[CentOS] selinux + kvm virtualization + smartd problem

Mon Mar 11 13:48:42 UTC 2013
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/10/2013 09:11 AM, Ilyas -- wrote:
> Dear Daniel,
> 
>> BTW This will be fixed in the RHEL6.4 version of policy.
> 
> Is the new policy already available in rhel6.4?
> 
Yes I believe so.
> On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh <dwalsh at redhat.com> wrote: 
> On 01/12/2013 07:35 AM, Ilyas -- wrote:
>>>> Hello,
>>>> 
>>>> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
>>>> virtualization and SELinux enabled; the guests run the same OS (without
>>>> SELinux, but this does not matter).
>>>> 
>>>> The host system is installed on mirrors based on the sda and sdb physical
>>>> disks. The sd{c..f} disks are attached to a KVM guest (whole disks, not
>>>> partitions; needed to use the zfs (zfsonlinux) features). The problem
>>>> is that the disks (files in /dev) attached to the KVM guest have an SELinux
>>>> context which is inaccessible from the context of the smartd process.
>>>> 
>>>> [root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
>>>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
>>>> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
>>>> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>>>> 
>>>> [root at srv-1.home ~]# ps axwZ | grep smart[d]
>>>> system_u:system_r:fsdaemon_t:s0  1762 ?        S      0:00 /usr/sbin/smartd -q never
>>>> 
>>>> When I restart smartd, the following messages appear in audit.log:
>>>> [root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
>>>> type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.965:8530): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.966:8531): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993548.966:8532): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8534): avc:  denied  { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8535): avc:  denied  { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> type=AVC msg=audit(1357993549.198:8536): avc:  denied  { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>>>> 
>>>> I tried to create an SELinux policy module using audit2allow:
>>>> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
>>>> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>>>> but it did not help to solve the problem.
>>>> 
>>>> How can I create a permissive rule for SELinux in my case?
>>>> 
>>>> Thank you.
>>>> 
> BTW This will be fixed in the RHEL6.4 version of policy.
> 
> Now if people would just pay for subscriptions...
> 
> 
>> _______________________________________________ CentOS mailing list 
>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos
> 
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlE94LoACgkQrlYvE4MpobNZfwCg5udTO1LuhQHrCrbr0WlkSJoG
dG0AoMPx/rd2trH/VkfMlNfsk44hjXBS
=K3E5
-----END PGP SIGNATURE-----
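The denials quoted in the thread, summarized the way audit2allow does before it emits an allow rule, as an added example that is not part of the original mail thread or of audit2allow itself. The sample records are three of the AVC lines from the thread (plus one constructed SYSCALL record that must be ignored), assumed to be one per line as the audit daemon writes them. The script groups denials by source type, target type and object class and unions the permissions, which is the type-enforcement rule audit2allow would generate; separately it reports the MCS categories found on the target contexts (svirt_image_t carries c281,c675 here), because an allow rule says nothing about categories, which are enforced by separate MCS constraints and are worth checking when a freshly loaded module does not make a denial go away.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the thread, one per line,
# plus a SYSCALL record that a correct parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357993548.964:8529): avc:  denied  { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc:  denied  { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8536): avc:  denied  { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8536): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the fields of a "denied" AVC record; other record types do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:level] -> type (the part type enforcement cares about)."""
    return ctx.split(':')[2]


def context_level(ctx):
    """user:role:type[:level] -> level string such as 's0:c281,c675', or ''."""
    parts = ctx.split(':', 3)
    return parts[3] if len(parts) > 3 else ''


def parse_denials(text):
    """Return one dict per AVC denial record found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are ignored
        denials.append({
            'perms': set(m.group('perms').split()),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tlevel': context_level(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return denials


def summarize(denials):
    """Group by (source type, target type, class) and union the permissions."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(summary)


def allow_rules(summary):
    """Render each group as the TE allow rule audit2allow would propose."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def mcs_categories(denials):
    """Distinct MCS category sets carried by the target contexts.

    A non-empty result means the targets are category-labelled (here by
    sVirt); TE allow rules do not grant category access, so these are
    reported for the administrator rather than folded into the rule.
    """
    cats = set()
    for d in denials:
        level = d['tlevel']
        if ':' in level:                      # 's0:c281,c675' -> 'c281,c675'
            cats.add(level.split(':', 1)[1])
    return cats


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT)
    for rule in allow_rules(summarize(found)):
        print(rule)
    for cats in sorted(mcs_categories(found)):
        print(f"# note: target contexts carry MCS categories {cats}")
```

Run against a real log with `grep type=AVC /var/log/audit/audit.log` piped into `parse_denials`; the printed `allow` line is what `audit2allow -M` packages into the .pp module, and the trailing note is the extra information audit2allow's rule does not express.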