Bug 1101534
Summary: | [RFE] provide additional audit information when SELinux policy forbids file access | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | Vadim Rutkovsky <vrutkovs> |
Component: | libvirt | Assignee: | Virtualization Maintenance <virt-maint> |
Status: | CLOSED DEFERRED | QA Contact: | yafu <yafu> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.0 | CC: | berrange, dyuan, jdenemar, jsuchane, mbooth, mzhan, ptoscano, rjones, vrutkovs, xuzhang, yafu |
Target Milestone: | rc | Keywords: | FutureFeature, Reopened |
Target Release: | 8.0 | ||
Hardware: | x86_64 | ||
OS: | All | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: |
Cause:
Consequence:
Fix:
Result:
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-02-11 12:58:49 UTC | Type: | Feature Request |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 910269 |
Description
Vadim Rutkovsky
2014-05-27 12:46:12 UTC
The error is: Could not open backing file: Could not open '/data/gnome-continuous/images/current/gnome-continuous-x86_64-runtime.qcow2': Permission denied You've shown the permissions on this file, which look fine: $ ls -laZ /data/gnome-continuous/images/current/gnome-continuous-x86_64-runtime.qcow2 -rw-r--r--. cloud-user cloud-user system_u:object_r:virt_content_t:s0 /data/gnome-continuous/images/current/gnome-continuous-x86_64-runtime.qcow2 You'll have to check all the parent directories too: ls -ldZ /data/gnome-continuous/images/current ls -ldZ /data/gnome-continuous/images [etc] Also (unfortunately) qemu likes to open disk images with O_RDWR even if it is only going to read them, so you probably need to check for write permission too, at least on the enclosing directory. [cloud-user@continuous-vrutkovs gnome-continuous]$ ls -ldZ /data/gnome-continuous/images/current lrwxrwxrwx. cloud-user cloud-user unconfined_u:object_r:httpd_sys_content_t:s0 /data/gnome-continuous/images/current -> 20140526.13 [cloud-user@continuous-vrutkovs gnome-continuous]$ ls -ldZ /data/gnome-continuous/images drwxrwxrwx. cloud-user cloud-user unconfined_u:object_r:httpd_sys_content_t:s0 /data/gnome-continuous/images [cloud-user@continuous-vrutkovs gnome-continuous]$ ls -ldZ /data/gnome-continuous/ drwxrwxr-x. cloud-user cloud-user unconfined_u:object_r:httpd_sys_content_t:s0 /data/gnome-continuous/ [cloud-user@continuous-vrutkovs gnome-continuous]$ ls -ldZ /data drwxr-xr-x. cloud-user cloud-user system_u:object_r:httpd_sys_content_t:s0 /data [cloud-user@continuous-vrutkovs gnome-continuous]$ ls -ldZ /data/gnome-continuous/images/20140526.13 drwxrwxr-x. cloud-user cloud-user unconfined_u:object_r:httpd_sys_content_t:s0 /data/gnome-continuous/images/20140526.13 chmodding a+w to dirs dirs didn't help. Is it possible that it happens due to the fact that '/images/current' is a symlink? Oops, my fault, adding a proper SELinux label fixed it: sudo chcon -v -R --type=virt_content_t /data/gnome-continuous/images/ (In reply to Vadim Rutkovsky from comment #3) > Oops, my fault, adding a proper SELinux label fixed it: > sudo chcon -v -R --type=virt_content_t /data/gnome-continuous/images/ Hmm, this is yet another catch with sVirt labelling. Shouldn't libvirt be labelling this directory? >Shouldn't libvirt be labelling this directory?
FYI I created it manually, as for gnome-continuous I create the dir manually and ran the commands straight out of it, without updating any libvirtd config
Libvirt labels everything that qemu will touch, in order for sVirt (SELinux) to work. However I don't know if it labels parent directories of objects (or if it doesn't but should). Let's see what the response is from the libvirt team. Libvirt does not label parent directories (except for those it creates itself) and I think that's the right way. Default paths are labeled automatically by the default selinux-policy but labeling non-default paths is up to the user who decides to use such paths. The same applies across the whole system, if anyone wants to store, e.g., web pages in a non-default path, they have to label that path too. I'm going to reopen this BZ as an RFE to provide additional audit information where possible and appropriate (i.e., no information leakage) to enable easier debugging of this situation. FYI one idea was to try and involve the systemd journal. Every QEMU guest now has a transient systemd machine unit associated with it. IIUC, kernel AVC audit messages generated by a process should be associated with the systemd unit containing the process. IOW, the systemd machine unit holding QEMU should be associated with any AVCs QEMU causes. So libvirt could query the journald to find out if QEMU created AVCs. This could be used to improve libvirts error message to the user, or perhaps add a libvirt public API which an app can use to extract the log message(s) and report them to the user, along with the current plain error message. (In reply to Daniel Berrange from comment #9) When should this happen? When the machine quits (w or w/o errors)? I assume sd_journal_open() would help with that and we would append the data to the domain's logfile or to error mesage, right? If the machine quits with an error at startup, it would be desirable to try and get the error message libvirt raises augmented with AVCs (if selinux is enforcing). I wouldn't append them to the logfile though - that'd just be copying from the structured journal log to the unstructed qemu log which seems like a backwards step to me. I think it is probably about time we adding an API for reading the VM logs eg virDomainOpenLog(virDomainPtr dom, unsigned int flags) and have two flags VIR_DOMAIN_LOG_EMULATOR, VIR_DOMAIN_LOG_KERNEL (or _HYPERVISOR perhaps ? ) to switch betweeen returning data from /var/log/libvirt/qemu/$GUEST.log and from systemd journal. This bug was closed deferred as a result of bug triage. Please reopen if you disagree and provide justification why this bug should get enough priority. Most important would be information about impact on customer or layered product. Please indicate requested target release. |