Description of problem:
Followed previous documented process for labeling device entries but they do not survive reboots.

Version-Release number of selected component (if applicable):
3.0.8-113.fc8

How reproducible:
Reboot system

Steps to Reproduce:
1.
2.
3.

Actual results:
Aug 17 13:44:13 douglas smartd[3059]: smartd version 5.38 [x86_64-redhat-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Aug 17 13:44:13 douglas smartd[3059]: Home page is http://smartmontools.sourceforge.net/#012
Aug 17 13:44:13 douglas smartd[3059]: Opened configuration file /etc/smartd.conf
Aug 17 13:44:13 douglas smartd[3059]: Configuration file /etc/smartd.conf parsed.
Aug 17 13:44:13 douglas smartd[3059]: Device: /dev/twa0 [3ware_disk_00], File exists, open() failed
Aug 17 13:44:13 douglas smartd[3059]: Unable to register ATA device /dev/twa0 [3ware_disk_00] at line 31 of file /etc/smartd.conf
Aug 17 13:44:13 douglas smartd[3059]: Device /dev/twa0 [3ware_disk_00] not available
Aug 17 13:44:13 douglas smartd[3059]: Monitoring 0 ATA and 0 SCSI devices
Aug 17 13:44:13 douglas smartd[3062]: smartd has fork()ed into background mode. New PID=3062.
Aug 17 13:44:14 douglas setroubleshoot: SELinux is preventing smartd (fsdaemon_t) "getattr" access to device /dev/twa0. For complete SELinux messages. run sealert -l b3042a02-98ad-427c-8c8b-15b89e80edfd

sealert -l b3042a02-98ad-427c-8c8b-15b89e80edfd

Summary:

SELinux is preventing smartd (fsdaemon_t) "getattr" access to device /dev/twa0.

Detailed Description:

SELinux has denied the smartd (fsdaemon_t) "getattr" access to device /dev/twa0. /dev/twa0 is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label.

You can attempt to change the label of the file using restorecon -v '/dev/twa0'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/twa0, you can use chcon -t SIMILAR_TYPE '/dev/twa0', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/twa0'

If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Allowing Access:

Attempt restorecon -v '/dev/twa0' or chcon -t SIMILAR_TYPE '/dev/twa0'

Additional Information:

Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/twa0 [ chr_file ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          douglas
Source RPM Packages           smartmontools-5.38-1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-113.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     douglas
Platform                      Linux douglas 2.6.25.14-69.fc8 #1 SMP Mon Aug 4 14:00:45 EDT 2008 x86_64 x86_64
Alert Count                   22
First Seen                    Thu Jul 3 15:51:04 2008
Last Seen                     Sun Aug 17 13:44:13 2008
Local ID                      b3042a02-98ad-427c-8c8b-15b89e80edfd
Line Numbers

Raw Audit Messages

host=douglas type=AVC msg=audit(1219005853.726:9): avc: denied { getattr } for pid=3059 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7942 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

host=douglas type=SYSCALL msg=audit(1219005853.726:9): arch=c000003e syscall=4 success=no exit=-13 a0=7fff3db47c60 a1=7fff3db47b90 a2=7fff3db47b90 a3=439cda items=0 ppid=3058 pid=3059 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Expected results:

Additional info:
I tried the sealert recommendation; it does not work across reboots. Adding the following to the /etc/rc.local file is a workaround:

chcon -v -t fixed_disk_device_t /dev/twa[0-9]*
service smartd restart

This is a bug in the smart or raid tools for not creating the device with the correct context. If you run

restorecon /dev/tw*

it will fix the context, so the machine knows the correct context. Most devices on the machine are created by udev, which creates them with the correct context. You could add the restorecon to your init scripts after the device is created, until you get a fix from those tools.

*** This bug has been marked as a duplicate of bug 232218 ***
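
An added example, not part of the original bug report or of any tool named in it: a short Python triage script that scans audit records for the pattern seen above, a denial on a character or block device whose target context still carries the default device_t type, and lists the paths that need relabeling. The sample input is constructed from the AVC record in the report plus one made-up unrelated denial; all function names are hypothetical.

```python
import re

# Constructed sample: the AVC record quoted in the report, plus one made-up
# unrelated denial (exampled / example_t are placeholders) that must be skipped.
SAMPLE_AUDIT = '''\
host=douglas type=AVC msg=audit(1219005853.726:9): avc: denied { getattr } for pid=3059 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7942 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1219005900.100:12): avc: denied { read } for pid=4000 comm="exampled" path="/var/log/example.log" dev=sda1 ino=100 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {"chr_file", "blk_file"}


def parse_avc(line):
    """Return the key=value fields of an AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """A context is user:role:type:level; the type is the third field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def mislabeled_devices(audit_text):
    """Map device path -> denied domains and permissions, device_t targets only."""
    found = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") not in DEVICE_CLASSES:
            continue
        if selinux_type(rec.get("tcontext", "")) != "device_t":
            continue
        entry = found.setdefault(rec.get("path", "?"),
                                 {"domains": set(), "perms": set()})
        entry["domains"].add(selinux_type(rec.get("scontext", "")))
        entry["perms"].update(rec["perms"])
    return found


if __name__ == "__main__":
    for path, info in sorted(mislabeled_devices(SAMPLE_AUDIT).items()):
        print(f"{path}: labeled device_t, denied {sorted(info['perms'])} "
              f"to {sorted(info['domains'])}; check with: restorecon -v {path}")
```
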