Description of problem:
smartd is not allowed to access block devices, i.e. a hdd or ssd, that is used by libvirt guests (scsi pool). It would be useful to do so in order to get notifications in case of a hard disk failure that is detected by SMART.

libvirtd storage for /dev/sdc configuration in case it helps.

<pool type='scsi'>
  <name>aoa</name>
  <uuid>26154d1b-7a0c-51ef-b541-0e5bcdf30907</uuid>
  <capacity unit='bytes'>0</capacity>
  <allocation unit='bytes'>0</allocation>
  <available unit='bytes'>0</available>
  <source>
    <adapter name='host2'/>
  </source>
  <target>
    <path>/dev/disk/by-id</path>
    <permissions>
      <mode>0700</mode>
      <owner>4294967295</owner>
      <group>4294967295</group>
    </permissions>
  </target>
</pool>

Additional info:
libreport version: 2.0.18
kernel:            3.6.11-1.fc17.x86_64

description:
:SELinux is preventing smartd from 'read' accesses on the blk_file sdc.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that smartd should be allowed read access on the sdc blk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smartd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:fsdaemon_t:s0
:Target Context                system_u:object_r:svirt_image_t:s0:c90,c581
:Target Objects                sdc [ blk_file ]
:Source                        smartd
:Source Path                   smartd
:Port                          <Άγνωστο>
:Host                          (removed)
:Source RPM Packages
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.11-1.fc17.x86_64 #1 SMP Mon
:                              Dec 17 22:16:35 UTC 2012 x86_64 x86_64
:Alert Count                   48
:First Seen                    2013-01-06 11:48:57 EET
:Last Seen                     2013-01-07 11:18:56 EET
:Local ID                      b9d7a7f2-360b-463c-bfcb-d8671bed3f84
:
:Raw Audit Messages
:type=AVC msg=audit(1357550336.769:446): avc: denied { read } for pid=857 comm="smartd" name="sdc" dev="devtmpfs" ino=6150 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c90,c581 tclass=blk_file
:
:
:Hash: smartd,fsdaemon_t,svirt_image_t,blk_file,read
:
:audit2allow
:
:#============= fsdaemon_t ==============
:allow fsdaemon_t svirt_image_t:blk_file read;
:
:audit2allow -R
:
:#============= fsdaemon_t ==============
:allow fsdaemon_t svirt_image_t:blk_file read;
:
Created attachment 673858
File: type
Created attachment 673859
File: hashmarkername
I guess we need to allow fsdaemon to read relabeled svirt_image_t on /dev/ blk devices.
Backported.
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
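The AVC record and the audit2allow output in the report above correspond field by field. As an added example (not part of the bug report, and a simplified parser rather than audit2allow's own code), this derives the allow rule from the record; the second and third log lines are constructed sample input.

```python
import re
from collections import defaultdict

# Record 1 is the AVC denial from the report. Records 2 and 3 are constructed
# for this example: a second denied permission and a non-AVC line to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357550336.769:446): avc: denied { read } for pid=857 comm="smartd" name="sdc" dev="devtmpfs" ino=6150 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c90,c581 tclass=blk_file
type=AVC msg=audit(1357550336.770:447): avc: denied { getattr } for pid=857 comm="smartd" path="/dev/sdc" dev="devtmpfs" ino=6150 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c90,c581 tclass=blk_file
type=SYSCALL msg=audit(1357550336.769:446): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c90,c581)."""
    user, role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": setype,
            "sensitivity": sens, "categories": cats.split(",") if cats else []}

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group("perms").split(), "comm": fields.get("comm"),
            "source": parse_context(fields["scontext"]),
            "target": parse_context(fields["tcontext"]), "tclass": fields["tclass"]}

def allow_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
            merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules
```

The derived rule names only the types; the MCS categories c90,c581 on the target are parsed into the record but do not appear in the rule, as in the audit2allow output in the report.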