Bug 637822 - selinux blocks /usr/share/smartmontools/driverdb.h from updated smartmontools
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 637171 838063
Reported: 2010-09-27 14:33 UTC by Michal Hlavinka
Modified: 2012-07-06 11:24 UTC (History)

Fixed In Version: selinux-policy-3.7.19-65.fc13
Clone Of:
: 838063 (view as bug list)
Environment:
Last Closed: 2010-10-19 07:06:33 UTC
Type: ---
Embargoed:



Description Michal Hlavinka 2010-09-27 14:33:57 UTC
Description of problem:
Smartmontools will be updated. They use a new database file with known drivers, but SELinux denies smartmontools the use of that file (located at /usr/share/smartmontools/driverdb.h).

Sep 27 16:26:33 nbone kernel: type=1400 audit(1285597593.357:22809): avc:  denied  { read } for  pid=24463 comm="smartd" name="drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Sep 27 16:26:33 nbone kernel: type=1400 audit(1285597593.357:22810): avc:  denied  { open } for  pid=24463 comm="smartd" name="drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Sep 27 16:26:33 nbone kernel: type=1400 audit(1285597593.357:22811): avc:  denied  { getattr } for  pid=24463 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Sep 27 16:26:33 nbone smartd[24463]: smartd 5.40 (build date Sep 27 2010) [x86_64-unknown-linux-gnu] (local build)#012Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net#012




required for Rawhide, F-14 and F-13

Comment 1 Michal Hlavinka 2010-09-27 14:40:42 UTC
smartctl does not seem to cause an SELinux denial.

Also, there is a new tool for updating that package, /usr/sbin/update-smart-drivedb, which seems to work fine.

Only smartd has this problem with SELinux.

Comment 2 Daniel Walsh 2010-09-27 14:44:50 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.9.5-8.fc14
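
Added example, not part of the bug thread and not audit2allow's own code: a small parser that reduces the three AVC denials from the description to the one allow rule a local module needs, filtering on `comm` so that unrelated denials in the same log are not swept into the module. The function names are hypothetical, and the fourth sample record is constructed to show the filter.

```python
import re
from collections import defaultdict

# First three records are the AVC lines from the bug description (syslog
# prefix trimmed); the fourth is a constructed, unrelated denial.
SAMPLE = """\
type=1400 audit(1285597593.357:22809): avc:  denied  { read } for  pid=24463 comm="smartd" name="drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1285597593.357:22810): avc:  denied  { open } for  pid=24463 comm="smartd" name="drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1285597593.357:22811): avc:  denied  { getattr } for  pid=24463 comm="smartd" path="/usr/share/smartmontools/drivedb.h" dev=sda5 ino=441868 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1285597600.000:22900): avc:  denied  { read } for  pid=1 comm="httpd" name="x" dev=sda5 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(':')[2]


def allow_rules(log_text, comm=None):
    """Merge denials into allow rules, optionally only for one command name."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get('comm') != comm):
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE, comm='smartd'):
        print(rule)
```

The same review can be done on the `mypol.te` file that `audit2allow -M mypol` writes next to `mypol.pp`, before loading the module with `semodule -i`.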

Comment 3 Michal Hlavinka 2010-09-27 19:10:05 UTC
> Fixed in selinux-policy-3.9.5-8.fc14

This change is also required in F-13.

Comment 4 Fedora Update System 2010-10-04 19:35:29 UTC
selinux-policy-3.9.5-10.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.5-10.fc14

Comment 5 Fedora Update System 2010-10-05 13:04:58 UTC
selinux-policy-3.9.5-10.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Michal Hlavinka 2010-10-05 13:42:18 UTC
(In reply to comment #3)
> > Fixed in selinux-policy-3.9.5-8.fc14
> 
> this change is required also in F-13

Was it already fixed in F-13, or not yet?

Comment 7 Miroslav Grepl 2010-10-05 14:28:39 UTC
Fixed in selinux-policy-3.7.19-64.fc13

Comment 8 Fedora Update System 2010-10-08 10:32:09 UTC
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 9 Fedora Update System 2010-10-08 20:48:38 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13

Comment 10 Fedora Update System 2010-10-19 07:05:29 UTC
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

