Allow collectd read raw fixed disk device

Required by the collectd-smart plugin. The commit addresses the following AVC denial: type=PROCTITLE msg=audit(11/22/2023 14:01:33.902:296) : proctitle=/usr/sbin/collectd type=PATH msg=audit(11/22/2023 14:01:33.902:296) : item=0 name=/dev/nvme1n1 inode=511 dev=00:05 mode=block,660 ouid=root ogid=disk rdev=103:03 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(11/22/2023 14:01:33.902:296) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f727c0137d0 a2=O_RDWR a3=0x0 items=1 ppid=1 pid=1598 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reader#4 exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null) type=AVC msg=audit(11/22/2023 14:01:33.902:296) : avc: denied { read write } for pid=1598 comm=reader#4 name=nvme1n1 dev="devtmpfs" ino=511 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0 Resolves: rhbz#2249257
zpytela · Nov 27, 2023 · e977b0c · e977b0c
1 parent 4976607
commit e977b0c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/policy/modules/contrib/collectd.te b/policy/modules/contrib/collectd.te
@@ -100,6 +100,8 @@ init_read_utmp(collectd_t)
 
 logging_send_syslog_msg(collectd_t)
 
+storage_raw_read_fixed_disk_blk_device(collectd_t)
+
 sysnet_dns_name_resolve(collectd_t)
 
 tunable_policy(`use_ecryptfs_home_dirs',`

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
@@ -103,6 +103,30 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 	dontaudit $1 fixed_disk_device_t:blk_file setattr;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to directly read from a fixed disk device.
+##	This is extremly dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_read_fixed_disk_blk_device',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		type fixed_disk_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly read from a fixed disk.