Mode set to permissive:

[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

audit2why results:

[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2why
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Create loadable module:

[root@srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2allow -M smartd_my
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i smartd_my.pp

Load module:

[root@srv-1.home ~]# semodule -i smartd_my.pp
[root@srv-1.home ~]# echo $?
0

Check that module exists in modules list:

[root@srv-1.home ~]# semodule -l | grep smartd
smartd_my	1.0

Check that current mode is enforcing:

[root@srv-1.home ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Restart smartd (service smartd restart) and check audit.log again:

[root@srv-1.home tmp]# tail -F /var/log/audit/audit.log | grep type=AVC
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

audit2why run on last AVCs:

[root@srv-1.home tmp]# cat 2.log | audit2why
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

Where is my mistake?

On Sun, Jan 13, 2013 at 2:55 AM, Gordon Messmer <yinyang at eburg.com> wrote:
> On 01/12/2013 04:35 AM, Ilyas -- wrote:
>> [root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd |
>> audit2allow -M smartd_svirt_image
>> [root@srv-1.home ~]# semodule -i smartd_svirt_image.pp
>> but it did not help to solve the problem.
>>
>> How can I create a permissive rule for selinux in my case?
>
> If you need to create your own rules, the first thing you need to do is
> capture the audit log, and set the system into permissive mode:
>
> tail -f /var/log/audit/audit.log
> In a new terminal:
> setenforce permissive
>
> Now, run the process that's generating AVCs. Run through its standard
> operations. When that's done, use all of the relevant AVCs that you
> captured through audit2why to make sure that there's not an existing
> boolean that can be flipped. Assuming there isn't, run them through
> audit2allow -M.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
GPG Key ID: 6EC5EB27
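The two audit2why runs in the message above differ in one detail that explains the outcome: once smartd_my.pp is loaded, the type-enforcement rule audit2allow generated exists, so audit2why moves on to the next reason for the denial, the MCS constraint. The source context is fsdaemon_t at level s0 with no categories, while the target is svirt_image_t at s0:c281,c675; under MLS/MCS dominance a level dominates another only when its sensitivity is at least as high and its category set is a superset, so s0 cannot dominate s0:c281,c675, and no allow rule changes that. The script below is an added example, not code from the thread or from the audit2allow/audit2why tools: it parses AVC records, applies that dominance check to the scontext/tcontext levels, and splits denials into those a TE module could fix and those that hit the category constraint, aggregating each group into the allow rule an audit2allow run would emit. It goes slightly beyond the thread by also handling level ranges such as s0-s0:c0.c1023. The sample records are constructed: four are copies of the denials quoted above, and the last one, against a made-up type my_disk_t at a matching level, only exists to exercise the plain TE branch.

```python
"""Triage SELinux AVC denials: missing TE rule vs MCS category mismatch."""
import re
from collections import defaultdict

# 'avc: denied { perms } for key=value ...' (audit prints extra spaces).
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values may be double-quoted (comm, path, name).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_level(level):
    """Parse 's0', 's0:c281,c675' or a range 's0-s0:c0.c1023'.

    The MCS constraint compares the high end of a range, so only the part
    after the last '-' is kept. Returns (sensitivity, frozenset(categories)).
    """
    high = level.rsplit('-', 1)[-1]
    sens, _, cats = high.partition(':')
    categories = set()
    for item in filter(None, cats.split(',')):
        if '.' in item:                       # 'c0.c1023' is an inclusive range
            lo, hi = (int(c[1:]) for c in item.split('.'))
            categories.update(range(lo, hi + 1))
        else:
            categories.add(int(item[1:]))
    return int(sens[1:]), frozenset(categories)


def dominates(high, low):
    """MLS dominance: sensitivity not lower and categories a superset."""
    return high[0] >= low[0] and high[1] >= low[1]


def parse_context(ctx):
    user, role, typ, level = ctx.split(':', 3)   # level may itself contain ':'
    return {'user': user, 'role': role, 'type': typ, 'level': parse_level(level)}


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'tclass': fields['tclass'],
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
    }


def classify(avc):
    """'te' if an allow rule could satisfy the denial, 'mcs' if the source
    level does not dominate the target level (a TE rule alone cannot fix it)."""
    return 'te' if dominates(avc['source']['level'], avc['target']['level']) else 'mcs'


def allow_rules(avcs):
    """Fold denials into allow rules keyed by (source type, target type, class)."""
    perms = defaultdict(set)
    for a in avcs:
        perms[(a['source']['type'], a['target']['type'], a['tclass'])].update(a['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def triage(lines):
    report = defaultdict(list)
    for avc in filter(None, map(parse_avc, lines)):
        report[classify(avc)].append(avc)
    return report


# Constructed sample input (see lead-in): four records copied from the thread,
# plus one invented record against a hypothetical type 'my_disk_t' at level s0.
SAMPLE_LOG = [
    'type=AVC msg=audit(1358078455.215:9598): avc:  denied  { getattr } for  pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
    'type=AVC msg=audit(1358078455.425:9599): avc:  denied  { read } for  pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
    'type=AVC msg=audit(1358078455.425:9599): avc:  denied  { open } for  pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
    'type=AVC msg=audit(1358078455.425:9600): avc:  denied  { ioctl } for  pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file',
    'type=AVC msg=audit(1358078999.000:9700): avc:  denied  { read } for  pid=2700 comm="smartd" name="sdb" dev=devtmpfs ino=6300 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:my_disk_t:s0 tclass=blk_file',
]

if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    print('# fixable with a TE module (audit2allow -M):')
    print('\n'.join(allow_rules(report['te'])))
    print('# blocked by the MCS constraint even with this rule loaded:')
    for a in report['mcs']:
        s, t = a['source']['level'], a['target']['level']
        print(f"#   {a['comm']} {a['path']}: source level {s} does not dominate {t}")
    print('\n'.join(allow_rules(report['mcs'])))
```

Run it against `grep type=AVC /var/log/audit/audit.log` piped into `SAMPLE_LOG` in place of the constructed list; anything that lands in the `mcs` bucket will keep failing in enforcing mode no matter how many modules audit2allow produces, which is exactly the pattern the second audit2why run in the thread shows.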