View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016410 | CentOS-7 | selinux-policy | public | 2019-09-18 08:49 | 2022-05-28 10:36 |
Field | Value
---|---
Reporter | TuxHandwerker
Assigned To |
Priority | normal
Severity | minor
Reproducibility | have not tried
Status | new
Resolution | open
OS Version | 7
Summary | 0016410: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
Additional Information | reporter: libreport-2.1.11.1; hashmarkername: setroubleshoot; kernel: 3.10.0-1062.1.1.el7.x86_64; reproducible: Not sure how to reproduce the problem; type: libreport
Tags | No tags attached.
abrt_hash | 0b597acc808ce3fc5bb3345c940a598b80e253c0853c81ccd1e1bd7cfa0535ee
URL |

Description

Description of problem: Update to CentOS 7.7. SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.

***** Plugin catchall (100. confidence) suggests **************************

If you think that smartd should be allowed read access to the nvme0 chr_file by default, then you should report this as a bug. To allow this access, you can create a local policy module. Do allow this access for now by executing:

```text
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp
```

Additional Information:

```text
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:object_r:nvme_device_t:s0
Target Objects                nvme0 [ chr_file ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           smartmontools-7.0-1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64
Alert Count                   8
First Seen                    2019-09-18 08:53:07 CEST
Last Seen                     2019-09-18 10:02:12 CEST
Local ID                      8902e268-6c0b-4a65-be8c-a46172186e44
```

Raw Audit Messages:

```text
type=AVC msg=audit(1568793732.625:11): avc: denied { read } for pid=2185 comm="smartd" name="nvme0" dev="devtmpfs" ino=1404 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0

type=SYSCALL msg=audit(1568793732.625:11): arch=x86_64 syscall=open success=no exit=EACCES a0=562bf8e9dbc8 a1=800 a2=0 a3=562bf795add0 items=0 ppid=1 pid=2185 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smartd exe=/usr/sbin/smartd subj=system_u:system_r:fsdaemon_t:s0 key=(null)
```

Hash: smartd,fsdaemon_t,nvme_device_t,chr_file,read

Version-Release number of selected component: selinux-policy-3.13.1-252.el7.1.noarch
Another user experienced a similar problem: Not sure

```text
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.el7.x86_64
package: selinux-policy-3.13.1-266.el7.noarch
reason: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
reproducible: Not sure how to reproduce the problem
type: libreport
```
Another user experienced a similar problem: Recently installed new SSD at /dev/nvme0

```text
$ ls -lZ /dev/nvme*
crw-------. root root system_u:object_r:nvme_device_t:s0 /dev/nvme0
brw-rw----. root disk system_u:object_r:nvme_device_t:s0 /dev/nvme0n1
```

Smartd should be allowed to read this device. Note: Device not yet partitioned and nothing installed on it. Just plugged in and did some tests to interrogate controller.

----------

Generated a local policy module to allow this access by executing:

```text
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp
```

```text
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1160.53.1.el7.x86_64
package: selinux-policy-3.13.1-268.el7_9.2.noarch
reason: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
reproducible: Not sure how to reproduce the problem
type: libreport
```
Confirm the problem still exists:

- selinux-policy-3.13.1-268.el7_9.2
- selinux-policy-targeted-3.13.1-268.el7_9.2

I've resolved the problem by repeating several times:

```text
ausearch -c 'smartd' --raw | audit2allow -M my-smartd && semodule -i my-smartd.pp && systemctl restart smartd
```

Finally I've got the following my-smartd.te:

```text
module my-smartd3 1.0;

require {
	type fsdaemon_t;
	type nvme_device_t;
	class blk_file { ioctl open read };
	class chr_file { ioctl open read };
}

#============= fsdaemon_t ==============

#!!!! This avc is allowed in the current policy
allow fsdaemon_t nvme_device_t:blk_file { ioctl open read };
allow fsdaemon_t nvme_device_t:chr_file ioctl;

#!!!! This avc is allowed in the current policy
allow fsdaemon_t nvme_device_t:chr_file { open read };
```
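As an added example for the repeated ausearch | audit2allow | semodule rounds in the note above (not code from the bug report, nor audit2allow's own code), a POSIX shell script that merges all "denied" AVC records for smartd into the minimal allow rules and a complete .te module in one pass. The sample records are constructed from the AVC in the report; the follow-on open/ioctl and blk_file records and their audit ids are assumed, and collecting them in one run assumes the domain was first made permissive with `semanage permissive -a fsdaemon_t` (reverted afterwards with `semanage permissive -d fsdaemon_t`).

```shell
# Added example: merge every "denied" AVC for smartd into one set of allow
# rules in a single pass, instead of repeating the ausearch | audit2allow |
# semodule cycle until the last denial (chr_file ioctl) finally shows up.
# Constructed input: the AVC from the report, plus the follow-on denials that
# only surface once the previous one is allowed (those records and the
# blk_file one for nvme0n1 are hypothetical, as are their audit ids).
SAMPLE_AVCS='type=AVC msg=audit(1568793732.625:11): avc:  denied  { read } for  pid=2185 comm="smartd" name="nvme0" dev="devtmpfs" ino=1404 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1568793732.625:11): arch=x86_64 syscall=open success=no exit=EACCES comm=smartd exe=/usr/sbin/smartd
type=AVC msg=audit(1568793740.001:12): avc:  denied  { open } for  pid=2185 comm="smartd" name="nvme0" dev="devtmpfs" ino=1404 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1568793750.002:13): avc:  denied  { ioctl } for  pid=2185 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=1404 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1568793760.003:14): avc:  denied  { ioctl open read } for  pid=2185 comm="smartd" path="/dev/nvme0n1" dev="devtmpfs" ino=1405 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0'

# avc_to_rules: raw audit records on stdin -> one allow rule per
# (source type, target type, class) with the denied permissions merged and
# sorted. Only "denied" AVC records count; SYSCALL etc. are skipped.
avc_to_rules() {
  awk '
    /type=AVC / && /avc: *denied/ {
      match($0, /[{][^}]*[}]/);    perms = substr($0, RSTART + 1, RLENGTH - 2)
      match($0, /scontext=[^ ]*/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]*/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]*/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")   # user:role:type:level -> type
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++) print sa[3] "\t" ta[3] "\t" c "\t" pa[i]
    }' |
  LC_ALL=C sort -u |
  awk -F "\t" '
    { k = $1 FS $2 FS $3 }
    k != prev { if (prev != "") print rule " };"
                rule = "allow " $1 " " $2 ":" $3 " {"; prev = k }
    { rule = rule " " $4 }
    END { if (prev != "") print rule " };" }'
}

# avc_to_te NAME: wrap the rules in a type-enforcement module with the require
# block checkmodule needs (the shape audit2allow -M NAME writes). One class
# line per rule, which is exact here because each class appears in one rule.
avc_to_te() {
  rules=$(avc_to_rules)
  printf 'module %s 1.0;\n\nrequire {\n' "$1"
  printf '%s\n' "$rules" | awk '{ print $2; sub(/:.*/, "", $3); print $3 }' |
    LC_ALL=C sort -u | sed 's/.*/    type &;/'
  printf '%s\n' "$rules" | sed 's/^allow [^ ]* [^:]*:/    class /'
  printf '}\n\n%s\n' "$rules"
}

# Usage: printf '%s\n' "$SAMPLE_AVCS" | avc_to_te my-smartd
# (live: ausearch -c 'smartd' --raw | avc_to_te my-smartd > my-smartd.te)
```

The resulting module is the merged form of the three rounds in the note above and grants only the fsdaemon_t to nvme_device_t accesses that were actually denied; review the rules before building and installing it.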
Date Modified | Username | Field | Change |
---|---|---|---|
2019-09-18 08:49 | TuxHandwerker | New Issue | |
2020-05-04 07:15 | Jonathan Reznik | Note Added: 0036861 | |
2022-02-10 05:17 | rk-centosbug | Note Added: 0038852 | |
2022-05-28 10:36 | ashl1 | Note Added: 0038937 |