On 01/12/2013 07:35 AM, Ilyas -- wrote:
> Hello,
>
> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
> virtualization with SELinux enabled; the guests also run the same OS (but
> without SELinux, which does not matter here).
>
> The host system is installed on mirrors based on the sda and sdb physical
> disks. The sd{c..f} disks are attached to a KVM guest (whole disks, not
> partitions; needed to use the benefits of zfs (zfsonlinux)). The problem is
> that the disks (files in /dev) attached to the KVM guest have an SELinux
> context that is inaccessible from the context of the smartd process.
>
> [root@xxxxxxxxxx ~]# ls -laZ /dev/sd{a..f}
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>
> [root@xxxxxxxxxx ~]# ps axwZ | grep smart[d]
> system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd -q never
>
> When I restart smartd, the following messages appear in audit.log:
>
> [root@xxxxxxxxxx ~]# tail -F /var/log/audit/audit.log | grep type=AVC
> type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>
> I tried to create an SELinux policy module using audit2allow:
>
> [root@xxxxxxxxxx ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
> [root@xxxxxxxxxx ~]# semodule -i smartd_svirt_image.pp
>
> but it did not help to solve the problem.
>
> How can I create a permissive rule for SELinux in my case?
>
> Thank you.
>

BTW, this will be fixed in the RHEL 6.4 version of the policy. Now if people would just pay for subscriptions...
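As an added illustration (not part of the thread or of audit2allow itself), a small Python parser that does in outline what audit2allow does with the denials quoted above: it groups the AVC records by source type, target type and object class, merges the denied permissions, renders the type-level allow rule, and keeps the target's MCS range visible, since an allow rule names only types. The two AVC lines are copied from the excerpt above; the SYSCALL record is constructed to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Two AVC records from the thread's audit.log excerpt plus a constructed
# SYSCALL record, included to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993549.198:8533): arch=c000003e syscall=2 success=no exit=-13 comm="smartd"
"""

# AVC fields in the order auditd writes them; .*? skips the varying middle parts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec

def split_context(ctx):
    """user:role:type[:range] -> (type, range); the range carries MCS categories."""
    parts = ctx.split(":", 3)
    return parts[2], (parts[3] if len(parts) > 3 else "")

def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class), merging the denied
    permissions and recording every target range seen (s0:c281,c675 here)."""
    groups = defaultdict(lambda: {"perms": set(), "target_ranges": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        stype, _ = split_context(rec["scontext"])
        ttype, trange = split_context(rec["tcontext"])
        group = groups[(stype, ttype, rec["tclass"])]
        group["perms"] |= rec["perms"]
        group["target_ranges"].add(trange)
    return dict(groups)

def rules_from_denials(groups):
    """Render each group as the type-level allow rule audit2allow would propose;
    the rule names only types, so the MCS categories do not appear in it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]
```

Running `summarize_denials` over a real audit.log lets you see, per denied (source, target, class) tuple, both the permissions a generated module would grant and the MCS range of the object before deciding whether a local module or a policy update is the right fix.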