Description of problem:
If you start smartd with the -s option as specified in /etc/sysconfig/smartmontools:

    Add -s /var/lib/smartmontools to enable state persistence

smartd will try to read/write in that directory. Except it cannot:

    type=AVC msg=audit(1524173728.395:119): avc: denied { write } for pid=989 comm="smartd" name="lib" dev="dm-1" ino=222572 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

This appears similar to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720631

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.30.fc27.noarch
smartmontools-6.5-5.fc27.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. enable -s /var/lib/smartmontools in /etc/sysconfig/smartmontools
2. restart smartd

Problem is still present in F28.

SELinux is preventing smartd from write access on the directory /var/lib.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow smartd to have write access on the lib directory
Then you need to change the label on /var/lib
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib'
where FILE_TYPE is one of the following: device_t, fsdaemon_tmp_t, fsdaemon_var_lib_t, fsdaemon_var_run_t, tmp_t, var_run_t.
Then execute:
restorecon -v '/var/lib'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that smartd should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -X 300 -i my-smartd.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib [ dir ]
Source                        smartd
Source Path                   smartd
Port                          <Unknown>
Host                          garbage
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     garbage
Platform                      Linux garbage 4.16.8-300.fc28.x86_64 #1 SMP Wed May 9 20:23:40 UTC 2018 x86_64 x86_64
Alert Count                   497
First Seen                    2018-05-08 02:19:59 CEST
Last Seen                     2018-05-15 21:56:10 CEST
Local ID                      10c0736a-58f2-4efd-b81c-943682f6c019

Raw Audit Messages
type=AVC msg=audit(1526414170.225:143): avc: denied { write } for pid=1853 comm="smartd" name="lib" dev="dm-0" ino=135944 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
Well I don't know if anything about that case was changed but it works without the new package. I double checked what smartd does and read the man page again: the path must have a final / or smartd will try to create files under /var/lib/ if you give /var/lib/smartmontools as a parameter... Please accept my apologies about that. Either revert the changes you made for smartd or just resolve this bug.
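
The trailing-slash behaviour described in the comment above, as an added example (not part of the original report and not smartmontools or selinux-policy code): it parses the AVC record quoted in this report and checks whether the directory that a given -s prefix makes smartd write into is the one named in the denial. The function names are hypothetical, and the sketch assumes the space-separated `-s PREFIX` and `--savestates=PREFIX` option forms.

```python
import os
import re
import shlex

# AVC record copied from the first comment of this report.
AVC = (
    'type=AVC msg=audit(1524173728.395:119): avc: denied { write } for pid=989 '
    'comm="smartd" name="lib" dev="dm-1" ino=222572 '
    'scontext=system_u:system_r:fsdaemon_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'
)

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields

def state_dir(smartd_opts):
    """Directory smartd creates state files in for the given option string.

    The -s argument is a file name prefix, not a directory: smartd appends the
    per-device file name to it. Only a trailing '/' makes the whole argument
    the directory; otherwise the files land in its parent.
    """
    args = shlex.split(smartd_opts)
    prefix = None
    for i, arg in enumerate(args):
        if arg == "-s" and i + 1 < len(args):
            prefix = args[i + 1]
        elif arg.startswith("--savestates="):
            prefix = arg.split("=", 1)[1]
    return None if prefix is None else os.path.dirname(prefix)

def explains_denial(avc, smartd_opts):
    """True if the denied directory write is the one the -s prefix produces."""
    target = state_dir(smartd_opts)
    return (target is not None
            and avc.get("comm") == "smartd"
            and avc.get("tclass") == "dir"
            and "write" in avc["perms"]
            and avc.get("name") == os.path.basename(target))

if __name__ == "__main__":
    for opts in ("-s /var/lib/smartmontools", "-s /var/lib/smartmontools/"):
        print(opts, "->", state_dir(opts), explains_denial(parse_avc(AVC), opts))
```
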
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.