[CentOS] selinux + kvm virtualization + smartd problem
Ilyas --
umask00 at gmail.com
Sun Jan 13 12:11:13 UTC 2013
Mode set to permissive:
[root at srv-1.home ~]# cat /tmp/1.log | grep type=AVC
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why results:
[root at srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2why
type=AVC msg=audit(1358078455.215:9598): avc: denied { getattr } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { read } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9599): avc: denied { open } for
pid=2521 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1358078455.425:9600): avc: denied { ioctl } for
pid=2521 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Create loadable module:
[root at srv-1.home ~]# cat /tmp/1.log | grep type=AVC | audit2allow -M smartd_my
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i smartd_my.pp
Load module:
[root at srv-1.home ~]# semodule -i smartd_my.pp
[root at srv-1.home ~]# echo $?
0
Check that module exists in modules list:
[root at srv-1.home ~]# semodule -l | grep smartd
smartd_my 1.0
Check that current mode is enforcing:
[root at srv-1.home ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Restart smartd (service smartd restart) and check audit.log again:
[root at srv-1.home tmp]# tail -F /var/log/audit/audit.log | grep type=AVC
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for
pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for
pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for
pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for
pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
audit2why run on last AVCs:
[root at srv-1.home tmp]# cat 2.log | audit2why
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9610): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9611): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078926.829:9612): avc: denied { getattr } for
pid=2654 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for
pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9614): avc: denied { read } for
pid=2654 comm="smartd" name="sdd" dev=devtmpfs ino=6321
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9615): avc: denied { read } for
pid=2654 comm="smartd" name="sde" dev=devtmpfs ino=6324
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
type=AVC msg=audit(1358078927.185:9616): avc: denied { read } for
pid=2654 comm="smartd" name="sdf" dev=devtmpfs ino=6330
scontext=unconfined_u:system_r:fsdaemon_t:s0
tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy
the constraint.
Constraints are defined in the policy sources in policy/constraints
(general), policy/mcs (MCS), and policy/mls (MLS).
Where is my mistake?
On Sun, Jan 13, 2013 at 2:55 AM, Gordon Messmer <yinyang at eburg.com> wrote:
> On 01/12/2013 04:35 AM, Ilyas -- wrote:
>> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd |
>> audit2allow -M smartd_svirt_image
>> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>> but it did not help to solve the problem.
>>
>> How can I create a permissive rule for SELinux in my case?
>
> If you need to create your own rules, the first thing you need to do is
> capture the audit log, and set the system into permissive mode:
>
> tail -f /var/log/audit/audit.log
> In a new terminal:
> setenforce permissive
>
> Now, run the process that's generating AVCs. Run through its standard
> operations. When that's done, use all of the relevant AVCs that you
> captured through audit2why to make sure that there's not an existing
> boolean that can be flipped. Assuming there isn't, run them through
> audit2allow -M.
>
--
GPG Key ID: 6EC5EB27
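An added triage helper for the denials shown in this thread (my own example, not code from the thread or from any CentOS/SELinux tool): it parses AVC lines and flags the ones where the target label carries MCS categories that the source domain lacks, which is the MCS constraint case that an audit2allow TE rule cannot satisfy. The sample lines are constructed after the ones in the thread, joined back onto single lines; the handling of category ranges (c10.c12) goes beyond what the thread shows.

```python
import re

# Constructed sample lines modelled on the thread's denials: smartd (fsdaemon_t at plain s0)
# touching a disk libvirt relabelled svirt_image_t:s0:c281,c675, plus one plain-s0 target.
SAMPLE_AVCS = """\
type=AVC msg=audit(1358078926.829:9609): avc: denied { getattr } for pid=2654 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358078927.185:9613): avc: denied { read } for pid=2654 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1358079000.000:9700): avc: denied { read } for pid=2654 comm="smartd" name="sdb" dev=devtmpfs ino=6300 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_context(ctx):
    """Split user:role:type:level; the level may carry MCS categories (s0:c281,c675)."""
    user, role, typ, level = ctx.split(":", 3)
    parts = level.split(":", 1)
    cats = set()
    if len(parts) == 2:
        for item in parts[1].split(","):
            if "." in item:  # a range such as c10.c12 expands to every category in between
                lo, hi = (int(x[1:]) for x in item.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(item[1:]))
    return {"user": user, "role": role, "type": typ, "sens": parts[0], "cats": cats}


def classify(line):
    """Return a triage record for one AVC line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = parse_context(m.group("scontext"))
    tgt = parse_context(m.group("tcontext"))
    # MCS requires the subject's categories to dominate (be a superset of) the object's;
    # a plain-s0 domain can never dominate a categorised target, so no TE rule will help.
    mcs_block = not tgt["cats"] <= src["cats"]
    return {
        "comm": m.group("comm"), "perm": m.group("perm").strip(), "tclass": m.group("tclass"),
        "stype": src["type"], "ttype": tgt["type"],
        "cause": "mcs_constraint" if mcs_block else "te_rule",
    }


def triage(log_text):
    """Classify every AVC line in a captured audit log excerpt."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]
```

audit2why checks the TE decision before the constraints, which is why the permissive-mode run reported only a missing TE rule and the constraint violation surfaced once smartd_my.pp was loaded; the helper above spots the category mismatch before any module is generated.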