Dear Daniel, > BTW This will be fixed in the RHEL6.4 version of policy. is new policy already available in rhel6.4? On Mon, Jan 14, 2013 at 9:33 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/12/2013 07:35 AM, Ilyas -- wrote: >> Hello, >> >> I'm using HP homeserver where host system run CentOS 6.3 with KVM >> virtualization with SELinux enabled, guests too run the same OS (but >> without SELinux, but this does not matter). >> >> Host system installed on mirrors based on sda and sdb physical disks. >> sd{c..f} disks attached to KVM guest (whole disks, not partitions; needed >> to use zfs (zfsonlinux) benefit features). Problem is that disks (files in >> /dev) which attached to KVM guest has SELinux context which inaccessible >> from context of smartd process. >> >> [root@xxxxxxxxxx ~]# ls -laZ /dev/sd{a..f} brw-rw----. root disk >> system_u:object_r:fixed_disk_device_t:s0 /dev/sda brw-rw----. root disk >> system_u:object_r:fixed_disk_device_t:s0 /dev/sdb brw-rw----. qemu qemu >> system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc brw-rw----. qemu qemu >> system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd brw-rw----. qemu qemu >> system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde brw-rw----. qemu qemu >> system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf >> >> [root@xxxxxxxxxx ~]# ps axwZ | grep smart[d] >> system_u:system_r:fsdaemon_t:s0 1762 ? S 0:00 /usr/sbin/smartd >> -q never >> >> When I restarts smartd next messages appears in audit.log: [root@xxxxxxxxxx >> ~]# tail -F /var/log/audit/audit.log | grep type=AVC type=AVC >> msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 >> comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for >> pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for >> pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for >> pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for >> pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for >> pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for >> pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for >> pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 >> scontext=unconfined_u:system_r:fsdaemon_t:s0 >> tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file >> >> I tried to create SELinux policy using audit2allow: [root@xxxxxxxxxx ~]# >> cat /var/log/audit/audit.log | grep smartd | audit2allow -M >> smartd_svirt_image [root@xxxxxxxxxx ~]# semodule -i smartd_svirt_image.pp >> but it not helped to solve problem. >> >> How I can create permissive rule for selinux in my case? >> >> Thank you. >> > BTW This will be fixed in the RHEL6.4 version of policy. > > Now if people would just pay for subscriptions... > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlD0QU0ACgkQrlYvE4MpobOOMACfQaJuZn+FZ9RQarjU8r8x0cdK > ch8AoJ1f/srOEgu6dTDKP2m8ow6mQ8ER > =cCad > -----END PGP SIGNATURE----- > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos -- GPG Key ID: 6EC5EB27 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos