Any idea what is causing these AVCs?
time->Wed Dec 16 03:27:02 2015 type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for pid=10738 comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" dev="efivarfs" ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
Hi,
The mdadm tool is trying to read a file in the efivarfs partition. Are you using UEFI secure boot? We have some reported bugs for this issue [1][2]. I would say we should allow this.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1287203
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1276519
Regards, Lukas.
On 12/17/2015 01:32 PM, David Highley wrote:
> Any idea what is causing these AVCs?
> time->Wed Dec 16 03:27:02 2015 type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for pid=10738 comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" dev="efivarfs" ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
On Dec 17, 2015 05:55, Lukas Vrabec lvrabec@redhat.com wrote:
> Hi,
> The mdadm tool is trying to read a file in the efivarfs partition. Are you using UEFI secure boot?
Yes
> We have some reported bugs for this issue [1][2]. I would say we should allow this.
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1287203
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1276519
I do not know the syntax as audit2allow does not suggest anything for this AVC.
> Regards, Lukas.
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
I added the changes. It will be allowed in the next versions of the selinux-policy package.
On 12/17/2015 03:37 PM, David Highley wrote:
> On Dec 17, 2015 05:55, Lukas Vrabec lvrabec@redhat.com wrote:
>> Hi,
>> The mdadm tool is trying to read a file in the efivarfs partition. Are you using UEFI secure boot?
> Yes
>> We have some reported bugs for this issue [1][2]. I would say we should allow this.
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1287203
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1276519
> I do not know the syntax as audit2allow does not suggest anything for this AVC.
>> Regards, Lukas.
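An added example, not part of the original thread and not the selinux-policy project's own change: a short Python script that parses the AVC record quoted in the thread and derives the type-enforcement rule matching that denial, wrapped in a local policy module. The module name `local_mdadm_efivarfs` and all function names are assumptions made for this illustration.

```python
import re

# AVC record copied from the thread above; it is the only input, nothing is read from disk.
AVC = ('type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for pid=10738 '
       'comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" dev="efivarfs" '
       'ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0')

def parse_avc(record):
    """Split one AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if m is None:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields

def context_type(context):
    """Return the type, the third field of user:role:type:level."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]

def allow_rule(fields):
    """Build the type-enforcement rule that would permit the denied access."""
    perms = sorted(fields['perms'])
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (context_type(fields['scontext']),
                                   context_type(fields['tcontext']),
                                   fields['tclass'], perm_str)

def local_module(name, fields):
    """Wrap the rule in a .te module; the module name is chosen by the caller."""
    src, tgt = context_type(fields['scontext']), context_type(fields['tcontext'])
    return '\n'.join([
        'module %s 1.0;' % name, '',
        'require {',
        '    type %s;' % src,
        '    type %s;' % tgt,
        '    class %s { %s };' % (fields['tclass'], ' '.join(sorted(fields['perms']))),
        '}', '',
        allow_rule(fields), ''])

if __name__ == '__main__':
    print(local_module('local_mdadm_efivarfs', parse_avc(AVC)))
```

The printed module can be compiled and loaded with `checkmodule -M -m`, `semodule_package` and `semodule -i`. Review the derived rule before loading it, since it grants mdadm_t read access to every file labelled efivarfs_t, not only the one variable named in the record.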