,1,2,...} and then continues as 
usual, but this message can be easily ignored or overlooked (I ignored 
it; it looked like a warning message to me). This is either a severe bug in 
the SELinux policy or me not knowing how to administer my shiny new SELinux 
servers :)

Can someone comment on this problem?

Bozhin
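Added example (not part of the post or of the Debian policy): a small Python parser for the SELINUX_ERR record quoted above that pulls out the computed, source and target contexts and names the two pairings a context must satisfy (user authorized for role, role authorized for type), since a transition whose computed context fails that validation is what security_compute_sid reports as "invalid context". The audit lines are constructed from the post's record and re-joined onto single lines; the seinfo commands in the comments are the setools tools a practitioner would use to confirm which pairing the loaded policy lacks.

```python
import re

# Constructed sample: the SELINUX_ERR and SYSCALL records quoted in the post,
# each re-joined onto one line as auditd writes them.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1326905111.640:60): security_compute_sid:  invalid context sysadm_u:system_r:mdadm_t:s0 for scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:mdadm_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1326905111.640:60): arch=c000003e syscall=59 success=no exit=-13 comm="bash" exe="/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0 key=(null)
"""

ERR_RE = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"security_compute_sid:\s+invalid context (?P<new>\S+) for "
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else ""}

def diagnose(new_ctx, src_ctx):
    """List the pairings the rejected context must have failed on.

    The kernel rejects a computed context when its user is not authorized
    for its role, or its role is not authorized for its type. Confirm with
    setools: `seinfo -u <user> -x` and `seinfo -r <role> -x`.
    """
    new, src = split_context(new_ctx), split_context(src_ctx)
    findings = []
    if new["role"] != src["role"]:
        findings.append(f"transition to {new['type']} switched role "
                        f"{src['role']} -> {new['role']}: is user "
                        f"{new['user']} authorized for role {new['role']}?")
    findings.append(f"is role {new['role']} authorized for type {new['type']}?")
    return findings

def scan(audit_text):
    """One record per SELINUX_ERR compute_sid line, with findings attached."""
    records = []
    for line in audit_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["findings"] = diagnose(rec["new"], rec["src"])
            records.append(rec)
    return records
```

Calling scan(SAMPLE_AUDIT) returns one record whose first finding points at the sysadm_u / system_r pairing that the mdadm_t transition selects; feeding it a real /var/log/audit/audit.log works the same way, since only SELINUX_ERR compute_sid lines are matched.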