View Issue Details

IDProjectCategoryView StatusLast Update
0016410CentOS-7selinux-policypublic2022-05-28 10:36
ReporterTuxHandwerker Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
OS Version7 
Summary0016410: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
DescriptionDescription of problem:
Update to CentOS 7.7
SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.

***** Plugin catchall (100. confidence) suggests **************************

Wenn Sie denken, dass es smartd standardmäßig erlaubt sein sollte, read Zugriff auf nvme0 chr_file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp

Additional Information:
Source Context system_u:system_r:fsdaemon_t:s0
Target Context system_u:object_r:nvme_device_t:s0
Target Objects nvme0 [ chr_file ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host (removed)
Source RPM Packages smartmontools-7.0-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.1.1.el7.x86_64 #1 SMP
                              Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64
Alert Count 8
First Seen 2019-09-18 08:53:07 CEST
Last Seen 2019-09-18 10:02:12 CEST
Local ID 8902e268-6c0b-4a65-be8c-a46172186e44

Raw Audit Messages
type=AVC msg=audit(1568793732.625:11): avc: denied { read } for pid=2185 comm="smartd" name="nvme0" dev="devtmpfs" ino=1404 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1568793732.625:11): arch=x86_64 syscall=open success=no exit=EACCES a0=562bf8e9dbc8 a1=800 a2=0 a3=562bf795add0 items=0 ppid=1 pid=2185 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=smartd exe=/usr/sbin/smartd subj=system_u:system_r:fsdaemon_t:s0 key=(null)

Hash: smartd,fsdaemon_t,nvme_device_t,chr_file,read

Version-Release number of selected component:
selinux-policy-3.13.1-252.el7.1.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.1.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash0b597acc808ce3fc5bb3345c940a598b80e253c0853c81ccd1e1bd7cfa0535ee
URL

Activities

Jonathan Reznik

Jonathan Reznik

2020-05-04 07:15

reporter   ~0036861

Another user experienced a similar problem:

Not sure

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.el7.x86_64
package: selinux-policy-3.13.1-266.el7.noarch
reason: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
reproducible: Not sure how to reproduce the problem
type: libreport
rk-centosbug

rk-centosbug

2022-02-10 05:17

reporter   ~0038852

Another user experienced a similar problem:

Revently installed new SSD at /dev/nvme0
$ ls -lZ /dev/nvme*
crw-------. root root system_u:object_r:nvme_device_t:s0 /dev/nvme0
brw-rw----. root disk system_u:object_r:nvme_device_t:s0 /dev/nvme0n1

Smartd should be allowed to read this device.

Note: Device not yet partiioned and nothing installed on it. Just plugged in and did some tests to interrogate controller.

----------

Generated a local policy module to allow this access by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp




reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1160.53.1.el7.x86_64
package: selinux-policy-3.13.1-268.el7_9.2.noarch
reason: SELinux is preventing /usr/sbin/smartd from 'read' accesses on the chr_file nvme0.
reproducible: Not sure how to reproduce the problem
type: libreport
ashl1

ashl1

2022-05-28 10:36

reporter   ~0038937

Confirm the problem still exists:
- selinux-policy-3.13.1-268.el7_9.2
- selinux-policy-targeted-3.13.1-268.el7_9.2

I've resolved the problem by repeating several times:
ausearch -c 'smartd' --raw | audit2allow -M my-smartd && semodule -i my-smartd.pp && systemctl restart smartd

Finally I've got following my-smartd.te:
module my-smartd3 1.0;

require {
        type fsdaemon_t;
        type nvme_device_t;
        class blk_file { ioctl open read };
        class chr_file { ioctl open read };
}

#============= fsdaemon_t ==============

#!!!! This avc is allowed in the current policy
allow fsdaemon_t nvme_device_t:blk_file { ioctl open read };
allow fsdaemon_t nvme_device_t:chr_file ioctl;

#!!!! This avc is allowed in the current policy
allow fsdaemon_t nvme_device_t:chr_file { open read };

Issue History

Date Modified Username Field Change
2019-09-18 08:49 TuxHandwerker New Issue
2020-05-04 07:15 Jonathan Reznik Note Added: 0036861
2022-02-10 05:17 rk-centosbug Note Added: 0038852
2022-05-28 10:36 ashl1 Note Added: 0038937