Hello,

I'm using an HP home server where the host system runs CentOS 6.3 with KVM virtualization with SELinux enabled; the guests also run the same OS (but without SELinux, but this does not matter).

The host system is installed on mirrors based on the sda and sdb physical disks. The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed to use the zfs (zfsonlinux) benefit features). The problem is that the disks (files in /dev) which are attached to the KVM guest have an SELinux context which is inaccessible from the context of the smartd process.

[root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf

[root at srv-1.home ~]# ps axwZ | grep smart[d]
system_u:system_r:fsdaemon_t:s0 1762 ?        S      0:00 /usr/sbin/smartd -q never

When I restart smartd, the following messages appear in audit.log:

[root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file

I tried to create an SELinux policy module using audit2allow:

[root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
[root at srv-1.home ~]# semodule -i smartd_svirt_image.pp

but it did not help to solve the problem.

How can I create a permissive rule for SELinux in my case?

Thank you.

--
GPG Key ID: 6EC5EB27
Gordon Messmer
2013-Jan-12 22:55 UTC
[CentOS] selinux + kvm virtualization + smartd problem
On 01/12/2013 04:35 AM, Ilyas -- wrote:
> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
> but it did not help to solve the problem.
>
> How can I create a permissive rule for SELinux in my case?

If you need to create your own rules, the first thing you need to do is capture the audit log, and set the system into permissive mode:

tail -f /var/log/audit/audit.log

In a new terminal:

setenforce permissive

Now, run the process that's generating AVCs. Run through its standard operations. When that's done, use all of the relevant AVCs that you captured through audit2why to make sure that there's not an existing boolean that can be flipped. Assuming there isn't, run them through audit2allow -M.
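As an added example (not code from the thread or from any of its participants), the following Python script does offline what the audit2allow -M step above does to the AVC records from the original post: it parses them, collapses them by source type, target type and object class into the allow rule a module would contain, and prints type-enforcement source in the same shape. It also compares the MCS categories of the two contexts, which is my own addition: the smartd process runs at plain s0 while the disks carry s0:c281,c675. The sample log is constructed from three of the thread's records plus a SYSCALL line and an unrelated AVC to show the filtering; the module name and the non-smartd line are assumptions. The category check rests on an inference the thread does not state: if the denial is enforced by an MCS constraint rather than by a missing type-enforcement rule, an allow rule alone leaves it in place, which is consistent with the poster's module changing nothing, and audit2why on the actual system is the way to confirm that before installing any module.

```python
"""Offline triage of SELinux AVC denials: the allow rule audit2allow would produce,
plus an MCS category comparison that a type-enforcement rule does not address."""
import re
from collections import defaultdict

# Constructed sample input: three of the smartd denials from the thread (re-typed
# here as test data), one SYSCALL record and one unrelated AVC (assumed, not from
# the thread) so that the filtering by record type and by comm is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=SYSCALL msg=audit(1357993548.964:8529): arch=c000003e syscall=4 success=no exit=-13 comm="smartd" exe="/usr/sbin/smartd" subj=unconfined_u:system_r:fsdaemon_t:s0
type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
type=AVC msg=audit(1357993600.000:8600): avc: denied { write } for pid=777 comm="example_d" name="example.log" dev=sda1 ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_parts(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c281,c675)."""
    parts = ctx.split(':', 3)
    if len(parts) == 3:          # context without a level field
        parts.append('')
    return parts


def parse_level(level):
    """Return (high sensitivity, set of categories) for an MCS/MLS level string.
    For a range 'low-high' the high end is used; 'c0.c1023' ranges are expanded."""
    high = level.split('-')[-1]
    if ':' not in high:
        return high, set()
    sens, cats = high.split(':', 1)
    out = set()
    for part in cats.split(','):
        if '.' in part:
            lo, hi = part.split('.')
            out.update(f'c{n}' for n in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(part)
    return sens, out


def parse_avcs(text, comm=None):
    """Parse 'type=AVC ... avc: denied' records, optionally keeping one comm only."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or (comm is not None and m.group('comm') != comm):
            continue
        _, _, stype, slevel = context_parts(m.group('scontext'))
        _, _, ttype, tlevel = context_parts(m.group('tcontext'))
        records.append({'comm': m.group('comm'), 'perms': set(m.group('perms').split()),
                        'stype': stype, 'slevel': slevel,
                        'ttype': ttype, 'tlevel': tlevel, 'tclass': m.group('tclass')})
    return records


def te_rules(records):
    """Collapse records into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(rules)


def render_te_module(name, rules):
    """Emit type-enforcement source in the shape audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f'allow {s} {t}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


def mcs_gaps(records):
    """List (source type, target type, categories) where the target carries MCS
    categories the source level does not; an allow rule does not grant those."""
    gaps = []
    for r in records:
        missing = parse_level(r['tlevel'])[1] - parse_level(r['slevel'])[1]
        entry = (r['stype'], r['ttype'], missing)
        if missing and entry not in gaps:
            gaps.append(entry)
    return gaps


if __name__ == '__main__':
    recs = parse_avcs(SAMPLE_AUDIT_LOG, comm='smartd')
    print(render_te_module('smartd_svirt_image', te_rules(recs)))
    for stype, ttype, cats in mcs_gaps(recs):
        print(f'MCS gap: {stype} is at a level without {sorted(cats)}, which {ttype} '
              'carries; confirm the cause with audit2why before relying on the rule')
```

Run against the thread's records, the script emits `allow fsdaemon_t svirt_image_t:blk_file { getattr read };`, the same rule audit2allow would have written, and then reports that fsdaemon_t lacks c281 and c675. That second line is the diagnostic the poster was missing: the svirt categories are assigned per guest by libvirt, so hard-wiring them into a module is not a fix either, and the question becomes a policy-level one for the distribution, as the later reply in this thread indicates.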
Daniel J Walsh
2013-Jan-14 17:33 UTC
[CentOS] selinux + kvm virtualization + smartd problem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/12/2013 07:35 AM, Ilyas -- wrote:
> Hello,
>
> I'm using an HP home server where the host system runs CentOS 6.3 with KVM
> virtualization with SELinux enabled; the guests also run the same OS (but
> without SELinux, but this does not matter).
>
> The host system is installed on mirrors based on the sda and sdb physical disks.
> The sd{c..f} disks are attached to a KVM guest (whole disks, not partitions; needed
> to use the zfs (zfsonlinux) benefit features). The problem is that the disks (files in
> /dev) which are attached to the KVM guest have an SELinux context which is inaccessible
> from the context of the smartd process.
>
> [root at srv-1.home ~]# ls -laZ /dev/sd{a..f}
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf
>
> [root at srv-1.home ~]# ps axwZ | grep smart[d]
> system_u:system_r:fsdaemon_t:s0 1762 ?        S      0:00 /usr/sbin/smartd -q never
>
> When I restart smartd, the following messages appear in audit.log:
>
> [root at srv-1.home ~]# tail -F /var/log/audit/audit.log | grep type=AVC
> type=AVC msg=audit(1357993548.964:8529): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.965:8530): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8531): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993548.966:8532): avc: denied { getattr } for pid=21321 comm="smartd" path="/dev/sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8533): avc: denied { read } for pid=21321 comm="smartd" name="sdc" dev=devtmpfs ino=6327 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8534): avc: denied { read } for pid=21321 comm="smartd" name="sdd" dev=devtmpfs ino=6321 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8535): avc: denied { read } for pid=21321 comm="smartd" name="sde" dev=devtmpfs ino=6324 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
> type=AVC msg=audit(1357993549.198:8536): avc: denied { read } for pid=21321 comm="smartd" name="sdf" dev=devtmpfs ino=6330 scontext=unconfined_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c281,c675 tclass=blk_file
>
> I tried to create an SELinux policy module using audit2allow:
>
> [root at srv-1.home ~]# cat /var/log/audit/audit.log | grep smartd | audit2allow -M smartd_svirt_image
> [root at srv-1.home ~]# semodule -i smartd_svirt_image.pp
>
> but it did not help to solve the problem.
>
> How can I create a permissive rule for SELinux in my case?
>
> Thank you.
>

BTW, this will be fixed in the RHEL6.4 version of policy. Now if people would just pay for subscriptions...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD0QU0ACgkQrlYvE4MpobOOMACfQaJuZn+FZ9RQarjU8r8x0cdK
ch8AoJ1f/srOEgu6dTDKP2m8ow6mQ8ER
=cCad
-----END PGP SIGNATURE-----