Bug 240383 - SELinux prevents smartd access to device /dev/twa0
Summary: SELinux prevents smartd access to device /dev/twa0
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
 
Reported: 2007-05-16 21:49 UTC by John Ballard
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:39:45 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2007:0544
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-11-08 14:16:49 UTC

Description John Ballard 2007-05-16 21:49:49 UTC
Description of problem:
Summary
    SELinux is preventing /usr/sbin/smartd (fsdaemon_t) "getattr" access to
    device /dev/twa0.

Detailed Description
    SELinux has denied the /usr/sbin/smartd (fsdaemon_t) "getattr" access to
    device /dev/twa0. /dev/twa0 is mislabeled, this device has the default label
    of the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/twa0. If this device remains labeled device_t, then
    this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/twa0, you can use
    chcon -t SIMILAR_TYPE /dev/twa0, If this fixes the problem, you can make
    this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/twa0
    If the restorecon changes the context, this indicates that the application
    that created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
Source Context                system_u:system_r:fsdaemon_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/twa0 [ chr_file ]
Affected RPM Packages         smartmontools-5.36-3.1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device



Additional info:

Comment 1 John Ballard 2007-05-16 21:57:08 UTC
restorecon -v /dev/twa0 fails to change the context.

chcon -t system_u:object_r:fixed_disk_device_t /dev/twa0
yields
chcon: couldn't compute security context from system_u:object_r:device_t
 
The device is used by 3ware RAID controller.

Comment 2 Daniel Walsh 2007-05-16 22:08:27 UTC
chcon -t fixed_disk_device_t /dev/twa0
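
The check that the report's Detailed Description describes (a denial whose target is a character or block device still carrying the default device_t label) can be run over raw audit records. This is an added example, not part of the bug thread and not setroubleshoot's own code; the function names and the sample AVC lines are constructed for illustration.

```python
import re

# Device classes for which a generic device_t label points to a missing
# file-context rule (the case the report's plugins.device text describes).
DEVICE_CLASSES = {"chr_file", "blk_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def mislabeled_devices(lines):
    """Yield (path, source_type, perms) for denials on device_t device nodes."""
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("tclass") in DEVICE_CLASSES
                and rec["tcontext_type"] == "device_t"):
            target = rec.get("path") or rec.get("name")
            yield target, rec["scontext_type"], rec["perms"]


# Constructed sample audit lines (not taken from the bug report).
CTX = "scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:"
SAMPLE = [
    'type=AVC msg=audit(1179352189.101:45): avc:  denied  { getattr } for  pid=2345 '
    'comm="smartd" path="/dev/twa0" dev=tmpfs ino=5121 ' + CTX + 'device_t:s0 tclass=chr_file',
    # Device with a specific type: a policy question, not a labeling problem.
    'type=AVC msg=audit(1179352190.007:46): avc:  denied  { ioctl } for  pid=2345 '
    'comm="smartd" path="/dev/sda" dev=tmpfs ino=610 ' + CTX + 'fixed_disk_device_t:s0 tclass=blk_file',
    # device_t on a directory is the normal label for /dev itself.
    'type=AVC msg=audit(1179352191.310:47): avc:  denied  { write } for  pid=2345 '
    'comm="smartd" name="dev" dev=tmpfs ino=2 ' + CTX + 'device_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1179352191.310:47): arch=40000003 syscall=195 success=no',
]

if __name__ == "__main__":
    for path, stype, perms in mislabeled_devices(SAMPLE):
        print(f"{path}: {stype} denied {perms}; target is device_t, compare ls -lZ of similar devices")
```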

Comment 3 Daniel Walsh 2007-05-16 22:11:16 UTC
I believe this is fixed in the u1 policy.  You can grab a preview at
http://people.redhat.com/dwalsh/SELinux/RHEL5/u1

Fixed in selinux-policy-2.4.6-71

Comment 5 RHEL Program Management 2007-05-18 16:24:06 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 8 Eduard Benes 2007-08-22 11:20:41 UTC
Could you try the new policy available at the link below and reply 
whether the new packages solve your problem. Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 10 errata-xmlrpc 2007-11-07 16:39:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


