Hello,
I'm using an HP home server where the host system runs CentOS 6.3 with KVM virtualization and SELinux enabled; the guests run the same OS (without SELinux, but this does not matter).
The host system is installed on mirrors based on the sda and sdb physical disks. The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed to use the benefit features of zfs (zfsonlinux)). The problem is that the disks (files in /dev) which are attached to the KVM guest have an SELinux context which is inaccessible from the context of the smartd process.
[root@srv-1.home ~]# ls -laZ /dev/sd{a..f}
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf

[root@srv-1.home ~]# ps axwZ | grep smart[d]
system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
When I restart smartd, the following messages appear in audit.log:
[root@srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
I tried to create an SELinux policy using audit2allow:
[root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
[root@srv-1.home ~]# semodule -i smartd_svirt_image.pp
but it did not help to solve the problem.
How can I create a permissive rule for SELinux in my case?
Thank you.
On 01/12/2013 04:35 AM, Ilyas -- wrote:
[root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
[root@srv-1.home ~]# semodule -i smartd_svirt_image.pp
but it did not help to solve the problem.
How can I create a permissive rule for SELinux in my case?
If you need to create your own rules, the first thing you need to do is capture the audit log, and set the system into permissive mode:
tail -f /var/log/audit/audit.log
In a new terminal:
setenforce permissive
Now, run the process that's generating AVCs. Run through its standard operations. When that's done, use all of the relevant AVCs that you captured through audit2why to make sure that there's not an existing boolean that can be flipped. Assuming there isn't, run them through audit2allow -M.
Mode set to permissive:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why results:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2why
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Create loadable module:
[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2allow -M smartd_my
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i smartd_my.pp
Load module:
[root@srv-1.home ~]# semodule -i smartd_my.pp
[root@srv-1.home ~]# echo $?
0
Check that module exists in modules list:
[root@srv-1.home ~]# semodule -l | grep smartd
smartd_my 1.0
Check that current mode is enforcing:
[root@srv-1.home ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Restart smartd (service smartd restart) and check audit.log again:
[root@srv-1.home tmp]# tail -F /var/log/audit/audit.log | grep type=AVC
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why run on the last AVCs:
[root@srv-1.home tmp]# cat 2.log | audit2why
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by: Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
Where is my mistake?
On Sun, Jan 13, 2013 at 2:55 AM, Gordon Messmer yinyang@eburg.com wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
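The two audit2why verdicts above (missing TE rule before the module, constraint violation after it) follow from SELinux checking an allow rule first and the MCS category constraint second. The model below, an added example and not code from the thread, replays that decision on two of the AVC records quoted above; its Policy class is an assumed miniature of the relevant RHEL 6 policy pieces, not a libsepol binding.

```python
"""
Why audit2why gave two different verdicts for the same smartd denials.

SELinux grants an access only when (1) a type-enforcement (TE) allow rule
matches and (2) every constraint covering that permission holds. On the
targeted policy with MCS, read/getattr on block devices is also subject to
the MCS constraint: the subject's category set must dominate (be a superset
of) the object's, unless the subject type carries the mcsreadall attribute,
which is what mcs_file_read_all() grants. smartd runs as fsdaemon_t at plain
s0 while the guest's disks are svirt_image_t:s0:c281,c675, so the module
from audit2allow only moved the failure from stage (1) to stage (2).

Added example, not code from the thread. Policy is an assumed miniature of
the relevant RHEL 6 policy pieces, not a libsepol binding.
"""
import re
from dataclasses import dataclass, field

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Classes and permissions the MCS read constraint covers (the part relevant here).
MCS_READ_CLASSES = {"file", "lnk_file", "fifo_file", "dir", "chr_file", "blk_file", "sock_file"}
MCS_READ_PERMS = {"read", "getattr", "execute"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    sensitivity: str
    categories: frozenset


def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:s0:c281,c675'; categories, ranges and a high level may be absent."""
    user, role, type_, *level = ctx.split(":")
    high = (":".join(level) or "s0").split("-")[-1]  # MCS constraints compare the high level
    sensitivity, _, cats = high.partition(":")
    categories = set()
    for tok in filter(None, cats.split(",")):
        lo, _, hi = tok.partition(".")  # "c0.c1023" is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return Context(user, role, type_, sensitivity, frozenset(categories))


@dataclass
class Policy:
    allow: set = field(default_factory=set)       # (source type, target type, class, perm)
    mcsreadall: set = field(default_factory=set)  # types carrying the mcsreadall attribute


def decide(policy: Policy, avc_line: str) -> str:
    """Return an audit2why-style verdict for one AVC record under the given policy."""
    m = AVC_RE.search(avc_line)
    if not m:
        raise ValueError("not an AVC denial record: " + avc_line)
    subj, obj = parse_context(m["scontext"]), parse_context(m["tcontext"])
    tclass = m["tclass"]
    for perm in m["perms"].split():
        if (subj.type_, obj.type_, tclass, perm) not in policy.allow:
            return "Missing type enforcement (TE) allow rule."
        constrained = tclass in MCS_READ_CLASSES and perm in MCS_READ_PERMS
        # MCS has a single sensitivity (s0), so dominance reduces to a superset test.
        if constrained and subj.type_ not in policy.mcsreadall and not subj.categories >= obj.categories:
            return "Policy constraint violation."
    return "Allowed."


# Two of the records quoted in the thread (getattr and read on /dev/sdc).
AVCS = [
    'type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" '
    'path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
    'type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" '
    'name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
]

# What "audit2allow -M smartd_my" put into the module: the TE rule and nothing else.
AUDIT2ALLOW_RULES = {("fsdaemon_t", "svirt_image_t", "blk_file", p)
                     for p in ("getattr", "read", "open", "ioctl")}


def verdicts(policy: Policy) -> list:
    return [decide(policy, line) for line in AVCS]


def before_module() -> list:
    return verdicts(Policy())


def after_audit2allow() -> list:
    return verdicts(Policy(allow=set(AUDIT2ALLOW_RULES)))


def after_mcs_file_read_all() -> list:
    return verdicts(Policy(allow=set(AUDIT2ALLOW_RULES), mcsreadall={"fsdaemon_t"}))


if __name__ == "__main__":
    for name, fn in (("base policy", before_module),
                     ("+ smartd_my.pp", after_audit2allow),
                     ("+ mcs_file_read_all(fsdaemon_t)", after_mcs_file_read_all)):
        print(name, fn())
```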
On 01/13/2013 04:11 AM, Ilyas -- wrote:
Where my mistake?
Good question. I don't see "{ read }" in your early AVC list, so it's possible that you hadn't yet run through all of the standard operations for smartd when you generated the policy. However, "{ getattr }" appears both before and after, and that's odd.
What ended up in the file smartd_my.te?
On 01/13/2013 08:40 PM, Gordon Messmer wrote:
You are seeing a constraint violation.
Add mcs_file_read_all(fsdaemon_t) to your te file, recompile and install.
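As an added illustration (not a file from the thread) of what the finished smartd_my.te would contain: audit2allow writes its .te in the raw module/require syntax that checkmodule compiles, which cannot expand reference-policy interfaces such as mcs_file_read_all(), so the module has to be rewritten in the policy_module() form below and built with the Makefile shipped in selinux-policy-devel.

```te
policy_module(smartd_my, 1.0)

gen_require(`
	type fsdaemon_t;
	type svirt_image_t;
')

# The rule audit2allow generated. It is needed, but on its own it only turns
# "missing TE rule" into "policy constraint violation", because the MCS
# constraint on blk_file is evaluated in addition to the allow rule.
allow fsdaemon_t svirt_image_t:blk_file { getattr read open ioctl };

# Gives fsdaemon_t (smartd) the mcsreadall attribute, so the MCS read
# constraint no longer requires s0 to dominate s0:c281,c675.
mcs_file_read_all(fsdaemon_t)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile smartd_my.pp` followed by `semodule -i smartd_my.pp`. Note that mcs_file_read_all() exempts smartd from the MCS check for every category set, not only the four guest disks, so it is broader than the per-guest isolation sVirt otherwise enforces.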
On 01/12/2013 07:35 AM, Ilyas -- wrote:
BTW This will be fixed in the RHEL6.4 version of policy.
Now if people would just pay for subscriptions...
Daniel!
Great news!
Thank you.
On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh dwalsh@redhat.com wrote:
BTW This will be fixed in the RHEL6.4 version of policy.
Now if people would just pay for subscriptions...
Dear Daniel,
BTW This will be fixed in the RHEL6.4 version of policy.
Is the new policy already available in RHEL 6.4?
On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 03/10/2013 09:11 AM, Ilyas -- wrote:
Dear Daniel,
BTW This will be fixed in the RHEL6.4 version of policy.
Is the new policy already available in RHEL 6.4?
Yes I believe so.
On 03/10/2013 09:11 AM, Ilyas -- wrote:
Yes.
In which package/version?
I've updated my home NAS to CentOS 6.4, but it still has problems accessing the drives which are passed to the virtual machines.
On Mon, Mar 11, 2013 at 6:31 PM, Daniel J Walsh dwalsh@redhat.com wrote:
On 03/11/2013 01:10 PM, Ilyas -- wrote:
In which package/version?
I've updated my home NAS to CentOS 6.4, but it still has problems accessing the drives which are passed to the virtual machines.
I believe it should be in selinux-policy-3.7.19-195.el6