Mode set to permissive:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why results:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2why type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Create loadable module:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2allow -M smartd_my ******************** IMPORTANT *********************** To make this policy package active, execute:
semodule -i smartd_my.pp
Load module:
[root@srv-1.home ~]# semodule -i smartd_my.pp [root@srv-1.home ~]# echo $? 0
Check that module exists in modules list:
[root@srv-1.home ~]# semodule -l | grep smartd smartd_my 1.0
Check that current mode is enforcing:
[root@srv-1.home ~]# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted
Restart smartd (service smartd restart) and check audit.log again:
[root@srv-1.home tmp]# tail -F /var/log/audit/audit.log | grep type=AVC type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why run on last AVCs: [root@srv-1.home tmp]# cat 2.log | audit2why type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
Where my mistake?
On Sun, Jan 13, 2013 at 2:55 AM, Gordon Messmer yinyang@eburg.com wrote:
On 01/12/2013 04:35 AM, Ilyas -- wrote:
[root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image [root@srv-1.home ~]# semodule -i smartd_svirt_image.pp but it not helped to solve problem.
How I can create permissive rule for selinux in my case?
If you need to create your own rules, the first thing you need to do is capture the audit log, and set the system into permissive mode:
tail -f /var/log/audit/audit.log In a new terminal: setenforce permissive
Now, run the process that's generating AVCs. Run through its standard operations. When that's done, use all of the relevant AVCs that you captured through audit2why to make sure that there's not an existing boolean that can be flipped. Assuming there isn't, run them through audit2allow -M.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos