[CentOS] selinux + kvm virtualization + smartd problem

Sat Jan 12 12:35:30 UTC 2013
Ilyas -- <umask00 at gmail.com>

Hello,

I'm using an HP home server where the host system runs CentOS 6.3 with KVM
virtualization with SELinux enabled; the guests also run the same OS (but
without SELinux, though this does not matter).

The host system is installed on mirrors based on the sda and sdb physical disks.
The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions;
needed to use the benefits of zfs (zfsonlinux) features). The problem is that
the disks (files in /dev) which are attached to the KVM guest have an SELinux
context which is inaccessible from the context of the smartd process.

[root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf

[root at srv-1.home ~]# ps axwZ | grep smart[d]
system_u:system_r:fsdaemon_t:s0  1762 ?        S      0:00 /usr/sbin/smartd -q never

When I restart smartd, the following messages appear in audit.log:
[root at srv-1.home ~]# tail -F /var/log/audit/audit.log   | grep type=AVC
type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.965:8530): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8531): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8532): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc:  denied  { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8535): avc:  denied  { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8536): avc:  denied  { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

I tried to create an SELinux policy using audit2allow:
[root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
[root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
but it did not help to solve the problem.

How can I create a permissive rule for SELinux in my case?

Thank you.

-- 
GPG Key ID: 6EC5EB27
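The triage step behind the audit2allow workflow described in the post, as an added example that is not part of the original message: a small parser that reads raw `type=AVC` records from audit.log, groups the denials by (source type, target type, object class), and renders the `allow` rule audit2allow would derive from them. Running it over the log after `semodule -i` makes it easy to see whether the denials still being logged are the same tuples the loaded module covers or something different (a new permission, class or target type). The sample input below is constructed from two of the records quoted above plus one unrelated SYSCALL record; no real audit.log is read.

```python
"""Summarise SELinux AVC denials from audit.log records.

Added example (not part of the original mailing-list post). It parses
``type=AVC`` records, groups them by (source type, target type, object class),
collects the denied permissions per group and renders the ``allow`` rule that
audit2allow would emit for the same input.
"""
import re
from collections import defaultdict

# Constructed sample: one getattr and one read denial from the post, each on a
# single line as audit.log stores them, plus a non-AVC record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8533): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields of interest in an AVC denial record; permissions sit inside { }.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (user:role:type:level) of an SELinux context.

    MCS categories such as s0:c281,c675 are part of the level, not the type,
    so they never appear in a type-enforcement allow rule.
    """
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield one dict per AVC denial record found in the audit log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            "perms": m.group("perms").split(),
            "comm": m.group("comm"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        }


def summarise(text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for d in parse_avc_denials(text):
        groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(text):
    """Render the summary as TE allow rules, the form audit2allow generates."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarise(text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Two points the output makes visible: the rule is keyed on the type `svirt_image_t`, so it grants smartd the same access to every guest-owned block device and image labelled with that type, not only to sdc..sdf; and the MCS categories `c281,c675` that isolate this guest's devices from other guests play no part in the rule, because type enforcement and MCS are separate checks.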