View Issue Details

ID: 0016645
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-10-24 06:29
Reporter: bugs.centos.org@elger.org
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0016645: SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0.
Description:
Description of problem:
If you install smartmontools, then (periodically) smartd wants to access your block devices.

This generates a SELinux Alert
SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smartd should be allowed ioctl access on the nvme0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp

Additional Information:
Source Context system_u:system_r:fsdaemon_t:s0
Target Context system_u:object_r:nvme_device_t:s0
Target Objects /dev/nvme0 [ chr_file ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.1.2.el7.x86_64 #1 SMP
                              Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64
Alert Count 319
First Seen 2019-10-07 08:39:04 CEST
Last Seen 2019-10-24 08:16:00 CEST
Local ID bbbe8cc7-e933-4860-9024-0880541fbd7b

Raw Audit Messages
type=AVC msg=audit(1571897760.413:455): avc: denied { ioctl } for pid=1564 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=8080 ioctlcmd=4e41 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1


Hash: smartd,fsdaemon_t,nvme_device_t,chr_file,ioctl

Version-Release number of selected component:
selinux-policy-3.13.1-252.el7.1.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.1.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 621a5b014dc85f0717fdc35e7c91c406509f971c31121803ed6ff1dc71e9439c
URL:

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-10-24 06:29 bugs.centos.org@elger.org New Issue