[DSE-Dev] Bug#720631: selinux-policy-default: smartd cannot access /var/lib/smartmontools
Marius Gavrilescu
marius at ieval.ro
Sat Aug 24 07:26:06 UTC 2013
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal
Tags: patch
Relevant AVCs:
type=AVC msg=audit(1377282410.341:122237): avc: denied { append } for pid=27404 comm="smartd" name="attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1377282410.341:122237): avc: denied { open } for pid=27404 comm="smartd" name="attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1377282410.341:122237): arch=c000003e syscall=2 success=yes exit=3 a0=7cb1a8 a1=441 a2=1b6 a3=1 items=1 ppid=1 pid=27404 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=68253 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=CWD msg=audit(1377282410.341:122237): cwd="/"
type=PATH msg=audit(1377282410.341:122237): item=0 name="/var/lib/smartmontools/attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" inode=29101470 dev=08:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
type=AVC msg=audit(1377282410.341:122238): avc: denied { getattr } for pid=27404 comm="smartd" path="/var/lib/smartmontools/attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
audit2allow says:
#============= fsdaemon_t ==============
#!!!! The source type 'fsdaemon_t' can write to a 'dir' of the following types:
# fsdaemon_var_run_t, fsdaemon_tmp_t, tmp_t, var_run_t
allow fsdaemon_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'fsdaemon_t' can write to a 'file' of the following types:
# fsdaemon_var_run_t, fsdaemon_tmp_t
allow fsdaemon_t var_lib_t:file { rename write getattr create unlink open append };
An untested quilt patch is attached.
-- System Information:
Debian Release: 7.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-7.1
ii libselinux1 2.1.9-5
ii libsepol1 2.1.4-3
ii policycoreutils 2.1.10-9
ii python 2.7.3-4
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.1.8-2
ii setools 3.3.7-3
Versions of packages selinux-policy-default suggests:
ii logcheck 1.3.15
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
/etc/selinux/default/modules/semanage.read.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.read.LOCK'
/etc/selinux/default/modules/semanage.trans.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.trans.LOCK'
-- debconf-show failed
--
Marius Gavrilescu
(main) Style used to be an interaction between the human soul and tools that were limiting. In the digital era, it will have to come from the soul alone
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0350-Let-smartmontools-access-its-var-lib-directory.patch
Type: text/x-diff
Size: 1028 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20130824/add5558f/attachment.patch>
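Added example, not part of the original report and not audit2allow's own code: a minimal Python parser that groups the quoted AVC denials into allow rules the way audit2allow does, and uses the shared audit serial to check whether each denial was actually enforced. The sample log is trimmed from the records in the report, and the function and variable names are this example's own; because it reads only the three denials quoted, its rule lists fewer permissions than the audit2allow output in the report.

```python
import re
from collections import defaultdict

# Constructed sample: records from the report above, trimmed to the fields the
# parser reads (the attrlog file name is shortened to attrlog.csv).
SAMPLE = """\
type=AVC msg=audit(1377282410.341:122237): avc: denied { append } for pid=27404 comm="smartd" name="attrlog.csv" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1377282410.341:122237): avc: denied { open } for pid=27404 comm="smartd" name="attrlog.csv" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1377282410.341:122237): arch=c000003e syscall=2 success=yes exit=3 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s0
type=AVC msg=audit(1377282410.341:122238): avc: denied { getattr } for pid=27404 comm="smartd" path="/var/lib/smartmontools/attrlog.csv" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

HEAD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\):")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SUCCESS_RE = re.compile(r"\bsuccess=(yes|no)\b")


def se_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def analyze(log_text):
    """Return (rules, outcome) for the AVC denials in log_text."""
    perms = defaultdict(set)   # (source type, target type, class) -> permissions
    syscall_ok = {}            # audit serial -> did the system call succeed?
    denied_serials = []
    for line in log_text.splitlines():
        head = HEAD_RE.match(line)
        if head is None:
            continue
        record, serial = head.groups()
        if record == "SYSCALL" and (ok := SUCCESS_RE.search(line)):
            syscall_ok[serial] = ok.group(1) == "yes"
        elif record == "AVC" and (avc := AVC_RE.search(line)):
            denied, scon, tcon, tclass = avc.groups()
            perms[(se_type(scon), se_type(tcon), tclass)].update(denied.split())
            denied_serials.append(serial)
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(perms.items())]
    # Records of one event share a serial. A denial whose system call still
    # succeeded was logged but not enforced (permissive mode or domain).
    outcome = {}
    for serial in denied_serials:
        if serial not in syscall_ok:
            outcome[serial] = "unknown"   # no SYSCALL record in the excerpt
        else:
            outcome[serial] = "not enforced" if syscall_ok[serial] else "enforced"
    return rules, outcome
```

For event 122237 the SYSCALL record reports success=yes next to the denial, so the open went through and the AVC was only logged; event 122238 has no SYSCALL record in the excerpt, so its outcome cannot be determined from it.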