Monitoring disk storage labeled with svirt_image_t
Dominick Grift
dominick.grift at gmail.com
Fri Nov 15 15:16:26 UTC 2013
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
>
> This is a CentOS server and it was not sufficient, as it seemed.
> Applied the policy but AVC denials didn't stop...
>
> Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing
> /usr/bin/perl from getattr access on the blk_file /dev/dm-3. For
> complete SELinux messages. run sealert -l
> 2b08f291-13be-4b09-878a-96cccc4c336d
>
> When I use audit2allow a second time (grep on a fresh rotated audit.log file)
> I get this:
> --------------------------------
> # cat diskwatch-pol2.te
>
> module diskwatch-pol2 1.0;
>
> require {
> type svirt_image_t;
> type munin_disk_plugin_t;
> class blk_file getattr;
> }
>
> #============= munin_disk_plugin_t ==============
>
> #!!!! This avc is a constraint violation. You will need to add an
> attribute to either the source or target type to make it work.
> #Contraint rule:
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
>
> --------------------------------
>
> How can I solve the issue?
See if this additional module does the trick:
# write a small policy module that makes munin_disk_plugin_t MCS-trusted for reads
# (the backtick is escaped because the heredoc delimiter is unquoted)
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
# build with the refpolicy development Makefile and load the resulting module
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
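As an added illustration (not part of this thread), the following Python evaluates the refpolicy MCS read constraint that audit2allow flags above, for the general case of any subject and object context: getattr/read on a blk_file passes only when the subject's high category set dominates (is a superset of) the object's, or when the subject type carries the mcsreadall attribute that mcs_file_read_all() assigns. The contexts used are constructed sample values, not taken from the server in the thread.

```python
"""Evaluate the MCS read constraint for a subject/object context pair.

refpolicy's mcs constraint (policy/mcs) for {file blk_file ...} is roughly:
    mlsconstrain ... { read getattr execute }
        (( h1 dom h2 ) or ( t1 == mcsreadall ));
h1/h2 are the high MCS levels of the subject and object. With MCS the
sensitivity is always s0, so dominance reduces to a category-superset check.
"""
import re

CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")   # 'c12' or a range 'c0.c1023'


def parse_categories(context: str) -> set:
    """Return the category set of the high level of an SELinux context.

    Handles 's0', 's0:c12,c345', and ranges such as 's0-s0:c0.c1023'.
    """
    fields = context.split(":", 3)            # user:role:type:level
    if len(fields) < 4:
        return set()                          # no level at all
    high = fields[3].split("-")[-1]           # high end of a 'low-high' range
    cats = set()
    if ":" not in high:
        return cats                           # sensitivity only, e.g. 's0'
    for part in high.split(":", 1)[1].split(","):
        m = CAT_RE.fullmatch(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        cats.update(range(lo, hi + 1))
    return cats


def mcs_read_allowed(subject_ctx: str, object_ctx: str,
                     subject_attrs=frozenset()) -> bool:
    """True if the MCS read/getattr constraint is satisfied."""
    if "mcsreadall" in subject_attrs:         # what mcs_file_read_all() grants
        return True
    return parse_categories(subject_ctx) >= parse_categories(object_ctx)


if __name__ == "__main__":
    # constructed sample contexts: munin plugin runs at plain s0, the
    # libvirt-labelled block device carries a per-guest category pair
    munin = "system_u:system_r:munin_disk_plugin_t:s0"
    disk = "system_u:object_r:svirt_image_t:s0:c12,c345"
    print("plain allow rule only:", mcs_read_allowed(munin, disk))      # False
    print("with mcsreadall:", mcs_read_allowed(munin, disk, {"mcsreadall"}))  # True
```

Run it with the labels from `ps -eZ` and `ls -Z /dev/dm-*` on the affected host to see why the audit2allow `allow` rule alone could not satisfy the denial.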