Dear Daniel,
BTW This will be fixed in the RHEL6.4 version of policy.
is new policy already available in rhel6.4?
On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh dwalsh@redhat.com wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/12/2013 07:35 AM, Ilyas -- wrote:
Hello,
I'm using HP homeserver where host system run CentOS 6.3 with KVM virtualization with SELinux enabled, guests too run the same OS (but without SELinux, but this does not matter).
Host system installed on mirrors based on sda and sdb physical disks. sd{c..f} disks attached to KVM guest (whole disks, not partitions; needed to use zfs (zfsonlinux) benefit features). Problem is that disks (files in /dev) which attached to KVM guest has SELinux context which inaccessible from context of smartd process.
[root@srv-1.home ~]# ls -laZ /dev/sd{a..f} brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
[root@srv-1.home ~]# ps axwZ | grep smart[d] system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
When I restarts smartd next messages appears in audit.log: [root@srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
I tried to create SELinux policy using audit2allow: [root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image [root@srv-1.home ~]# semodule -i smartd_svirt_image.pp but it not helped to solve problem.
How I can create permissive rule for selinux in my case?
Thank you.
BTW This will be fixed in the RHEL6.4 version of policy.
Now if people would just pay for subscriptions...
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlD0QU0ACgkQrlYvE4MpobOOMACfQaJuZn+FZ9RQarjU8r8x0cdK ch8AoJ1f/srOEgu6dTDKP2m8ow6mQ8ER =cCad -----END PGP SIGNATURE----- _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos