View Issue Details

ID: 0013251
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-08-09 09:09
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0013251: SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the file /dev/shm/PostgreSQL.1014540122.
Description:
Description of problem:
SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the file /dev/shm/PostgreSQL.1014540122.

***** Plugin catchall (100. confidence) suggests **************************

If aby mdadm powinno mieć domyślnie getattr dostęp do PostgreSQL.1014540122 file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
allow this access for now by executing:
# ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm
# semodule -i my-mdadm.pp

Additional Information:
Source Context system_u:system_r:mdadm_t:s0-s0:c0.c1023
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /dev/shm/PostgreSQL.1014540122 [ file ]
Source mdadm
Source Path /usr/sbin/mdadm
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.16.1.el7.x86_64 #1 SMP
                              Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64
Alert Count 2
First Seen 2017-05-13 03:28:05 UTC
Last Seen 2017-05-13 03:28:08 UTC
Local ID 39c69958-1825-4839-aba0-a9854e8d9d0c

Raw Audit Messages
type=AVC msg=audit(1494646088.400:27626): avc: denied { getattr } for pid=15112 comm="mdadm" path="/dev/shm/PostgreSQL.1014540122" dev="tmpfs" ino=29231 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file

Hash: mdadm,mdadm_t,tmpfs_t,file,getattr

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.16.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.




2018-11-14 05:42

reporter   ~0033107

The same will happen accidentally without pgsql.
type=AVC msg=audit(1542162242.583:6901): avc: denied { getattr } for pid=21480 comm="mdadm" path="/dev/shm/ad_401_lsystem_shm" dev="tmpfs" ino=195454676 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file


2019-02-03 14:56

reporter   ~0033762

I am seeing the same issue. The access failure seems to lead to a resync of the metadevice (in my case the root, '/') on which /dev/shm is mounted, which drives up the load on the machine.

I ran the suggested commands to create a local selinux policy:

ausearch -c 'mdadm' --raw | audit2allow -M my-mdadm
semodule -i my-mdadm.pp

If anything bad happens as a result, I will update here.

/dev/shm is a temporary file system; its content is in RAM. To access it, I don't think the 'md' driver is invoked. It is probably the case that there is no real need for mdadm to concern itself with /dev/shm and its contents, but I've been unable to find any kind of switch or configuration option to tell mdadm to ignore /dev/shm.


2019-08-09 09:09

reporter   ~0034939

Another user experienced a similar problem:

trying to install Blackmagicdesign Desktop Video 11.3

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-957.27.2.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.15.noarch
reason: SELinux is preventing /usr/sbin/mdadm from 'getattr' accesses on the fichier /dev/shm/com_blackmagicdesign_DeckLinkDiscoveryNotifier.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2017-05-13 09:49 gigalamer New Issue
2018-11-14 05:42 TuxHandwerker Note Added: 0033107
2019-02-03 14:56 Clovis_Sangrail Note Added: 0033762
2019-08-09 09:09 stefaz Note Added: 0034939