Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal
Tags: patch
Relevant AVCs:

type=AVC msg=audit(1377282410.341:122237): avc: denied { append } for pid=27404 comm="smartd" name="attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1377282410.341:122237): avc: denied { open } for pid=27404 comm="smartd" name="attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1377282410.341:122237): arch=c000003e syscall=2 success=yes exit=3 a0=7cb1a8 a1=441 a2=1b6 a3=1 items=1 ppid=1 pid=27404 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=68253 comm="smartd" exe="/usr/sbin/smartd" subj=system_u:system_r:fsdaemon_t:s0 key=(null)
type=CWD msg=audit(1377282410.341:122237): cwd="/"
type=PATH msg=audit(1377282410.341:122237): item=0 name="/var/lib/smartmontools/attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" inode=29101470 dev=08:01 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
type=AVC msg=audit(1377282410.341:122238): avc: denied { getattr } for pid=27404 comm="smartd" path="/var/lib/smartmontools/attrlog.Hitachi_HCS5C1050CLA382-JC0550HV2S8DGH.ata.csv" dev=sda1 ino=29101470 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

audit2allow says:

#============= fsdaemon_t ==============
#!!!! The source type 'fsdaemon_t' can write to a 'dir' of the following types:
# fsdaemon_var_run_t, fsdaemon_tmp_t, tmp_t, var_run_t

allow fsdaemon_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'fsdaemon_t' can write to a 'file' of the following types:
# fsdaemon_var_run_t, fsdaemon_tmp_t

allow fsdaemon_t var_lib_t:file { rename write getattr create unlink open append };

An untested quilt patch is attached.

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
ii  logcheck        1.3.15
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
/etc/selinux/default/modules/semanage.read.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.read.LOCK'
/etc/selinux/default/modules/semanage.trans.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.trans.LOCK'

-- debconf-show failed

--
Marius Gavrilescu (main)
Style used to be an interaction between the human soul and tools that were limiting. In the digital era, it will have to come from the soul alone

--- a/policy/modules/services/smartmon.fc +++ b/policy/modules/services/smartmon.fc @@ -9,4 +9,4 @@ # /var # /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) - +/var/lib/smartmontools(|/.*) -- gen_context(system_u:object_r:fsdaemon_var_lib_t,s0) --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -26,6 +26,9 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) +type fsdaemon_var_lib_t; +files_type(fsdaemon_var_lib_t); + ifdef(`enable_mls',` init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) ') @@ -48,6 +51,9 @@ manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) +manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) +manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) + manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
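
Review bot: In the smartmon.fc hunk, the new entry carries the `--` file-type specifier, which restricts it to regular files, so the directory /var/lib/smartmontools itself keeps var_lib_t. The audit2allow output in the report asks for write, add_name and remove_name on var_lib_t:dir, and the manage_dirs_pattern and manage_files_pattern rules added to smartmon.te only cover fsdaemon_var_lib_t, so creating, renaming or unlinking attrlog files in that directory would still be denied. Suggest dropping `--` so the directory and its contents are both labelled, and writing the path in the usual form: `/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)`. The PATH record shows the existing attrlog file labelled var_lib_t, so the directory also needs a relabel (for example restorecon -R /var/lib/smartmontools) once the new context is installed.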
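
Review bot: `files_type(fsdaemon_var_lib_t);` in the type declaration hunk of smartmon.te (@@ -26,6 +26,9 @@) ends in a semicolon, unlike the interface call in the context line directly above it, `files_tmp_file(fsdaemon_tmp_t)`. Drop the semicolon so the call matches the rest of the file, and check that the module still builds, since the report describes the patch as untested.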
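
Review bot: The rules hunk of smartmon.te (@@ -48,6 +51,9 @@) grants fsdaemon_t manage access to fsdaemon_var_lib_t but, unlike the tmp and pid blocks in its context lines (`files_tmp_filetrans`, `files_pid_filetrans`), adds no type transition. New files therefore get fsdaemon_var_lib_t only by inheriting it from a correctly labelled /var/lib/smartmontools directory, which the smartmon.fc entry as written does not label. Either fix the file context so the directory is covered, or add a transition here such as `files_var_lib_filetrans(fsdaemon_t, fsdaemon_var_lib_t, { file dir })`. Before merging, confirm with the module loaded in enforcing mode that the append, open and getattr denials from the report no longer occur.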