Bug 794603

Summary: /dev/megaraid_sas_ioctl_node has the incorrect fcontext for smartd
Product: [Fedora] Fedora Reporter: Scott Shambarger <scott-fedora>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dwalsh
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-84.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 809716 (view as bug list) Environment:
Last Closed: 2012-04-22 03:35:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 809716    

Description Scott Shambarger 2012-02-17 06:31:26 UTC 
Description of problem:
I'm monitoring some disks on a Megaraid controller using smartd, but I'm hitting selinux limits such as the following:

# audit2why -b
type=AVC msg=audit(1329459841.923:19): avc:  denied  { create } for  pid=937 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

# audit2allow -b
#============= fsdaemon_t ==============
allow fsdaemon_t device_t:chr_file create;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. install megaraid controller with disks attached.
2. configure smartd.conf for a disk on controller, such as '/dev/sdc -d sat+megaraid,8 ...'
3. start smartd
  
Actual results:
/dev/megaraid_sas_ioctl_node cannot be created by smartd.

Expected results:
/dev/megaraid_sas_ioctl_node should have selinux type fixed_disk_device_t, so that smartd can read/write etc the device

Additional info:
With selinux in permissive (so /dev/megaraid_sas_ioctl_node is created), I add the following:

semanage fcontext -a -t fixed_disk_device_t /dev/megaraid_sas_ioctl_node

and restorecon -r /dev.  However, after a fresh boot, /dev/megaraid_sas_ioctl_node is created with a type of device_t even with the local configuration above.

Also, /dev/megaraid_sas_ioctl_node has an access of 000, which even though it's only read/write by root, is probably incorrect (may be separate bug).  Entry after reboot:

ls -lZ /dev/megaraid_sas_ioctl_node
c---------. root root system_u:object_r:device_t:s0    /dev/megaraid_sas_ioctl_node

With the above configuration, the original problem still occurs with selinux in enforcing mode (ie, /dev/megaraid_sas_ioctl_node cannot be created).
Comment 1 Miroslav Grepl 2012-02-20 14:35:09 UTC 
I am adding fixes to F16, F17.
Comment 2 Miroslav Grepl 2012-02-20 14:38:49 UTC 
Actually, Dan has already added it to F17. Backporting.
Comment 3 Scott Shambarger 2012-03-07 05:45:30 UTC 
Has this already been put in testing?  I've installed selinux-policy-targeted-3.10.0-78 from testing and found the following entry in /etc/selinux/targeted/contexts/files/file_contexts:

/dev/megaraid_sas_ioctl_node -c system_u:object_r:fixed_disk_device_t:s0

However, if I reboot and allow smartd to start fresh, I still get an audit error:

avc:  denied  { create } for  pid=930 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Not sure why the tcontext is still device_t with the above rule active, but perhaps file creation uses different rules to determine access?
Comment 4 Miroslav Grepl 2012-03-07 09:22:39 UTC 
Could you test it with the latest build


rpms:
 http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/79.fc16/noarch/selinux-policy-3.10.0-79.fc16.noarch.rpm
 
 http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/79.fc16/noarch/selinux-policy-targeted-3.10.0-79.fc16.noarch.rpm
Comment 5 Scott Shambarger 2012-03-07 18:58:53 UTC 
Just installed the rpms above, and rebooted.  Still get exactly the same denial in comment 3...
Comment 6 Daniel Walsh 2012-03-07 19:24:57 UTC 
9ec650cf1666a2374ce4d29449456cc39062dd47 fixes this problem.

You are only transitioning on blk file not chr_file.
Comment 7 Fedora Update System 2012-03-13 12:25:06 UTC 
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Comment 8 Scott Shambarger 2012-03-13 14:14:56 UTC 
Installed 3.10.0-80 and rebooted.  Still same denial:

avc:  denied  { create } for  pid=902 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Comment 9 Miroslav Grepl 2012-03-13 18:53:50 UTC 
Let's me check it.
Comment 10 Fedora Update System 2012-03-21 02:24:13 UTC 
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
Comment 11 Scott Shambarger 2012-03-21 04:28:42 UTC 
Since this is the same package as the one listed in comment #7, and has the problems listed in comment #8, it clearly does not fix the bug.  The issue remains open I guess...
Comment 12 Miroslav Grepl 2012-03-21 07:32:25 UTC 
Yes, it does not.
Comment 13 Fedora Update System 2012-03-24 00:36:21 UTC 
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Scott Shambarger 2012-03-24 02:55:31 UTC 
Not sure why this was closed, as mentioned above, the bug is NOT fixed in
3.10.0-80
Comment 15 Miroslav Grepl 2012-03-26 10:19:14 UTC 
I did not remove the bug from this update in the bodhi.
Comment 16 Miroslav Grepl 2012-04-04 08:49:17 UTC 
I have just found a bug.

Fixed in selinux-policy-3.10.0-82.fc16
Comment 17 Scott Shambarger 2012-04-15 05:20:37 UTC 
Updated to 3.10.0-82, and still receive:

audit(1334466632.639:4): avc:  denied  { create } for  pid=872 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Note also that 'audit2allow -b' and 'audit2why -b' are both broken in -82... not sure if it's related (they show no output even though the above error is in /var/log/messages).
Comment 18 Miroslav Grepl 2012-04-16 06:40:35 UTC 
It works for me with -83.fc16 which is now building.

# runcon -u system_u -r system_r -t initrc_t -- runcon -t fsdaemon_t -- mknod /dev/megaraid_sas_ioctl_node c <major> <minor>
# ls -Z /dev/megaraid_sas_ioctl_node 
crw-r--r--. root root system_u:object_r:fixed_disk_device_t:s0 /dev/megaraid_sas_ioctl_node
Comment 19 Scott Shambarger 2012-04-16 18:21:24 UTC 
Installed -83, and it finally works :)

I couldn't test with the above in enforcing (denied { entrypoint } comm="runcon" path="/bin/mknod"), but that's not really important...

smartd can now correctly create and use the device.  Looking forward to giving the release karma. :)
Comment 20 Fedora Update System 2012-04-18 12:52:59 UTC 
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 21 Fedora Update System 2012-04-22 03:35:08 UTC 
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.