View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0016645CentOS-7selinux-policypublic2019-10-24 06:292020-02-11 11:43
Reporterbugs.centos.org@elger.org 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0016645: SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0.
DescriptionDescription of problem:
If you install smartmontools then (periodically) smartd wants to access your blockdevices

This generates a SELinux Alert
SELinux is preventing /usr/sbin/smartd from 'ioctl' accesses on the chr_file /dev/nvme0.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smartd should be allowed ioctl access on the nvme0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smartd' --raw | audit2allow -M my-smartd
# semodule -i my-smartd.pp

Additional Information:
Source Context system_u:system_r:fsdaemon_t:s0
Target Context system_u:object_r:nvme_device_t:s0
Target Objects /dev/nvme0 [ chr_file ]
Source smartd
Source Path /usr/sbin/smartd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.1.2.el7.x86_64 #1 SMP
                              Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64
Alert Count 319
First Seen 2019-10-07 08:39:04 CEST
Last Seen 2019-10-24 08:16:00 CEST
Local ID bbbe8cc7-e933-4860-9024-0880541fbd7b

Raw Audit Messages
type=AVC msg=audit(1571897760.413:455): avc: denied { ioctl } for pid=1564 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=8080 ioctlcmd=4e41 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=1


Hash: smartd,fsdaemon_t,nvme_device_t,chr_file,ioctl

Version-Release number of selected component:
selinux-policy-3.13.1-252.el7.1.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.1.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hash621a5b014dc85f0717fdc35e7c91c406509f971c31121803ed6ff1dc71e9439c
URL

Activities

vytenis

vytenis

2020-02-11 09:57

reporter   ~0036257

Was able to reproduce:

# cat /etc/smartmontools/smartd.conf
DEVICESCAN -H -m root -n standby,48,q -s L/../01/./08

# ps x|grep smar[t]
<...> /usr/sbin/smartd -n -q never

# grep NVMe /var/log/messages
smartd[...]: Monitoring 14 ATA/SATA, 0 SCSI/SAS and 0 NVMe devices

# grep nvme /var/log/audit/audit.log
type=AVC msg=audit(...): avc: denied { read } for pid=3199129 comm="smartd" name="nvme0" dev="devtmpfs" ino=11302 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=PATH msg=audit(...): item=0 name="/dev/nvme0" inode=11302 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=f3:00 obj=system_u:object_r:nvme_device_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"
t

Also, possible duplicate on fedora tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1530018
TrevorH

TrevorH

2020-02-11 10:39

manager   ~0036258

what does `rpm -q smartmontools selinux-policy` say?
vytenis

vytenis

2020-02-11 11:00

reporter   ~0036259

Here's the info:

# rpm -q smartmontools selinux-policy
smartmontools-7.0-1.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch

The system was upgraded and rebooted recently. No packages marked for update
TrevorH

TrevorH

2020-02-11 11:05

manager   ~0036260

I have a newer smartmontools installed : smartmontools-7.0-1.el7_7.1.x86_64

I would suggest updating to see if it helps.
vytenis

vytenis

2020-02-11 11:43

reporter   ~0036262

Sorry, my bad. Our repo was stalled. Upgraded now:

# rpm -q smartmontools selinux-policy
smartmontools-7.0-1.el7_7.1.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch

Issue remains:

smartd[...]: Monitoring 14 ATA/SATA, 0 SCSI/SAS and 0 NVMe devices

/var/log/audit/audit.log:
type=AVC msg=audit(...): avc: denied { read } for pid=3327865 comm="smartd" name="nvme0" dev="devtmpfs" ino=11302 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=PATH msg=audit(...): item=0 name="/dev/nvme0" inode=11302 dev=00:05 mode=020600 ouid=0 ogid=0 rdev=f3:00 obj=system_u:object_r:nvme_device_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0OUID="root" OGID="root"

Issue History

Date Modified Username Field Change
2019-10-24 06:29 bugs.centos.org@elger.org New Issue
2020-02-11 09:57 vytenis Note Added: 0036257
2020-02-11 10:39 TrevorH Note Added: 0036258
2020-02-11 11:00 vytenis Note Added: 0036259
2020-02-11 11:05 TrevorH Note Added: 0036260
2020-02-11 11:43 vytenis Note Added: 0036262