View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016645 | CentOS-7 | selinux-policy | public | 2019-10-24 06:29 | 2022-05-28 10:32 |
Reporter | bugs.centos.org@elger.org | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open | ||
OS Version | 7 | ||||
Summary | 0016645: SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0. | ||||
Tags | No tags attached. | ||||
abrt_hash | 621a5b014dc85f0717fdc35e7c91c406509f971c31121803ed6ff1dc71e9439c | ||||
URL | |||||

Description

Description of problem: If you install smartmontools then (periodically) smartd wants to access your block devices. This generates an SELinux alert:

```
SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smartd should be allowed ioctl access on the nvme0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp

Additional Information:
Source Context                system_u:system_r:fsdaemon_t:s0
Target Context                system_u:object_r:nvme_device_t:s0
Target Objects                /dev/nvme0 [ chr_file ]
Source                        smartd
Source Path                   /usr/sbin/smartd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64
Alert Count                   319
First Seen                    2019-10-07 08:39:04 CEST
Last Seen                     2019-10-24 08:16:00 CEST
Local ID                      bbbe8cc7-e933-4860-9024-0880541fbd7b

Raw Audit Messages
type=AVC msg=audit(1571897760.413:455): avc: denied { ioctl } for pid=1564 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=8080 ioctlcmd=4e41 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1

Hash: smartd,fsdaemon_t,nvme_device_t,chr_file,ioctl
```

Version-Release number of selected component: selinux-policy-3.13.1-252.el7.1.noarch

Additional Information

```
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.1.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
```
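The report above shows two different denials for the same smartd-to-/dev/nvme0 access: the alert's `ioctl` denial was logged under Permissive mode (`permissive=1`, the access still went through), while the `read` denial in the comments below carries `permissive=0`, which is the one that actually blocks smartd and explains the "0 NVMe devices" count. The following Python script, an added example that is not part of this bug report nor of smartmontools or selinux-policy, parses AVC records from an audit log, resolves the object path from the matching PATH record by event id, reproduces the setroubleshoot `Hash:` key, separates enforced denials from permissive-only ones, and drafts the `allow` rules that `audit2allow` would generate from the same input so they can be reviewed before `semodule -i`. The sample log is constructed from the two records quoted on this page; the timestamp and serial on the second event are made up because the page elides them.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two denials quoted in this report (the
# ioctl one from the setroubleshoot alert, the read one from the audit.log
# excerpt in the comments). The msg=audit(...) id on the second event is
# invented: the page shows it only as "(...)".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1571897760.413:455): avc: denied { ioctl } for pid=1564 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=8080 ioctlcmd=4e41 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581415200.250:912): avc: denied { read } for pid=3199129 comm="smartd" name="nvme0" dev="devtmpfs" ino=11302 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=PATH msg=audit(1581415200.250:912): item=0 name="/dev/nvme0" inode=11302 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=f3:00 obj=system_u:object_r:nvme_device_t:s0 objtype=NORMAL
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
PATH_RE = re.compile(r'^type=PATH msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = parse_kv(m.group('rest'))
    return {
        'event': (m.group('ts'), m.group('serial')),   # audit event id, shared with PATH records
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'comm': f.get('comm', '?'),
        'stype': f['scontext'].split(':')[2],           # user:role:type:level -> type
        'ttype': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
        'permissive': f.get('permissive') == '1',       # 1 = logged only, 0 = access blocked
        'object': f.get('path') or f.get('name', '?'),
    }


def parse_audit_log(text):
    """Parse all AVC records; PATH records with the same event id supply the full path."""
    records, paths = [], {}
    for line in text.splitlines():
        pm = PATH_RE.match(line.strip())
        if pm:
            paths[(pm.group('ts'), pm.group('serial'))] = parse_kv(pm.group('rest')).get('name')
            continue
        rec = parse_avc(line)
        if rec:
            records.append(rec)
    for rec in records:
        rec['object'] = paths.get(rec['event'], rec['object'])
    return records


def setroubleshoot_key(rec):
    """Same shape as the 'Hash:' line setroubleshoot prints for an alert."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], ','.join(rec['perms'])])


def enforced_denials(records):
    """Denials that actually blocked the access (permissive=0): the real breakage."""
    return [r for r in records if r['result'] == 'denied' and not r['permissive']]


def draft_allow_rules(records):
    """Collapse denials into the allow rules audit2allow would emit, one per (source, target, class)."""
    wanted = defaultdict(set)
    for rec in records:
        if rec['result'] == 'denied':
            wanted[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(wanted.items())]


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        mode = 'logged only (permissive)' if r['permissive'] else 'BLOCKED (enforcing)'
        print('%s on %s: %s' % (setroubleshoot_key(r), r['object'], mode))
    print('\n'.join(draft_allow_rules(recs)))
```

Run it as-is to see the two events classified and the single drafted rule `allow fsdaemon_t nvme_device_t:chr_file { ioctl read };`. Drafting the rule from parsed records rather than piping `ausearch --raw` straight into `audit2allow` makes it visible exactly which permissions a local module would grant to the whole `fsdaemon_t` domain, which is the point to check before loading it on an enforcing host.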
Was able to reproduce:

```
# cat /etc/smartmontools/smartd.conf
DEVICESCAN -H -m root -n standby,48,q -s L/../01/./08
# ps x|grep smar[t]
<...> /usr/sbin/smartd -n -q never
# grep NVMe /var/log/messages
smartd[...]: Monitoring 14 ATA/SATA, 0 SCSI/SAS and 0 NVMe devices
# grep nvme /var/log/audit/audit.log
type=AVC msg=audit(...): avc: denied { read } for pid=3199129 comm="smartd" name="nvme0" dev="devtmpfs" ino=11302 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=PATH msg=audit(...): item=0 name="/dev/nvme0" inode=11302 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=f3:00 obj=system_u:object_r:nvme_device_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
```

Also, possible duplicate on the Fedora tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1530018

What does `rpm -q smartmontools selinux-policy` say?

Here's the info:

```
# rpm -q smartmontools selinux-policy
smartmontools-7.0-1.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
```

The system was upgraded and rebooted recently. No packages marked for update.

I have a newer smartmontools installed: smartmontools-7.0-1.el7_7.1.x86_64. I would suggest updating to see if it helps.

Sorry, my bad. Our repo was stalled. Upgraded now:

```
# rpm -q smartmontools selinux-policy
smartmontools-7.0-1.el7_7.1.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
```

Issue remains:

```
smartd[...]: Monitoring 14 ATA/SATA, 0 SCSI/SAS and 0 NVMe devices
```

/var/log/audit/audit.log:

```
type=AVC msg=audit(...): avc: denied { read } for pid=3327865 comm="smartd" name="nvme0" dev="devtmpfs" ino=11302 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=PATH msg=audit(...): item=0 name="/dev/nvme0" inode=11302 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=f3:00 obj=system_u:object_r:nvme_device_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
```

This is a dup of #16410.
Date Modified | Username | Field | Change |
---|---|---|---|
2019-10-24 06:29 | bugs.centos.org@elger.org | New Issue | |
2020-02-11 09:57 | vytenis | Note Added: 0036257 | |
2020-02-11 10:39 | TrevorH | Note Added: 0036258 | |
2020-02-11 11:00 | vytenis | Note Added: 0036259 | |
2020-02-11 11:05 | TrevorH | Note Added: 0036260 | |
2020-02-11 11:43 | vytenis | Note Added: 0036262 | |
2022-05-28 10:32 | ashl1 | Note Added: 0038936 | 