Red Hat Bugzilla – Attachment 316341 Details for
Bug 454893
SELinux is preventing qemu-kvm (qemu_t) "getattr" to /dev/mapper/vgcrypt-f932 (fixed_disk_device_t).
New sealert message for this avc.
sealert.html (text/html), 4.59 KB, created by
Daniel Walsh
on 2008-09-10 18:04:46 UTC
<table bgcolor=#FFFFFF><tr><td>
<table width="100%" cellspacing="1" cellpadding="1">
<tr bgcolor="000000"><td><font color="#FFFFFF">Summary</font></td></tr>
<tr><td><font color="000000">
SELinux is preventing qemu (qemu-kvm) "read" to HelpdeskRHEL4-RHEL4.x86_64 (fixed_disk_device_t).
</font></td></tr>
<tr bgcolor="000000"><td><font color="#FFFFFF">Detailed Description</font></td></tr>
<tr><td><font color="000000">
SELinux denied qemu access to the block device HelpdeskRHEL4-RHEL4.x86_64.
If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel HelpdeskRHEL4-RHEL4.x86_64 to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64' to add this
new path to the system defaults. If you did not intend to use HelpdeskRHEL4-RHEL4.x86_64 as a qemu
image it could indicate either a bug or an intrusion attempt.
</font></td></tr>
<tr bgcolor="000000"><td><font color="#FFFFFF">Allowing Access</font></td></tr>
<tr><td><font color="000000">
You can alter the file context by executing chcon -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'"
</font></td></tr>
<tr bgcolor="000000"><td><font color="#FFFFFF">Fix Command</font></td></tr>
<tr><td><font color="000000">chcon -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'</font></td></tr>
<tr bgcolor="000000"><td><font color="#FFFFFF">Additional Information</font></td></tr>
<tr><td><font color="000000"></font></td></tr>
</table>
<table border="0" cellspacing="1" cellpadding="1">
<tr><td><font color="000000">Source Context: </td><td>system_u:system_r:qemu_t:s0</font></td></tr>
<tr><td><font color="000000">Target Context: </td><td>system_u:object_r:fixed_disk_device_t:s0</font></td></tr>
<tr><td><font color="000000">Target Objects: </td><td>HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]</font></td></tr>
<tr><td><font color="000000">Source: </td><td>qemu-kvm</font></td></tr>
<tr><td><font color="000000">Source Path: </td><td>/usr/bin/qemu-kvm</font></td></tr>
<tr><td><font color="000000">Port: </td><td><Unknown></font></td></tr>
<tr><td><font color="000000">Host: </td><td>dhcppc2</font></td></tr>
<tr><td><font color="000000">Source RPM Packages: </td><td>kvm-74-2.fc10</font></td></tr>
<tr><td><font color="000000">Target RPM Packages: </td><td></font></td></tr>
<tr><td><font color="000000">Policy RPM: </td><td>selinux-policy-3.5.7-1.fc10</font></td></tr>
<tr><td><font color="000000">Selinux Enabled: </td><td>True</font></td></tr>
<tr><td><font color="000000">Policy Type: </td><td>targeted</font></td></tr>
<tr><td><font color="000000">MLS Enabled: </td><td>True</font></td></tr>
<tr><td><font color="000000">Enforcing Mode: </td><td>Enforcing</font></td></tr>
<tr><td><font color="000000">Plugin Name: </td><td>qemu_blk_image</font></td></tr>
<tr><td><font color="000000">Host Name: </td><td>localhost.localdomain</font></td></tr>
<tr><td><font color="000000">Platform: </td><td>Linux localhost.localdomain 2.6.27-0.305.rc5.git6.fc10.x86_64 #1 SMP Thu Sep 4 21:42:09 EDT 2008 x86_64 x86_64</font></td></tr>
<tr><td><font color="000000">Alert Count: </td><td>1</font></td></tr>
<tr><td><font color="000000">First Seen: </td><td>Tue Jul 22 08:19:48 2008</font></td></tr>
<tr><td><font color="000000">Last Seen: </td><td>Tue Jul 22 08:19:48 2008</font></td></tr>
<tr><td><font color="000000">Local ID: </td><td>f327c428-a924-44f2-9fc2-29bb20fd51dc</font></td></tr>
<tr><td><font color="000000">Line Numbers: </td><td>1</font></td></tr>
</table><p>Raw Audit Messages :<br><br>
host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc: denied { read } for pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:241): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6f654680 a1=0 a2=1a4 a3=3342f67a70 items=0 ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
<br></td></tr></table>