[CentOS] selinux + kvm virtualization + smartd problem

Sun Jan 13 12:11:13 UTC 2013
Ilyas -- <umask00 at gmail.com>

Mode set to permissive:

[root at srv-1.home ~]# cat /tmp/1.log | grep type=AVC
type=AVC msg=audit(1358078455.215:9598): avc:  denied  { getattr } for
 pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc:  denied  { read } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc:  denied  { open } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9600): avc:  denied  { ioctl } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

audit2why results:

[root at srv-1.home ~]# cat /tmp/1.log  | grep type=AVC | audit2why
type=AVC msg=audit(1358078455.215:9598): avc:  denied  { getattr } for
 pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9599): avc:  denied  { read } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9599): avc:  denied  { open } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9600): avc:  denied  { ioctl } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


Create loadable module:

[root at srv-1.home ~]# cat /tmp/1.log  | grep type=AVC | audit2allow -M smartd_my
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i smartd_my.pp


Load module:

[root at srv-1.home ~]# semodule -i smartd_my.pp
[root at srv-1.home ~]# echo $?
0

Check that module exists in modules list:

[root at srv-1.home ~]# semodule -l | grep smartd
smartd_my	1.0	

Check that current mode is enforcing:

[root at srv-1.home ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted


Restart smartd (service smartd restart) and check audit.log again:

[root at srv-1.home tmp]# tail -F /var/log/audit/audit.log  | grep type=AVC
type=AVC msg=audit(1358078926.829:9609): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9610): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9611): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9612): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9614): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9615): avc:  denied  { read } for
pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9616): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

audit2why run on last AVCs:
[root at srv-1.home tmp]# cat 2.log | audit2why
type=AVC msg=audit(1358078926.829:9609): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9610): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9611): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9612): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9613): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9614): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9615): avc:  denied  { read } for
pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9616): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy
the constraint.

		Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).



Where is my mistake?

On Sun, Jan 13, 2013 at 2:55 AM, Gordon Messmer <yinyang at eburg.com> wrote:
> On 01/12/2013 04:35 AM, Ilyas -- wrote:
>> [root at srv-1.home  ~]# cat /var/log/audit/audit.log | grep smartd |
>> audit2allow -M smartd_svirt_image
>> [root at srv-1.home  ~]# semodule -i smartd_svirt_image.pp
>> but it did not help to solve the problem.
>>
>> How can I create a permissive rule for SELinux in my case?
>
> If you need to create your own rules, the first thing you need to do is
> capture the audit log, and set the system into permissive mode:
>
>    tail -f /var/log/audit/audit.log
> In a new terminal:
>    setenforce permissive
>
> Now, run the process that's generating AVCs.  Run through its standard
> operations.  When that's done, use all of the relevant AVCs that you
> captured through audit2why to make sure that there's not an existing
> boolean that can be flipped.  Assuming there isn't, run them through
> audit2allow -M.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos



-- 
GPG Key ID: 6EC5EB27
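As an added example (not part of this thread or of any of the tools it mentions): a Python check over the AVC records quoted above that predicts the outcome seen here. The svirt_image_t target carries the MCS categories c281,c675 while the fsdaemon_t source has none, so the denial is an MCS constraint violation that an audit2allow module cannot satisfy; audit2why only reports it once the TE rule exists, whereas comparing the categories up front tells you before loading anything. The sample records are copied from the mail, including its line wrapping.

```python
import re

# AVC records constructed from the audit output quoted above; the mail wraps each
# record over several lines, so the parser re-joins them before matching.
SAMPLE_LOG = """\
type=AVC msg=audit(1358078926.829:9609): avc:  denied  { getattr } for
 pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc:  denied  { read } for
pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
"""
AVC_RE = re.compile(r'denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)".*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def join_records(text):
    """Re-join AVC records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=AVC"):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records

def mcs_categories(context):
    """Category numbers of a context: ...:s0:c281,c675 -> {281, 675}; ...:s0 -> set()."""
    fields, cats = context.split(":"), set()
    for part in (fields[4].split(",") if len(fields) > 4 else []):
        lo, _, hi = part.partition(".")        # ranges are written c0.c1023
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def classify(record):
    """Report whether a TE allow rule can satisfy this denial at all: the MCS constraint
    needs the subject's categories to dominate the object's, so categories the subject
    lacks keep the access denied even after audit2allow adds the rule."""
    m = AVC_RE.search(record)
    if not m:
        return None
    missing = mcs_categories(m["tcontext"]) - mcs_categories(m["scontext"])
    return {"comm": m["comm"], "perms": m["perms"].split(), "tclass": m["tclass"],
            "target_type": m["tcontext"].split(":")[2],
            "missing_categories": sorted(missing), "fixable_by_allow_rule": not missing}

if __name__ == "__main__":
    for r in filter(None, map(classify, join_records(SAMPLE_LOG))):
        print(r)
```

A record whose tcontext has no categories (for example a plain `...:s0` block device) comes back with `fixable_by_allow_rule` set, which is the case where the audit2allow workflow from the reply above is sufficient.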