-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/10/2013 09:11 AM, Ilyas -- wrote:
> Dear Daniel,
>
>> BTW This will be fixed in the RHEL6.4 version of policy.
>
> Is the new policy already available in RHEL 6.4?
>
Yes I believe so.

> On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 01/12/2013 07:35 AM, Ilyas -- wrote:
>>>> Hello,
>>>>
>>>> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
>>>> virtualization and SELinux enabled; the guests run the same OS too (but
>>>> without SELinux, though this does not matter).
>>>>
>>>> The host system is installed on mirrors based on the sda and sdb physical
>>>> disks. The sd{c..f} disks are attached to a KVM guest (whole disks, not
>>>> partitions; needed to use the zfs (zfsonlinux) benefit features). The problem
>>>> is that the disks (files in /dev) which are attached to the KVM guest have an
>>>> SELinux context which is inaccessible from the context of the smartd process.
>>>>
>>>> [root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
>>>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
>>>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>>>>
>>>> [root at srv-1.home ~]# ps axwZ | grep smart[d]
>>>> system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
>>>>
>>>> When I restart smartd, the following messages appear in audit.log:
>>>> [root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
>>>> type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>>
>>>> I tried to create an SELinux policy using audit2allow:
>>>> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
>>>> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>>>> but it did not help to solve the problem.
>>>>
>>>> How can I create a permissive rule for SELinux in my case?
>>>>
>>>> Thank you.
>>>>
> BTW This will be fixed in the RHEL6.4 version of policy.
>
> Now if people would just pay for subscriptions...
>
>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlE94LoACgkQrlYvE4MpobNZfwCg5udTO1LuhQHrCrbr0WlkSJoG
dG0AoMPx/rd2trH/VkfMlNfsk44hjXBS
=K3E5
-----END PGP SIGNATURE-----
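The thread shows smartd (fsdaemon_t, level s0) being denied getattr and read on block devices relabelled by sVirt to svirt_image_t:s0:c281,c675, and an audit2allow module that did not resolve it. The script below is an added example, not code from the thread or from the audit2allow tool: it parses AVC records of the shape quoted above, groups them by source type, target type and object class, prints the type-enforcement allow rule audit2allow would derive, and additionally checks whether the subject's MCS level dominates the target's categories. MCS constraints are evaluated in addition to type-enforcement rules, so a group where the subject lacks the target's categories is flagged, because a plain allow rule cannot satisfy that constraint on its own. The sample log embeds three records copied from the thread plus three constructed records (a cross-VM qemu-kvm denial, an fsdaemon_t denial on a plainly labelled disk, and a SYSCALL line) to show the grouping and the MCS check on differing inputs.

```python
"""Summarise SELinux AVC denials and flag MCS category mismatches.

Added example for the CentOS thread above; not the audit2allow implementation.
"""
import re
from collections import defaultdict

# Three records copied from the thread, followed by three constructed ones
# (pid, inode and category values in the constructed lines are made up).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.300:8540): avc: denied { write } for pid=4242 comm="qemu-kvm" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.400:8541): avc: denied { ioctl } for pid=21321 comm="smartd" path="/dev/sda" dev=devtmpfs ino=6300 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8534): arch=c000003e syscall=2 success=no exit=-13 comm="smartd"
"""

# Real audit logs use two spaces around "denied"; ' +' accepts either spacing.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def expand_categories(catstr):
    """'c281,c675' -> {281, 675}; a range 'c0.c3' -> {0, 1, 2, 3}."""
    cats = set()
    for item in catstr.split(","):
        if "." in item:
            lo, hi = item.split(".", 1)
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        elif item:
            cats.add(int(item[1:]))
    return cats


def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into its parts."""
    user, role, type_, level = (ctx.split(":", 3) + [""] * 4)[:4]
    if ":" in level:
        sens, catstr = level.split(":", 1)
        cats = expand_categories(catstr)
    else:
        sens, cats = level, set()
    return {"user": user, "role": role, "type": type_, "sens": sens, "cats": cats}


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name", "?"),
        "tclass": fields.get("tclass", "?"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
    }


def mcs_dominates(subject, target):
    """MCS lets a subject access an object only if it holds all of the object's categories."""
    return target["cats"] <= subject["cats"]


def summarise(lines):
    """Group denials by (source type, target type, class); union the permissions."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "mcs_mismatch": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["targets"].add(rec["target"])
        if not mcs_dominates(rec["scontext"], rec["tcontext"]):
            g["mcs_mismatch"] = True
    return dict(groups)


def te_rule(key, perms):
    """The type-enforcement allow rule audit2allow would derive for this group."""
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def report(lines):
    """Human-readable summary: one rule per group, with an MCS note where relevant."""
    out = []
    for key, g in sorted(summarise(lines).items()):
        out.append(te_rule(key, g["perms"]))
        out.append("  targets: " + ", ".join(sorted(g["targets"])))
        if g["mcs_mismatch"]:
            out.append("  note: subject level does not dominate target categories; "
                       "an MCS constraint also blocks this access, so the allow "
                       "rule above is not sufficient on its own")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG.splitlines()))
```

Run against the sample, the fsdaemon_t/svirt_image_t group (the thread's case) and the constructed cross-VM group both carry the MCS note, while the constructed fsdaemon_t/fixed_disk_device_t group, where neither side has categories, does not. The script only reports; whether any rule belongs in a local module is a policy decision, and a cross-VM denial like the constructed qemu-kvm record is exactly the isolation sVirt is meant to enforce.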