stable

smartmontools-7.2-10.fc33

FEDORA-2021-29bd7c851f created by mhlavink 3 years ago for Fedora 33

update selinux policy for NVMe devices

Reboot Required
After installing this update, reboot your system to ensure the changes it supplies are applied properly.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2021-29bd7c851f

This update has been submitted for testing by mhlavink.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
gtwilliams commented & provided feedback 3 years ago

Daemon (re)starts successfully, but bug is still present.

BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.

This update has been pushed to testing.

3 years ago

mhlavink edited this update.

3 years ago
mandree commented & provided feedback 3 years ago

Update including smartmontools-selinux does not fix the bug on Fedora 33.

$ rpm -qa smartmontools*
smartmontools-7.2-9.fc33.x86_64
smartmontools-selinux-7.2-9.fc33.noarch

$ systemctl restart smartd
... open se troubleshooter:

Additional Information:
Source Context        system_u:system_r:fsdaemon_t:s0
Target Context        system_u:object_r:nvme_device_t:s0
Target Objects        /dev/nvme0 [ chr_file ]
Source                smartd
Source Path           smartd
Port                  <Unbekannt>
Host                  (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM    selinux-policy-targeted-3.14.6-39.fc33.noarch
Local Policy RPM      smartmontools-selinux-7.2-9.fc33.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 5.13.9-100.fc33.x86_64 #1 SMP Mon Aug 9 12:04:50 UTC 2021 x86_64 x86_64
Alert Count           5
First Seen            2021-08-18 18:21:40 CEST
Last Seen             2021-08-19 12:38:12 CEST
Local ID              017c8780-b33a-44e1-a91a-f3796dff268f

Raw Audit Messages
type=AVC msg=audit(1629369492.549:154347): avc: denied { open } for pid=576249 comm="smartd" path="/dev/nvme0" dev="devtmpfs" ino=328 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0

BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.
ralston commented & provided feedback 3 years ago

What @mandree said: while the update is functional, it doesn’t resolve the SELinux issues. If I update to smartmontools-selinux-7.2-9.fc33, and then disable my custom smartmon-bz1990463 SELinux module, the same avc denials return.

BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.

mhlavink edited this update.

New build(s):

  • smartmontools-7.2-10.fc33

Removed build(s):

  • smartmontools-7.2-9.fc33

Karma has been reset.

3 years ago

This update has been submitted for testing by mhlavink.

3 years ago
gtwilliams commented & provided feedback 3 years ago

This update eliminated the selinux bug. Thank you.

BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.
mandree commented & provided feedback 3 years ago

smartmontools-7.2-10.fc33 seems to fare better for me on F33. No more setroubleshooter notifications on systemctl restart smartd

BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.

This update has been pushed to testing.

3 years ago

This update can be pushed to stable now if the maintainer wishes

3 years ago

This update has been submitted for stable by bodhi.

3 years ago

This update has been pushed to stable.

3 years ago

Metadata
Type: bugfix
Karma: 3
Signed
Content Type: RPM
Test Gating
Autopush Settings
  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: disabled
Dates
  submitted: 3 years ago
  in testing: 3 years ago
  in stable: 3 years ago
  modified: 3 years ago
BZ#1990463 SELinux is preventing smartd from getattr access on the chr_file /dev/nvme1.