SELinux is preventing /usr/sbin/smartd from read access on the chr_file nvme0

Solution Verified

Issue

  • The smartd service is being blocked by SELinux from accessing NVMe devices.
  • Using ausearch to search the AVC records, it is possible to see several messages related to SELinux denying access to the chr_file for the NVMe device:

    $ sudo ausearch -i -m AVC -ts boot | grep -i denied
    
    [...]
    type=SYSCALL msg=audit(11-11-2021 11:59:41.611:7284) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x55a3618d9af8 a1=O_RDONLY|O_NONBLOCK a2=0x55a3618fd478 a3=0x55a35fab2dd0 items=0 ppid=1 pid=31172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smartd exe=/usr/sbin/smartd subj=system_u:system_r:fsdaemon_t:s0 key=(null)
    type=AVC msg=audit(11-11-2021 11:59:41.611:7284) : avc:  denied  { read } for  pid=31172 comm=smartd name=nvme0 dev="devtmpfs" ino=13427 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
    type=SYSCALL msg=audit(11-11-2021 12:29:42.025:7396) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x55a3618d9af8 a1=O_RDONLY|O_NONBLOCK a2=0x55a3618fd478 a3=0x55a35fab2dd0 items=0 ppid=1 pid=31172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smartd exe=/usr/sbin/smartd subj=system_u:system_r:fsdaemon_t:s0 key=(null)
    type=AVC msg=audit(11-11-2021 12:29:42.025:7396) : avc:  denied  { read } for  pid=31172 comm=smartd name=nvme0 dev="devtmpfs" ino=13427 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
    [...]
    
  • The audit.log file shows the same denials in raw (non-interpreted) form:

    $ sudo grep -i denied /var/log/audit/audit.log
    
    [...]
    type=AVC msg=audit(1636642781.611:7284): avc:  denied  { read } for  pid=31172 comm="smartd" name="nvme0" dev="devtmpfs" ino=13427 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
    [...]
    
  • The audit2allow tool recommends creating a policy rule that allows the denied access, since it presents no harm to the system:

    $ sudo audit2allow -a
    
    [...]
    #============= fsdaemon_t ==============
    allow fsdaemon_t nvme_device_t:chr_file { ioctl open read };
    [...]
    
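The following script is an added example and is not part of the Red Hat solution; it shows how the `allow` rule printed by audit2allow above is derived from the AVC records, so that a generated rule can be checked against the raw denials before anything is loaded into the policy. It reads AVC lines on stdin (either the raw audit.log form or the interpreted `ausearch -i` form, since only the `scontext=`, `tcontext=`, `tclass=` fields and the `{ ... }` permission set are used), groups denials by source type, target type and object class, and prints one `allow` rule per group with the union of the denied permissions. The sample input is constructed: the first record is the page's audit.log line, the second is an assumed follow-up denial for `ioctl` and `open` so that the union reproduces the `{ ioctl open read }` rule shown above.

```sh
#!/bin/sh
# Constructed sample AVC records (not taken from a live system). The first
# line is the audit.log record shown on this page; the second is an assumed
# later denial of ioctl/open by the same smartd process on the same device.
SAMPLE_AVC='type=AVC msg=audit(1636642781.611:7284): avc:  denied  { read } for  pid=31172 comm="smartd" name="nvme0" dev="devtmpfs" ino=13427 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1636644582.025:7396): avc:  denied  { ioctl open } for  pid=31172 comm="smartd" name="nvme0" dev="devtmpfs" ino=13427 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=chr_file permissive=0'

# avc_to_allow_rules: read AVC denial records on stdin, print one
# "allow <src> <tgt>:<class> { perms };" line per (src, tgt, class) group.
# Only the type component (third field) of each security context is used,
# which is what audit2allow puts in the generated rule.
avc_to_allow_rules() {
  awk '/type=AVC/ && /denied/ {
         # The denied permission set sits between "{" and "}".
         perms = $0
         sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
         src = tgt = cls = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
           if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
           if ($i ~ /^tclass=/)   cls = substr($i, 8)
         }
         if (src == "" || tgt == "" || cls == "") next
         # Emit one line per denied permission; sort -u below de-duplicates.
         n = split(perms, p, " ")
         for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
       }' |
  sort -u |
  awk '{ key = $1 " " $2 ":" $3
         if (key != prev) {
           if (prev != "") print "allow " prev " { " acc " };"
           prev = key; acc = $4
         } else {
           acc = acc " " $4
         }
       }
       END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
```

On a real host the input would come from `ausearch -m AVC -ts boot` or `grep 'type=AVC' /var/log/audit/audit.log`, and the output can be compared line by line with `audit2allow -a`. The point of doing this by hand is review: every rule should name exactly the source domain, target type and object class that appear in the denials, and the permission set should not be wider than what the daemon was actually denied.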

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 7.9
