TuXHaT


Linux / sysadmin / Debian / Ubuntu / Red Hat / Centos

selinux denials on 3ware RAID SMART check

By tux • Sep 4th, 2009 • Category: Linux, Selinux, Storage

If you have an SELinux-enabled Linux machine and use smartd to check hard drives connected to a 3ware RAID controller, you may encounter a couple of denials like the ones below:

kernel: type=1400 audit(1252046658.420:122): avc: denied { ioctl } for pid=28988 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=root:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.256:123): avc: denied { getattr } for pid=18264 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.258:124): avc: denied { read } for pid=18264 comm="smartd" name="twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

kernel: type=1400 audit(1252049165.258:125): avc: denied { ioctl } for pid=18264 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

By default, the 3ware RAID controller device /dev/twa0 gets the generic file context for /dev, which is device_t. But smartd runs in the fsdaemon_t domain, which does not have access to objects of type device_t.

So you need to relabel /dev/twa0 as below,

chcon -t fixed_disk_device_t /dev/twa*

Conclusion:

fsdaemon_t can operate on objects of type fixed_disk_device_t.
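The four denials above all describe the same missing access. As an added example (not part of the original post), the following parses AVC lines in this format and groups the denied permissions by source type, target type and object class. The function names are hypothetical, and the sample input is the post's denials retyped with ASCII quotes.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials from the post, retyped with the
# plain ASCII quotes the kernel actually logs.
SAMPLE = """\
kernel: type=1400 audit(1252046658.420:122): avc: denied { ioctl } for pid=28988 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=root:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: type=1400 audit(1252049165.256:123): avc: denied { getattr } for pid=18264 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: type=1400 audit(1252049165.258:124): avc: denied { read } for pid=18264 comm="smartd" name="twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
kernel: type=1400 audit(1252049165.258:125): avc: denied { ioctl } for pid=18264 comm="smartd" path="/dev/twa0" dev=tmpfs ino=7729 scontext=user_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
""".splitlines()

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def se_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    rules = defaultdict(lambda: {"perms": set(), "objects": {}})
    for rec in filter(None, map(parse_avc, lines)):
        if not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # truncated record, nothing to group on
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
        rules[key]["perms"].update(rec["perms"])
        # Identify the object by (dev, ino): some records carry only name=,
        # not the full path=. Prefer the full path when any record has it.
        obj = (rec.get("dev"), rec.get("ino"))
        label = rec.get("path") or rules[key]["objects"].get(obj) or rec.get("name")
        rules[key]["objects"][obj] = label
    return dict(rules)

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(info['perms']))} }}",
              sorted(info["objects"].values()))
```

Run against the sample, every denial collapses to one group: fsdaemon_t acting on a device_t chr_file, all on the same inode, which is the label mismatch the relabel addresses.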
