Bug 717152

Summary: enforcing MLS: smartd is blocked by SELinux
Product: Red Hat Enterprise Linux 5 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.7CC: dwalsh, ksrot
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-317.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-21 05:47:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2011-06-28 07:42:00 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-315.el5
selinux-policy-2.4.6-315.el5
selinux-policy-devel-2.4.6-315.el5
selinux-policy-targeted-2.4.6-315.el5
selinux-policy-minimum-2.4.6-315.el5
selinux-policy-strict-2.4.6-315.el5
smartmontools-5.38-2.el5

How reproducible:
always

Steps to Reproduce:
* get a freshly installed RHEL-5.7 machine with active MLS policy
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# run_init service smartd status
Authenticating root.
Password: 
smartd is stopped
# run_init service smartd start
Authenticating root.
Password: 
Starting smartd: [FAILED]
# run_init service smartd status
Authenticating root.
Password: 
smartd is stopped
# 
  
Actual results:
----
time->Tue Jun 28 03:33:55 2011
type=SYSCALL msg=audit(1309246435.910:83): arch=40000003 syscall=11 success=yes exit=0 a0=a071918 a1=a071a38 a2=a071c68 a3=0 items=0 ppid=2904 pid=2905 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1309246435.910:83): avc:  denied  { use } for  pid=2905 comm="smartd" path="/dev/pts/0" dev=devpts ino=2 scontext=system_u:system_r:fsdaemon_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1309246435.910:83): avc:  denied  { use } for  pid=2905 comm="smartd" path="/dev/pts/0" dev=devpts ino=2 scontext=system_u:system_r:fsdaemon_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1309246435.910:83): avc:  denied  { use } for  pid=2905 comm="smartd" path="/dev/pts/0" dev=devpts ino=2 scontext=system_u:system_r:fsdaemon_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
----
time->Tue Jun 28 03:33:55 2011
type=SYSCALL msg=audit(1309246435.913:84): arch=40000003 syscall=125 success=no exit=-13 a0=bf7000 a1=1000 a2=1 a3=1d98 items=0 ppid=2904 pid=2905 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1309246435.913:84): avc:  denied  { use } for  pid=2905 comm="smartd" path="/usr/sbin/smartd" dev=dm-0 ino=505378 scontext=system_u:system_r:fsdaemon_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
----

Expected results:
* no AVCs

Comment 1 Milos Malik 2011-06-28 08:43:23 UTC
audit2why says:

type=AVC msg=audit(1309249961.627:192): avc:  denied  { use } for  pid=29380 comm="smartd" path="/usr/sbin/smartd" dev=dm-0 ino=505378 scontext=system_u:system_r:fsdaemon_t:s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=fd
	Was caused by:
		Constraint violation.
		Check policy/constraints.
		Typically, you just need to add a type attribute to the domain to satisfy the constraint.

Comment 2 Daniel Walsh 2011-06-28 10:37:31 UTC
RHEL6 has

 mls_fd_share_all_levels(initrc_t)

Comment 4 Miroslav Grepl 2011-09-29 11:31:18 UTC
Fixed in selinux-policy-2.4.6-317.el5

Comment 7 errata-xmlrpc 2012-02-21 05:47:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html