| Summary: | SELinux is preventing /usr/sbin/smartd from 'create' accesses on the chr_file twe0. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mark Harig <tpeplt> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f283fe3e4f228321c6a6146c81744d9ac116da0d00d9b1440d4c98e0561494b5 | ||
| Fixed In Version: | selinux-policy-3.9.7-37.fc14 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-03-22 18:52:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Following the SELinux Alert Browser's instructions: $ sudo grep smartd /var/log/audit/audit.log | audit2allow -M mypol $ sudo semodule -i mypol.pp and then rebooting and logging in, the error seen above is no longer occurring. $ sudo semodule -l | grep mypol mypol 1.0 Messages from "smartd" in /var/log/messages: smartd[2478]: smartd 5.40 2010-10-16 r3189 [x86_64-redhat-linux-gnu] (local build)#012Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net#012 smartd[2478]: Opened configuration file /etc/smartd.conf smartd[2478]: Configuration file /etc/smartd.conf parsed. smartd[2478]: Device: /dev/twe0 [3ware_disk_00], opened smartd[2478]: Device: /dev/twe0 [3ware_disk_00], found in smartd database. smartd[2478]: Device: /dev/twe0 [3ware_disk_00], enabled SMART Attribute Autosave. smartd[2478]: Device: /dev/twe0 [3ware_disk_00], enabled SMART Automatic Offline Testing. smartd[2478]: Device: /dev/twe0 [3ware_disk_00], is SMART capable. Adding to "monitor" list. smartd[2478]: Device: /dev/twe0 [3ware_disk_01], opened smartd[2478]: Device: /dev/twe0 [3ware_disk_01], found in smartd database. smartd[2478]: Device: /dev/twe0 [3ware_disk_01], enabled SMART Attribute Autosave. smartd[2478]: Device: /dev/twe0 [3ware_disk_01], enabled SMART Automatic Offline Testing. smartd[2478]: Device: /dev/twe0 [3ware_disk_01], is SMART capable. Adding to "monitor" list. smartd[2478]: Monitoring 2 ATA and 0 SCSI devices smartd[2480]: smartd has fork()ed into background mode. New PID=2480. Also, note that this is using selinux-policy-3.9.7-28 from the 'updates-testing' repository. Miroslav lets add storage_create_fixed_disk_dev(fsdaemon_t) to F13/F14 Mark, you can create a custom policy module policy_module(mysmartd, 1.0) gen_require(` type fsdaemon_t; ') storage_create_fixed_disk_dev(fsdaemon_t) Then compile and install it. # make -f /usr/share/selinux/devel/Makefile # semodule -i mysmartd.pp I installed the latest selinux-policy update today and un-installed the local policy that I had installed, as described in Comment 1, above. $ rpm -q selinux-policy selinux-policy-3.9.7-31.fc14.noarch $ sudo semodule -l |grep mypol mypol 1.0 $ sudo semodule -r mypol I rebooted the operating system and checked /var/log/messages for smartd. The error described above still appears. Does this mean that the policy change has not yet been included in selinux-policy? Here are the contents of mypol.te: module mypol 1.0; require { type fsdaemon_t; type fixed_disk_device_t; class chr_file create; } #============= fsdaemon_t ============== allow fsdaemon_t fixed_disk_device_t:chr_file create; I re-installed the local policy (listed in Comment 5) and rebooted. The smartmontools service no longer reports the errors that were originally reported. Since this report is marked as closed, is it known what 'selinux-policy' update I can expect the fix to be available for testing? I have found a bug. Please keep your local policy for now. Thank you. (In reply to comment #7) > I have found a bug. Please keep your local policy for now. Thank you. OK. Please let me know when you have a fix in the test area. I will then install it and let you know what I find. Thank you. You can use the latest F14 selinux-policy which is available from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=231998 selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14 selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14 selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. (In reply to comment #12) > selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable > repository. If problems still persist, please make note of it in this bug > report. After un-installing my local policy, updating to selinux-policy 3.9.7-37, and rebooting, the smartd service was able to start as expected (and special device files /dev/twe[0-15] were created). Thank you! |
SELinux is preventing /usr/sbin/smartd from 'create' accesses on the chr_file twe0. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that smartd should be allowed create access on the twe0 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smartd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:fsdaemon_t:s0 Target Context system_u:object_r:fixed_disk_device_t:s0 Target Objects twe0 [ chr_file ] Source smartd Source Path /usr/sbin/smartd Port <Unknown> Host (removed) Source RPM Packages smartmontools-5.40-3.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-28.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 Alert Count 10 First Seen Fri 04 Feb 2011 12:34:00 AM EST Last Seen Fri 04 Feb 2011 01:21:19 AM EST Local ID dde04082-981e-4943-ba9a-390f8b5077a7 Raw Audit Messages type=AVC msg=audit(1296800479.938:25629): avc: denied { create } for pid=5333 comm="smartd" name="twe0" scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1296800479.938:25629): arch=x86_64 syscall=mknod success=no exit=EACCES a0=7fff59ea1c90 a1=2180 a2=f900 a3=7f8155e741e0 items=0 ppid=5332 pid=5333 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=smartd exe=/usr/sbin/smartd subj=unconfined_u:system_r:fsdaemon_t:s0 key=(null) Hash: smartd,fsdaemon_t,fixed_disk_device_t,chr_file,create audit2allow #============= fsdaemon_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow fsdaemon_t fixed_disk_device_t:chr_file create; audit2allow -R #============= fsdaemon_t ============== #!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work. #Contraint rule: allow fsdaemon_t fixed_disk_device_t:chr_file create;