Bug 240383 - SELinux prevents smartd access to device /dev/twa0
Summary: SELinux prevents smartd access to device /dev/twa0
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted   
(Show other bugs)
Version: 5.0
Hardware: i686 Linux
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: OtherQA
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-16 21:49 UTC by John Ballard
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 16:39:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description John Ballard 2007-05-16 21:49:49 UTC
Description of problem:
    SELinux is preventing /usr/sbin/smartd (fsdaemon_t) "getattr" access to
    device /dev/twa0.

Detailed Description
    SELinux has denied the /usr/sbin/smartd (fsdaemon_t) "getattr" access to
    device /dev/twa0. /dev/twa0 is mislabeled, this device has the default label
    of the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/twa0. If this device remains labeled device_t, then
    this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/twa0, you can use
    chcon -t SIMILAR_TYPE /dev/twa0, If this fixes the problem, you can make
    this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/twa0
    If the restorecon changes the context, this indicates that the application
    that created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:Source Context                system_u:system_r:fsdaemon_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/twa0 [ chr_file ]
Affected RPM Packages         smartmontools-5.36-3.1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device

Additional info:

Comment 1 John Ballard 2007-05-16 21:57:08 UTC
restorecon -v /dev/twa0 fails to change the context.

chcon -t system_u:object_r:fixed_disk_device_t /dev/twa0
chcon: couldn't compute security context from system_u:object_r:device_t
The device is used by 3ware RAID controller.

Comment 2 Daniel Walsh 2007-05-16 22:08:27 UTC
chcon -t fixed_disk_device_t /dev/twa0

Comment 3 Daniel Walsh 2007-05-16 22:11:16 UTC
I believe this is fixed in the u1 policy.  You can grab a preview at

Fixed in selinux-policy-2.4.6-71

Comment 5 RHEL Product and Program Management 2007-05-18 16:24:06 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 8 Eduard Benes 2007-08-22 11:20:41 UTC
Could you try the new policy available at the link below and reply 
whether the new packages solve your problem. Thank you.


Comment 10 errata-xmlrpc 2007-11-07 16:39:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.