Bug 1569724 - smartd cannot save state files
Summary: smartd cannot save state files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-04-19 21:56 UTC by Mathieu Chouquet-Stringer
Modified: 2018-05-26 20:44 UTC (History)

Fixed In Version: selinux-policy-3.14.1-29.fc28
Last Closed: 2018-05-26 20:44:47 UTC
Type: Bug



Description Mathieu Chouquet-Stringer 2018-04-19 21:56:35 UTC
Description of problem:
If you start smartd with the -s option as specified in /etc/sysconfig/smartmontools:
Add -s /var/lib/smartmontools to enable state persistence

smartd will try to read/write in that directory.

Except it cannot:

type=AVC msg=audit(1524173728.395:119): avc:  denied  { write } for  pid=989 comm="smartd" name="lib" dev="dm-1" ino=222572 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

This appears similar to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720631

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-283.30.fc27.noarch
smartmontools-6.5-5.fc27.x86_64


How reproducible:

Always.

Steps to Reproduce:
1. enable -s /var/lib/smartmontools in /etc/sysconfig/smartmontools
2. restart smartd

Comment 1 Mathieu Chouquet-Stringer 2018-05-15 20:00:15 UTC
Problem is still present in F28.

SELinux is preventing smartd from write access on the directory /var/lib.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow smartd to have write access on the lib directory
Then you need to change the label on /var/lib
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib'
where FILE_TYPE is one of the following: device_t, fsdaemon_tmp_t, fsdaemon_var_lib_t, fsdaemon_var_run_t, tmp_t, var_run_t.
Then execute:
restorecon -v '/var/lib'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that smartd should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -X 300 -i my-smartd.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib [ dir ]
Source                        smartd
Source Path                   smartd
Port                          <Unknown>
Host                          garbage
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     garbage
Platform                      Linux garbage 4.16.8-300.fc28.x86_64 #1 SMP Wed
                              May 9 20:23:40 UTC 2018 x86_64 x86_64
Alert Count                   497
First Seen                    2018-05-08 02:19:59 CEST
Last Seen                     2018-05-15 21:56:10 CEST
Local ID                      10c0736a-58f2-4efd-b81c-943682f6c019

Raw Audit Messages
type=AVC msg=audit(1526414170.225:143): avc:  denied  { write } for  pid=1853 comm="smartd" name="lib" dev="dm-0" ino=135944 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

Comment 2 Fedora Update System 2018-05-24 14:36:40 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 Fedora Update System 2018-05-25 18:42:58 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 4 Mathieu Chouquet-Stringer 2018-05-26 00:14:37 UTC
Well I don't know if anything about that case was changed but it works without the new package.

I double checked what smartd does and read the man page again: the path must have a final / or smartd will try to create files under /var/lib/ if you give /var/lib/smartmontools as a parameter...

Please accept my apologies about that.

Either revert the changes you made for smartd or just resolve this bug.
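
The trailing-slash behaviour described in Comment 4, as an added example that is not part of the original report or of smartmontools: the functions compute the directory smartd writes into for a given -s PREFIX and check it against the AVC record from the description. The helper names and the MODEL-SERIAL placeholder are assumptions; the ATA state file naming (PREFIX followed by MODEL-SERIAL.ata.state) follows the smartd man page.

```sh
#!/bin/sh
# Added example (not from the bug report). smartd appends the state file name
# to the -s PREFIX verbatim, so the directory it writes into is everything
# before the last "/" of PREFIX.

# AVC record copied from the report's description.
AVC='type=AVC msg=audit(1524173728.395:119): avc:  denied  { write } for  pid=989 comm="smartd" name="lib" dev="dm-1" ino=222572 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0'

# Directory smartd writes state files into for a given -s PREFIX.
state_dir() {
    case "$1" in
        */)  d=${1%/} ;;   # trailing slash: PREFIX is the directory itself
        */*) d=${1%/*} ;;  # no trailing slash: last component is a name prefix
        *)   d=. ;;        # no slash at all: current working directory
    esac
    [ -n "$d" ] || d=/
    printf '%s\n' "$d"
}

# Full ATA state file path; $2 is a placeholder for smartd's MODEL-SERIAL string.
state_path() {
    printf '%s%s.ata.state\n' "$1" "$2"
}

# Value of one key=value field of an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# "match" when the denial is a directory write whose name= equals the last
# component of the directory implied by PREFIX. AVC records carry only that
# last component, so this is a consistency check, not proof.
explains_denial() {
    dir=$(state_dir "$1")
    if [ "$(avc_field tclass "$2")" = dir ] &&
       [ "$(avc_field name "$2")" = "$(basename "$dir")" ]; then
        echo match
    else
        echo no-match
    fi
}

for p in /var/lib/smartmontools /var/lib/smartmontools/; do
    printf '%-26s dir=%-24s %s\n' "$p" "$(state_dir "$p")" "$(explains_denial "$p" "$AVC")"
done
```

With the slash-less prefix the computed directory is /var/lib, labelled var_lib_t, which is the target of the denial; with the trailing slash the write lands in /var/lib/smartmontools instead.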

Comment 5 Fedora Update System 2018-05-26 20:44:47 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

