Description of problem:
I'm monitoring some disks on a Megaraid controller using smartd, but I'm hitting selinux limits such as the following:

# audit2why -b
type=AVC msg=audit(1329459841.923:19): avc: denied { create } for pid=937 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

# audit2allow -b
#============= fsdaemon_t ==============
allow fsdaemon_t device_t:chr_file create;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75

How reproducible:
Always with selinux enabled

Steps to Reproduce:
1. install megaraid controller with disks attached.
2. configure smartd.conf for a disk on controller, such as '/dev/sdc -d sat+megaraid,8 ...'
3. start smartd

Actual results:
/dev/megaraid_sas_ioctl_node cannot be created by smartd.

Expected results:
/dev/megaraid_sas_ioctl_node should have selinux type fixed_disk_device_t, so that smartd can read/write etc the device

Additional info:
With selinux in permissive (so /dev/megaraid_sas_ioctl_node is created), I add the following:

semanage fcontext -a -t fixed_disk_device_t /dev/megaraid_sas_ioctl_node

and restorecon -r /dev. However, after a fresh boot, /dev/megaraid_sas_ioctl_node is created with a type of device_t even with the local configuration above. Also, /dev/megaraid_sas_ioctl_node has an access of 000, which even though it's only read/write by root, is probably incorrect (may be separate bug).

Entry after reboot:
ls -lZ /dev/megaraid_sas_ioctl_node
c---------. root root system_u:object_r:device_t:s0 /dev/megaraid_sas_ioctl_node

With the above configuration, the original problem still occurs with selinux in enforcing mode (ie, /dev/megaraid_sas_ioctl_node cannot be created).
I am adding fixes to F16, F17.
Actually, Dan has already added it to F17. Backporting.
Has this already been put in testing? I've installed selinux-policy-targeted-3.10.0-78 from testing and found the following entry in /etc/selinux/targeted/contexts/files/file_contexts:

/dev/megaraid_sas_ioctl_node -c system_u:object_r:fixed_disk_device_t:s0

However, if I reboot and allow smartd to start fresh, I still get an audit error:

avc: denied { create } for pid=930 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Not sure why the tcontext is still device_t with the above rule active, but perhaps file creation uses different rules to determine access?
Could you test it with the latest build rpms:

http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/79.fc16/noarch/selinux-policy-3.10.0-79.fc16.noarch.rpm
http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/79.fc16/noarch/selinux-policy-targeted-3.10.0-79.fc16.noarch.rpm
Just installed the rpms above, and rebooted. Still get exactly the same denial in comment 3...
9ec650cf1666a2374ce4d29449456cc39062dd47 fixes this problem. You are only transitioning on blk file not chr_file.
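To illustrate the cause named in the comment above and the question a few comments earlier about why the file_contexts entry did not help: a file_contexts entry only labels paths that already exist (at restorecon time), while a node that smartd creates itself at runtime gets its type from a type_transition rule, which must name chr_file to cover a character device. The module below is an added example written in reference-policy syntax, not the Fedora selinux-policy change referenced in this bug; it assumes the refpolicy interface dev_filetrans and the types fsdaemon_t, device_t and fixed_disk_device_t exactly as they appear in the denials here.

```selinux
policy_module(local_smartd_megaraid, 1.0)

# Added illustrative local module; assumes the reference-policy
# interface dev_filetrans(domain, file_type, object_class, filename)
# and the types that appear in this bug's AVC messages.
require {
	type fsdaemon_t;
	type device_t;
	type fixed_disk_device_t;
}

# Runtime label assignment: when a process in fsdaemon_t creates a node
# named "megaraid_sas_ioctl_node" inside a device_t directory (/dev),
# the new object is typed fixed_disk_device_t instead of inheriting
# device_t from the parent directory.
#
# A transition declared only for blk_file leaves a character device
# untouched, so the node stays device_t and 'create' is denied.
# Naming both classes covers either kind of node:
dev_filetrans(fsdaemon_t, fixed_disk_device_t, { blk_file chr_file }, "megaraid_sas_ioctl_node")

# The same thing as a raw rule, which is what `sesearch -T -s fsdaemon_t`
# shows once the module is loaded:
#   type_transition fsdaemon_t device_t:chr_file fixed_disk_device_t "megaraid_sas_ioctl_node";
```

Build it with `make -f /usr/share/selinux/devel/Makefile local_smartd_megaraid.pp`, load it with `semodule -i local_smartd_megaraid.pp`, then recreate the node from the fsdaemon_t domain and confirm with `ls -Z` that it is labelled fixed_disk_device_t, as done in a later comment in this thread.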
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Installed 3.10.0-80 and rebooted. Still same denial:

avc: denied { create } for pid=902 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Let me check it.
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
Since this is the same package as the one listed in comment #7, and has the problems listed in comment #8, it clearly does not fix the bug. The issue remains open I guess...
Yes, it does not.
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Not sure why this was closed, as mentioned above, the bug is NOT fixed in 3.10.0-80
I did not remove the bug from this update in the bodhi.
I have just found a bug. Fixed in selinux-policy-3.10.0-82.fc16
Updated to 3.10.0-82, and still receive:

audit(1334466632.639:4): avc: denied { create } for pid=872 comm="smartd" name="megaraid_sas_ioctl_node" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Note also that 'audit2allow -b' and 'audit2why -b' are both broken in -82... not sure if it's related (they show no output even though the above error is in /var/log/messages).
It works for me with -83.fc16 which is now building.

# runcon -u system_u -r system_r -t initrc_t -- runcon -t fsdaemon_t -- mknod /dev/megaraid_sas_ioctl_node c <major> <minor>
# ls -Z /dev/megaraid_sas_ioctl_node
crw-r--r--. root root system_u:object_r:fixed_disk_device_t:s0 /dev/megaraid_sas_ioctl_node
Installed -83, and it finally works :) I couldn't test with the above in enforcing (denied { entrypoint } comm="runcon" path="/bin/mknod"), but that's not really important... smartd can now correctly create and use the device. Looking forward to giving the release karma. :)
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.