[CentOS] selinux + kvm virtualization + smartd problem

Mon Jan 14 18:27:33 UTC 2013
Ilyas -- <umask00 at gmail.com>

Daniel!

Great news!

Thank you.


On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 01/12/2013 07:35 AM, Ilyas -- wrote:
>> Hello,
>>
>> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
>> virtualization and SELinux enabled; the guests run the same OS (but
>> without SELinux, which does not matter here).
>>
>> The host system is installed on mirrors built from the sda and sdb physical disks.
>> The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed
>> to use the zfs (zfsonlinux) features). The problem is that the disks (files in
>> /dev) attached to the KVM guest have an SELinux context which is inaccessible
>> from the context of the smartd process.
>>
>> [root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>>
>> [root at srv-1.home ~]# ps axwZ | grep smart[d]
>> system_u:system_r:fsdaemon_t:s0  1762 ?        S      0:00 /usr/sbin/smartd -q never
>>
>> When I restart smartd, the following messages appear in audit.log:
>>
>> [root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
>> type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.965:8530): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.966:8531): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.966:8532): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8534): avc:  denied  { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8535): avc:  denied  { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8536): avc:  denied  { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>
>> I tried to create an SELinux policy module using audit2allow:
>>
>> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
>> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>>
>> but it did not help to solve the problem.
>>
>> How can I create a permissive rule for SELinux in my case?
>>
>> Thank you.
>>
> BTW This will be fixed in the RHEL6.4 version of policy.
>
> Now if people would just pay for subscriptions...
>
-- 
GPG Key ID: 6EC5EB27
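The triage step that the thread leaves implicit, as an added example (written for this page, not code from Ilyas, Daniel or the CentOS/RHEL policy): parse the AVC records from audit.log, group the denied permissions by (source type, target type, object class) the way audit2allow does, and separately flag records whose source and target carry different MCS levels, since a plain allow rule does not touch the level part of a context. The sample records are constructed from the ones quoted in the thread; the function names are this example's own.

```python
"""Triage SELinux AVC denials from audit.log.

Added example, not from the mailing-list thread. Groups denials into the
allow rules audit2allow would emit, and flags source/target MCS level
mismatches such as fsdaemon_t:s0 vs svirt_image_t:s0:c281,c675.
"""
import re
from collections import defaultdict

# Constructed sample, copied in shape from the AVC records quoted in the thread.
# The SYSCALL line is there to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc:  denied  { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8534): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC denial record: the permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c281,c675)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_avc(text):
    """Return one dict per AVC denial record; other record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": split_context(m.group("scon")),
            "target": split_context(m.group("tcon")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize(denials):
    """Merge denials keyed on (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        key = (d["source"]["type"], d["target"]["type"], d["tclass"])
        rules[key] |= d["perms"]
    return {k: sorted(v) for k, v in rules.items()}


def allow_rules(denials):
    """Render the merged denials as policy allow rules, one per key."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summarize(denials).items())
    ]


def mcs_mismatches(denials):
    """Denials whose source and target levels differ; an allow rule alone does not
    change levels, so these deserve a look at the policy's MCS handling as well."""
    out = set()
    for d in denials:
        if d["source"]["level"] != d["target"]["level"]:
            out.add((d["source"]["type"], d["source"]["level"],
                     d["target"]["type"], d["target"]["level"]))
    return sorted(out)


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    print(f"{len(found)} AVC denials")
    for rule in allow_rules(found):
        print(rule)
    for stype, slevel, ttype, tlevel in mcs_mismatches(found):
        print(f"level mismatch: {stype}:{slevel} -> {ttype}:{tlevel}")
```

Feed it `grep type=AVC /var/log/audit/audit.log` instead of the constructed sample to triage a real host; the rule output is the same shape as `audit2allow -M` would generate, and the mismatch list tells you which denials to read alongside the policy's MCS constraints before deciding whether a local module is the right fix or whether, as in this thread, an updated distribution policy is what is needed.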