diff --git a/drivedb.h b/drivedb.h
index fd56cd5..76a1c1e 100644
--- a/drivedb.h
+++ b/drivedb.h
@@ -68,7 +68,7 @@
 /*
 const drive_settings builtin_knowndrives[] = {
 */
- { "VERSION: 7.2/5170 2021-01-17 16:11:20 $Id: drivedb.h 5171 2021-01-17 17:17:19Z chrfranke $",
+ { "VERSION: 7.2/5211 2021-03-08 18:07:28 $Id$",
 "-", "-",
 "Version information",
 ""
@@ -3675,12 +3675,13 @@ const drive_settings builtin_knowndrives[] = {
 "TOSHIBA MG03ACA[1234]00Y?",
 "", "", ""
 },
- { "Toshiba 3.5\" MD04ACA... Enterprise HDD", // tested with TOSHIBA MD04ACA500/FP1A
- "TOSHIBA MD04ACA[2345]00",
+ { "Toshiba MG04ACA... Enterprise HDD", // tested with TOSHIBA MD04ACA500/FP1A,
+ // TOSHIBA MG04ACA600A/FS2B, TOSHIBA MG04ACA400NY/FK5D (Dell)
+ "TOSHIBA MG04ACA[23456]00([AEN].?)?",
 "", "", ""
 },
- { "Toshiba 3.5\" MG04ACA... Enterprise HDD", // tested with TOSHIBA MG04ACA600A/FS2B
- "TOSHIBA MG04ACA[23456]00[AE].?",
+ { "Toshiba MG05ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG05ACA800E/GX2A
+ "TOSHIBA MG05ACA800[AE]",
 "", "", ""
 },
 { "Toshiba MG06ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG06ACA800E/4303,
@@ -3694,6 +3695,12 @@ const drive_settings builtin_knowndrives[] = {
 "-v 23,raw48,Helium_Condition_Lower "
 "-v 24,raw48,Helium_Condition_Upper"
 },
+ { "Toshiba MG08ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG08ACA16TE/0102
+ "TOSHIBA MG08ACA16T[AE]Y?",
+ "", "",
+ "-v 23,raw48,Helium_Condition_Lower "
+ "-v 24,raw48,Helium_Condition_Upper"
+ },
 { "Toshiba 3.5\" DT01ABA... Desktop HDD", // tested with TOSHIBA DT01ABA300/MZ6OABB0
 "TOSHIBA DT01ABA(100|150|200|300)",
 "", "", ""
@@ -3703,14 +3710,27 @@ const drive_settings builtin_knowndrives[] = {
 "TOSHIBA DT01ACA(025|032|050|075|100|150|200|300)",
 "", "", ""
 },
- { "Toshiba X300", // tested with TOSHIBA HDWE160/FS2A
- "TOSHIBA HDWE1[456]0",
+ { "Toshiba N300 NAS HDD", // tested with TOSHIBA HDWQ140/FJ1M, TOSHIBA HDWN180/GX2M,
+ // TOSHIBA HDWN160/FS1M, TOSHIBA HDWG11A/0603, TOSHIBA HDWG21C/0601, TOSHIBA HDWG21E/0601
+ "TOSHIBA HDW([GNQ]1[468]0|G(11A|21[CE]|31G))", // 11A:10TB, 21C:12TB, 21E:14TB, 31G: 16TB
+ "", "",
+ "-v 23,raw48,Helium_Condition_Lower " // ] >= 12TB
+ "-v 24,raw48,Helium_Condition_Upper" // ]
+ },
+ { "Toshiba P300 (CMR)", // tested with TOSHIBA HDWD120/MX4OACF0
+ "TOSHIBA HDWD1(05|10|20|30)",
 "", "", ""
 },
- { "Toshiba P300", // tested with TOSHIBA HDWD120/MX4OACF0
- "TOSHIBA HDWD1(30|20|10|05)",
+ { "Toshiba P300 (SMR)", // tested with TOSHIBA HDWD240/KQ000A
+ "TOSHIBA HDWD2[246]0",
 "", "", ""
 },
+ { "Toshiba X300", // tested with TOSHIBA HDWE160/FS2A, TOSHIBA HDWF180/GX0B
+ "TOSHIBA HDW(E1[456]0|[FR]180|R(11A|21[CE]|31G))", // 11A:10TB, 21C:12TB, 21E:14TB, 31G: 16TB
+ "", "",
+ "-v 23,raw48,Helium_Condition_Lower " // ] >= 12TB
+ "-v 24,raw48,Helium_Condition_Upper" // ]
+ },
 { "Toshiba L200 (CMR)",
 "TOSHIBA HDW[JK]1(05|10)",
 "", "", ""
diff --git a/selinux_smartmon.fc b/selinux_smartmon.fc
new file mode 100644
index 0000000..36e908f
--- /dev/null
+++ b/selinux_smartmon.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/(smartd|smartmontools) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
+/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
diff --git a/selinux_smartmon.if b/selinux_smartmon.if
new file mode 100644
index 0000000..ea347cc
--- /dev/null
+++ b/selinux_smartmon.if
@@ -0,0 +1,65 @@ +## Smart disk monitoring daemon. + +####################################### +## +## Read smartmon temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`smartmon_read_tmp_files',` + gen_require(` + type fsdaemon_tmp_t; + ') + + files_search_tmp($1) + allow $1 fsdaemon_tmp_t:file read_file_perms; +') + +######################################## +## +## All of the rules required to +## administrate an smartmon environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`smartmon_admin',` + gen_require(` + type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; + type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; + ') + + allow $1 fsdaemon_t:process signal_perms; + ps_process_pattern($1, fsdaemon_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 fsdaemon_t:process ptrace; + ') + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, fsdaemon_tmp_t) + + files_list_pids($1) + admin_pattern($1, fsdaemon_var_run_t) + + files_list_var_lib($1) + admin_pattern($1, fsdaemon_var_lib_t) +') diff --git a/selinux_smartmon.te b/selinux_smartmon.te new file mode 100644 index 0000000..1d806ce --- /dev/null +++ b/selinux_smartmon.te @@ -0,0 +1,139 @@ +policy_module(smartmon, 1.12.0) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether smartmon can support +## devices on 3ware controllers. +##

+##
+gen_tunable(smartmon_3ware, false) + +type fsdaemon_t; +type fsdaemon_exec_t; +init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) + +type fsdaemon_initrc_exec_t; +init_script_file(fsdaemon_initrc_exec_t) + +type fsdaemon_var_run_t; +files_pid_file(fsdaemon_var_run_t) + +type fsdaemon_var_lib_t; +files_type(fsdaemon_var_lib_t) + +type fsdaemon_tmp_t; +files_tmp_file(fsdaemon_tmp_t) + +ifdef(`enable_mls',` + init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) +') + +######################################## +# +# Local policy +# + +allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin }; +dontaudit fsdaemon_t self:capability sys_tty_config; +allow fsdaemon_t self:process { getcap setcap signal_perms }; +allow fsdaemon_t self:fifo_file rw_fifo_file_perms; +allow fsdaemon_t self:unix_stream_socket { accept listen }; + +manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) + +manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) +files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) + +manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) +manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) +files_var_lib_filetrans(fsdaemon_t, fsdaemon_var_lib_t, { dir file }) + +kernel_read_kernel_sysctls(fsdaemon_t) +kernel_read_network_state(fsdaemon_t) +kernel_read_software_raid_state(fsdaemon_t) +kernel_read_system_state(fsdaemon_t) + +auth_use_nsswitch(fsdaemon_t) + +corecmd_exec_all_executables(fsdaemon_t) + +corenet_all_recvfrom_netlabel(fsdaemon_t) +corenet_udp_sendrecv_generic_if(fsdaemon_t) +corenet_udp_sendrecv_generic_node(fsdaemon_t) +corenet_udp_sendrecv_all_ports(fsdaemon_t) + +dev_read_sysfs(fsdaemon_t) +dev_read_urand(fsdaemon_t) + +domain_use_interactive_fds(fsdaemon_t) + +files_exec_etc_files(fsdaemon_t) 
+files_read_etc_runtime_files(fsdaemon_t) + +fs_getattr_all_fs(fsdaemon_t) +fs_search_auto_mountpoints(fsdaemon_t) +fs_read_removable_files(fsdaemon_t) + +mls_file_read_all_levels(fsdaemon_t) + +storage_create_fixed_disk_dev(fsdaemon_t) +storage_dev_filetrans_named_fixed_disk(fsdaemon_t) +storage_raw_read_fixed_disk(fsdaemon_t) +storage_raw_write_fixed_disk(fsdaemon_t) +storage_raw_read_removable_device(fsdaemon_t) +storage_read_scsi_generic(fsdaemon_t) +storage_write_scsi_generic(fsdaemon_t) + +term_dontaudit_search_ptys(fsdaemon_t) + +domain_signull_all_domains(fsdaemon_t) + +auth_read_passwd(fsdaemon_t) + +init_read_utmp(fsdaemon_t) + +libs_exec_ld_so(fsdaemon_t) +libs_exec_lib_files(fsdaemon_t) + +logging_send_syslog_msg(fsdaemon_t) + +seutil_sigchld_newrole(fsdaemon_t) + +sysnet_dns_name_resolve(fsdaemon_t) + +userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) +userdom_dontaudit_search_user_home_dirs(fsdaemon_t) +userdom_dontaudit_manage_admin_dir(fsdaemon_t) +userdom_use_user_terminals(fsdaemon_t) + +tunable_policy(`smartmon_3ware',` + allow fsdaemon_t self:process setfscreate; + + storage_create_fixed_disk_dev(fsdaemon_t) + storage_delete_fixed_disk_dev(fsdaemon_t) + storage_dev_filetrans_fixed_disk(fsdaemon_t) + + selinux_validate_context(fsdaemon_t) + + seutil_read_file_contexts(fsdaemon_t) +') + +optional_policy(` + mta_send_mail(fsdaemon_t) + mta_manage_home_rw(fsdaemon_t) +') + +optional_policy(` + udev_read_db(fsdaemon_t) +') + +optional_policy(` + virt_read_images(fsdaemon_t) +') diff --git a/smartmontools.spec b/smartmontools.spec index aa2b954..af5895d 100644 --- a/smartmontools.spec +++ b/smartmontools.spec 
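Review bot: `storage_create_fixed_disk_dev(fsdaemon_t)` is granted unconditionally in the main policy and again inside `tunable_policy(`smartmon_3ware', ...)`, so turning the tunable off does not stop the daemon creating fixed-disk device nodes; either drop the unconditional call or add a comment naming the non-3ware controller that needs it. The domain also receives `corecmd_exec_all_executables`, `sys_admin`, `dac_override` and `storage_raw_write_fixed_disk`; a comment above the `allow fsdaemon_t self:capability ...` line naming the smartd feature behind each grant (presumably `-M exec` scripts and the SMART ioctls) would let a later reviewer trim the set without guessing. The types are named `fsdaemon_*` rather than `smartmon_*`, presumably to match labels the distribution policy already uses; if selinux-policy-targeted still ships a module declaring `fsdaemon_t`, loading this module will fail on the duplicate declaration, and nothing in the commit shows how that case is handled.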
@@ -1,7 +1,13 @@ +# defining macros needed by SELinux +%global with_selinux 1 +%global selinuxtype targeted +%global moduletype contrib +%global modulename smartmon + Summary: Tools for monitoring SMART capable hard disks Name: smartmontools Version: 7.2 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 1 License: GPLv2+ URL: http://smartmontools.sourceforge.net/ @@ -11,6 +17,9 @@ Source4: smartdnotify #semi-automatic update of drivedb.h %global UrlSource5 https://sourceforge.net/p/smartmontools/code/HEAD/tree/trunk/smartmontools/drivedb.h?format=raw Source5: drivedb.h +Source6: selinux_%{modulename}.te +Source7: selinux_%{modulename}.if +Source8: selinux_%{modulename}.fc #fedora/rhel specific Patch1: smartmontools-5.38-defaultconf.patch @@ -19,7 +28,11 @@ BuildRequires: make BuildRequires: gcc-c++ readline-devel ncurses-devel automake util-linux groff gettext BuildRequires: libselinux-devel libcap-ng-devel BuildRequires: systemd systemd-devel -%{?systemd_requires} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif %description The smartmontools package contains two utility programs (smartctl 
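Review bot: `%{?systemd_requires}` is deleted in the `@@ -19,7 +28,11 @@` hunk and nothing replaces it, while the changelog entry only mentions adding the selinux sub-package; if dropping it is intended (the 7.2-4 entry says the package was rebuilt for updated systemd-rpm-macros, which presumably make the line redundant), say so in the changelog, otherwise keep it above the new `%if 0%{?with_selinux}`. `%global moduletype contrib` in the first hunk is not referenced anywhere in the visible spec; either use it or drop it. In the new comment, `it’s dependencies` should read `its dependencies`.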
@@ -29,10 +42,31 @@ into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advanced warning of disk degradation and failure. +%if 0%{?with_selinux} +%package selinux +Summary: SELinux policies for smartmontools +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Custom SELinux policy module for smartmontools +%endif + %prep %setup -q %patch1 -p1 -b .defaultconf cp %{SOURCE5} . +%if 0%{?with_selinux} +mkdir selinux +for srcf in %{SOURCE6} %{SOURCE7} %{SOURCE8} +do + dstf=${srcf##*/selinux_} + cp -p $srcf $dstf +done +%endif %build autoreconf -i @@ -45,6 +79,12 @@ cp drivedb.h ../drivedb.h ||: %make_build CXXFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro,-z,now" +%if 0%{?with_selinux} +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif + + %install %make_install 
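Review bot: `mkdir selinux` in the `%prep` block creates a directory nothing uses — the loop copies each source to `$dstf` in the build directory, and `%build` then runs `make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp` from that same directory; drop the `mkdir` or copy into it and build there. `cp -p $srcf $dstf` leaves both variables unquoted; the values come from `%{SOURCE6}`..`%{SOURCE8}` so it is harmless today, but `cp -p "$srcf" "$dstf"` costs nothing. The `%build` hunk also adds two blank lines before `%install` where the rest of the file uses one.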
@@ -57,6 +97,34 @@ rm -rf $RPM_BUILD_ROOT/etc/{rc.d,init.d} rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name} mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} +%if 0%{?with_selinux} +install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%endif + +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +if [ "$1" -le "1" ]; then # First install + # the daemon needs to be restarted for the custom label to be applied + %systemd_postun_with_restart smartd.service +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + %selinux_relabel_post -s %{selinuxtype} + # the daemon needs to be restarted for the custom label to be removed + %systemd_postun_with_restart smartd.service +fi +%endif + %preun %systemd_preun smartd.service @@ -85,7 +153,14 @@ mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} %{_datadir}/%{name} %{_sharedstatedir}/%{name} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + %changelog +* Mon Apr 19 2021 Michal Hlavinka - 1:7.2-5 +- add selinux sub-package + * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1:7.2-4 - Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583. diff --git a/tests/tests-DSP.yaml b/tests/tests-DSP.yaml new file mode 100644 index 0000000..6e578fb --- /dev/null +++ b/tests/tests-DSP.yaml 
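Review bot: the `%postun selinux` branch guarded by `[ $1 -eq 0 ]` calls `%systemd_postun_with_restart smartd.service`, but as far as the systemd-rpm-macros definition goes that macro only acts when `$1 -ge 1` (it is written for upgrades), so on package removal the restart the comment promises never happens and smartd keeps running under the removed label; replace it there with `systemctl try-restart smartd.service >/dev/null 2>&1 || :`. Using the same macro from `%post selinux` behind `[ "$1" -le "1" ]` does fire on first install, but a comment should say it is deliberately borrowing a postun macro for that. `%postun` tests `$1` unquoted while `%post` quotes it, and `install -D ... %{buildroot}` in the `%install` hunk mixes `%{buildroot}` with the `$RPM_BUILD_ROOT` used on the surrounding lines; pick one form in each case.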
@@ -0,0 +1,38 @@ +- hosts: localhost + + roles: + - role: standard-test-beakerlib + tags: + - classic + repositories: + - repo: https://pagure.io/DSP_test.git + dest: DSP_test + version: master + + tests: + - DSP_test + environment: + # RPM package containing the policy module + TEST_RPM: smartmontools-selinux + # policy module name + TEST_POLICY: smartmon + # policy sources will be extracted from corresponding .src.rpm + # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz") + # or empty string if policy sources are not inside a tar archive + POLICY_TAR: '' + # path to policy sources (in of the tar archive) -- //.(te|if|fc) + # or path in the src.rpm if there is no tar archive -- //.(te|if|fc) + # can contain wildcards (e.g. for versions etc.) + POLICY_PATH: . + + required_packages: + - policycoreutils + - selinux-policy + - selinux-policy-targeted + - setools-console + - libselinux-utils + - rpm + - tar + - git + - smartmontools +
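Review bot: `version: master` checks out the `DSP_test` repository from pagure at whatever its branch head is when the test runs, so the test content is not reproducible and any change pushed to that repository lands in this package's CI unreviewed; pin it to a commit or tag (`version: <pinned-commit-id>`) and bump it deliberately. The `POLICY_PATH` comment lines read `-- //.(te|if|fc)`, which looks like placeholder text lost from the template; if the committed file really reads this way, fill in the intended pattern or drop the comment so it does not mislead.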