Daniel! Great news! Thank you.

On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
> On 01/12/2013 07:35 AM, Ilyas -- wrote:
>> Hello,
>>
>> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
>> virtualization with SELinux enabled; the guests run the same OS (but
>> without SELinux, though this does not matter).
>>
>> The host system is installed on mirrors based on the sda and sdb physical disks.
>> The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed
>> to use the zfs (zfsonlinux) features). The problem is that the disks (files in
>> /dev) which are attached to the KVM guest have an SELinux context which is inaccessible
>> from the context of the smartd process.
>>
>> [root@srv-1.home ~]# ls -laZ /dev/sd{a..f}
>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>>
>> [root@srv-1.home ~]# ps axwZ | grep smart[d]
>> system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
>>
>> When I restart smartd, the following messages appear in audit.log:
>>
>> [root@srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
>> type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>
>> I tried to create an SELinux policy using audit2allow:
>>
>> [root@srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
>> [root@srv-1.home ~]# semodule -i smartd_svirt_image.pp
>>
>> but it did not help to solve the problem.
>>
>> How can I create a permissive rule for SELinux in my case?
>>
>> Thank you.
>>
> BTW This will be fixed in the RHEL6.4 version of policy.
>
> Now if people would just pay for subscriptions...
>

-- 
GPG Key ID: 6EC5EB27
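As an added example, not part of this thread and not the SELinux project's own tooling: a small Python parser for AVC records of the shape quoted above. It groups the denied permissions by (source type, target type, object class) and renders the allow rule that audit2allow would propose for each group, so an administrator can see exactly how broad a local policy module would be (here, fsdaemon_t gaining getattr and read on every svirt_image_t block device, regardless of the MCS categories that sVirt uses to keep guests apart) before deciding whether to install it or, as the reply suggests, wait for the updated distribution policy. The sample log lines are constructed from the records in the thread; the regular expressions, function names and the rendered rule format are this example's own assumptions.

```python
import re
import os
from collections import defaultdict

# Constructed sample, modelled on the AVC records quoted in the thread:
# smartd (fsdaemon_t) denied getattr/read on svirt_image_t block devices.
# A SYSCALL record is included to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for  pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for  pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc:  denied  { read } for  pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8534): arch=c000003e syscall=2 success=no exit=-13 comm="smartd"
"""

# Assumed record layout (hypothetical regex, tolerant of the double spaces
# the kernel actually emits and of the single spaces seen in mail quoting).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # getattr records carry path="/dev/sdc", read records carry name="sdc";
    # normalise both to the device basename.
    target = fields.get('path') or fields.get('name')
    if target:
        target = os.path.basename(target)
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'target': target,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """user:role:type[:range] -> type (the part an allow rule is written on)."""
    return ctx.split(':')[2]


def summarize_denials(text, comm=None):
    """Group denied permissions by (source type, target type, class).

    Also records which objects were touched and the MCS ranges of the
    targets, which the type-level allow rule would not distinguish.
    """
    groups = defaultdict(lambda: {'perms': set(), 'targets': set(), 'ranges': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if comm and rec['comm'] != comm:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key]['perms'] |= rec['perms']
        groups[key]['targets'].add(rec['target'])
        groups[key]['ranges'].add(':'.join(rec['tcontext'].split(':')[3:]))
    return dict(groups)


def render_allow_rules(summary):
    """Render, per group, an allow rule in the shape audit2allow proposes."""
    rules = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        perms = ' '.join(sorted(info['perms']))
        rules.append(f'allow {stype} {ttype}:{tclass} {{ {perms} }};')
    return rules


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG, comm='smartd')
    for (stype, ttype, tclass), info in summary.items():
        print(f'{stype} -> {ttype}:{tclass} perms={sorted(info["perms"])} '
              f'targets={sorted(info["targets"])} target ranges={sorted(info["ranges"])}')
    for rule in render_allow_rules(summary):
        print(rule)
```

Run against a real log with something like `ausearch -m avc --raw`, the summary shows what a generated module would grant at the type level; the recorded MCS ranges are a reminder that the rule applies to every guest's disks, not only the one whose denial was observed.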