[CentOS] selinux + kvm virtualization + smartd problem
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 14 17:33:01 UTC 2013
On 01/12/2013 07:35 AM, Ilyas -- wrote:
> Hello,
>
> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
> virtualization and SELinux enabled; the guests run the same OS (but
> without SELinux, though this does not matter).
>
> The host system is installed on mirrors based on the sda and sdb physical disks.
> The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed
> to use the zfs (zfsonlinux) benefit features). The problem is that the disks (files in
> /dev) which are attached to the KVM guest have an SELinux context which is inaccessible
> from the context of the smartd process.
>
> [root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>
> [root at srv-1.home ~]# ps axwZ | grep smart[d]
> system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
>
> When I restart smartd, the following messages appear in audit.log:
>
> [root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
> type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>
> I tried to create an SELinux policy module using audit2allow:
>
> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>
> but it did not help to solve the problem.
>
> How can I create a permissive rule for SELinux in my case?
>
> Thank you.
>
BTW, this will be fixed in the RHEL6.4 version of policy.
Now if people would just pay for subscriptions...
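To triage denials like the ones quoted in this thread without reading the log by hand, here is an added example (my own code, not from the thread, from audit2allow or from the RHEL policy) that parses AVC records, collapses them into the allow rule audit2allow would generate, and flags the detail that distinguishes these records: the target context carries the MCS categories sVirt stamped on /dev/sdc..sdf while the smartd source context is plain s0. The sample records are constructed from the thread's output.

```python
import re
from collections import defaultdict

# Constructed sample: two of the AVC records from the thread plus an unrelated
# SYSCALL record, to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8533): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record per line: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """Split user:role:type:level; the level itself may contain ':' (s0:c281,c675)."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def parse_avc(text):
    """Yield (source type, target type, class, perms, source level, target level) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype, slevel = split_context(m.group("scontext"))
        _, _, ttype, tlevel = split_context(m.group("tcontext"))
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split()), slevel, tlevel


def summarize(text):
    """Collapse denials into allow-rule lines; append a note when the MCS levels of
    source and target differ, since a plain type rule alone does not address that."""
    rules = defaultdict(set)       # (stype, ttype, tclass) -> permissions
    levels = defaultdict(set)      # (stype, ttype, tclass) -> {(slevel, tlevel)} when different
    for stype, ttype, tclass, perms, slevel, tlevel in parse_avc(text):
        key = (stype, ttype, tclass)
        rules[key] |= perms
        if slevel != tlevel:
            levels[key].add((slevel, tlevel))
    out = []
    for key, perms in sorted(rules.items()):
        line = "allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(sorted(perms)))
        if key in levels:
            line += "  # MCS levels differ: " + ", ".join("%s vs %s" % p for p in sorted(levels[key]))
        out.append(line)
    return out
```

Run it over /var/log/audit/audit.log filtered with grep smartd, as the thread does, to see every source/target pair smartd is denied against and whether an MCS category gap is involved.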