http://bugzilla.opensuse.org/show_bug.cgi?id=1202090

Bug ID: 1202090
Summary: [SELinux] mdadm / mdmonitor systemd service not allowed to write env (mdadm_env.sh)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: alexander.wenzel@qbeyond.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The mdmonitor and mdcheck systemd services create an ENV file before starting.

--- cut ---
EnvironmentFile=-/run/sysconfig/mdadm
ExecStartPre=-/usr/lib/mdadm/mdadm_env.sh
--- cut ---

Due to a bad type transition, the shell script is not allowed to write the ENV file. The script will create a directory "sysconfig" under /var/run [var_run_t] in the context of [unconfined_service_t]. The directory will be labeled with [net_conf_t], which is not accessible by [init_t].

Flow:
systemd [init_t]
  -> executes mdadm_env.sh [init_t]
  -> mkdir sysconfig [unconfined_service_t]
  -> echo ENV [init_t] -- denied

--- cut ---
# sesearch -T -s init_t -t var_run_t | grep net_conf_t
type_transition init_t var_run_t:dir net_conf_t cloud-init;

# sesearch -T -s unconfined_service_t -t var_run_t | grep net_conf_t
type_transition unconfined_service_t var_run_t:dir net_conf_t;
--- cut ---

Tested with a freshly installed openSUSE Tumbleweed 20220731 in "server" role and SELinux set in permissive mode.

--- cut ---
# ausearch -m AVC -ts boot -se init_t -c mdadm_env.sh
----
time->Wed Aug 3 09:00:15 2022
type=AVC msg=audit(1659510015.835:162): avc: denied { add_name } for pid=1505 comm="mdadm_env.sh" name="mdadm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
----
time->Wed Aug 3 09:00:15 2022
type=AVC msg=audit(1659510015.835:163): avc: denied { create } for pid=1505 comm="mdadm_env.sh" name="mdadm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Wed Aug 3 09:00:15 2022
type=AVC msg=audit(1659510015.835:164): avc: denied { write } for pid=1505 comm="mdadm_env.sh" path="/run/sysconfig/mdadm" dev="tmpfs" ino=1283 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Wed Aug 3 09:00:15 2022
type=AVC msg=audit(1659510015.835:165): avc: denied { append } for pid=1505 comm="mdadm_env.sh" name="mdadm" dev="tmpfs" ino=1283 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
--- cut ---

IMHO adding [net_conf_t] to the init policy [init_t] seems not right. Maybe adding mdadm_env.sh to the raid policy [mdadm_exec_t] is a better way to go? As this is a SUSE-specific issue, I'm not sure where to add a patch (selinux policy upstream / obs - policy project).

Quickly reproducible with:

--- cut ---
# runcon system_u:object_r:init_t:s0 mkdir /run/transition_ok
# runcon system_u:object_r:init_t:s0 bash -c "mkdir /run/transition_bad"
# ls -dlZ /run/transition*
--- cut ---

To watch transitions, use strace with selinux compiled in.
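Added example, not part of the bug report and not mdadm or openSUSE project code: a small parser for the AVC records quoted above that groups the denials by source type, target type and object class, the same triage step audit2allow performs. It shows why the four records collapse into two rules against init_t -> net_conf_t, and that every record carries permissive=1, so the same script would fail in enforcing mode. The sample input is the report's own four records with the ausearch "time->" separators dropped; the function names and the audit2allow-style rule rendering are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records from the report, one per line
# (the "----" / "time->" separators printed by ausearch have been dropped).
SAMPLE_AVC = """\
type=AVC msg=audit(1659510015.835:162): avc: denied { add_name } for pid=1505 comm="mdadm_env.sh" name="mdadm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1659510015.835:163): avc: denied { create } for pid=1505 comm="mdadm_env.sh" name="mdadm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659510015.835:164): avc: denied { write } for pid=1505 comm="mdadm_env.sh" path="/run/sysconfig/mdadm" dev="tmpfs" ino=1283 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1659510015.835:165): avc: denied { append } for pid=1505 comm="mdadm_env.sh" name="mdadm" dev="tmpfs" ino=1283 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # ausearch shows either the full path or only the name component
        "object": fields.get("path") or fields.get("name"),
        # permissive=1: the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            groups[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def render_rules(summary):
    """Render each group as the allow rule audit2allow would propose.

    For this report that rule is the quick fix the reporter argues against:
    the root cause is the net_conf_t label on /run/sysconfig, not a missing
    init_t permission, so the rule is shown for triage, not as the fix.
    """
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]


def would_break_in_enforcing(text):
    """Commands whose denials were only logged because the system was permissive."""
    return sorted({r["comm"] for r in map(parse_avc, text.splitlines()) if r and r["permissive"]})


if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_AVC)):
        print(rule)
    print("would break in enforcing mode:", would_break_in_enforcing(SAMPLE_AVC))
```

Running the block prints the two rules and the single affected command, mdadm_env.sh. Seeing the whole denial set reduced to init_t acting on net_conf_t objects under /run/sysconfig is what points at the label of the directory rather than at the init_t domain, which is the reporter's conclusion above.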