Attachment 587322 Details for Bug 825942 – File: description

File: description

description (text/plain), 3.40 KB, created by Flos Lonicerae on 2012-05-29 07:18:09 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Flos Lonicerae

Created: 2012-05-29 07:18:09 UTC

Size: 3.40 KB

patch

obsolete

>SELinux is preventing /usr/bin/qemu-kvm from read, write access on the chr_file /dev/tap10.
>
>*****  Plugin restorecon (85.9 confidence) suggests  *************************
>
>If æ¨æ³è¦ä¿®å¤æ ç¾ã 
>/dev/tap10 é»è®¤æ ç¾åºä¸º tun_tap_device_tã
>Then æ¨å¯ä»¥è¿è¡ restoreconã
>Do
># /sbin/restorecon -v /dev/tap10
>
>*****  Plugin device (9.04 confidence) suggests  *****************************
>
>If you want to allow qemu-kvm to have read write access on the tap10 chr_file
>Then æ¨éè¦å° /dev/tap10 çæ ç¾æ¹ä¸ºç±»ä¼¼è®¾å¤ç±»åã
>Do
># semanage fcontext -a -t SIMILAR_TYPE '/dev/tap10'
># restorecon -v '/dev/tap10'
>
>*****  Plugin leaks (5.62 confidence) suggests  ******************************
>
>If æ¨æ³è¦å¿½ç¥ qemu-kvm å°è¯ read write è®¿é® tap10 chr_fileï¼å ä¸ºæ¨ç¡®å®å®ä¸åºéè¦è¿ä¸ªè®¿é®ã
>Then æ¨åºè¯¥å°è¿ä¸ªé®é¢ä½ä¸º bug æ¥åã 
>æ¨å¯ä»¥åå»ºæ¬å°çç¥æ¨¡åä¸å®¡æ ¸è¿ä¸ªè®¿é®ã
>Do
># grep /usr/bin/qemu-kvm /var/log/audit/audit.log | audit2allow -D -M mypol
># semodule -i mypol.pp
>
>*****  Plugin catchall (1.35 confidence) suggests  ***************************
>
>If æ¨ç¡®å®åºé»è®¤åè®¸ qemu-kvm read write è®¿é® tap10 chr_fileã
>Then æ¨åºè¯¥å°è¿ä¸ªæåµä½ä¸º bug æ¥åã
>æ¨å¯ä»¥çææ¬å°çç¥æ¨¡ååè®¸è¿ä¸ªè®¿é®ã
>Do
>è¯·æ§è¡ä»¥ä¸å½ä»¤æ¤æ¶åè®¸è¿ä¸ªè®¿é®ï¼
># grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:svirt_t:s0:c336,c648
>Target Context                system_u:object_r:device_t:s0
>Target Objects                /dev/tap10 [ chr_file ]
>Source                        qemu-kvm
>Source Path                   /usr/bin/qemu-kvm
>Port                          <æªç¥>
>Host                          (removed)
>Source RPM Packages           qemu-system-x86-0.15.1-4.fc16.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     (removed)
>Platform                      Linux dhcp-129-172.pek.redhat.com
>                              3.3.6-3.fc16.x86_64 #1 SMP Wed May 16 21:43:01 UTC
>                              2012 x86_64 x86_64
>Alert Count                   1
>First Seen                    2012å¹´05æ29æ¥ ææäº 15æ¶15å47ç§
>Last Seen                     2012å¹´05æ29æ¥ ææäº 15æ¶15å47ç§
>Local ID                      683448cb-9000-4156-b199-e16581315081
>
>Raw Audit Messages
>type=AVC msg=audit(1338275747.343:633): avc:  denied  { read write } for  pid=11250 comm="qemu-kvm" path="/dev/tap10" dev="devtmpfs" ino=569662 scontext=system_u:system_r:svirt_t:s0:c336,c648 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
>
>type=SYSCALL msg=audit(1338275747.343:633): arch=x86_64 syscall=execve success=yes exit=0 a0=7f6f3c0c2a80 a1=7f6f3c0c2be0 a2=7f6f3c0c22b0 a3=7f6f515c28f0 items=0 ppid=1 pid=11250 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c336,c648 key=(null)
>
>Hash: qemu-kvm,svirt_t,device_t,chr_file,read,write
>
>audit2allow
>
>#============= svirt_t ==============
>allow svirt_t device_t:chr_file { read write };
>
>audit2allow -R
>
>#============= svirt_t ==============
>allow svirt_t device_t:chr_file { read write };
>

Actions: View

Attachments on bug 825942: 587322