Description (autarch princeps, 2015-07-23 19:14:36 UTC)
Description of problem:
SELinux is preventing systemd-logind from 'setattr' accesses on the blk_file sr0.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-logind should be allowed setattr access on the sr0 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:systemd_logind_t:s0
Target Context system_u:object_r:virt_content_t:s0
Target Objects sr0 [ blk_file ]
Source systemd-logind
Source Path systemd-logind
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 4.0.7-300.fc22.x86_64 #1 SMP Mon Jun 29 22:15:06 UTC 2015 x86_64 x86_64
Alert Count 3
First Seen 2015-07-14 16:38:09 CEST
Last Seen 2015-07-14 16:38:29 CEST
Local ID 61790096-5a22-4990-80b8-8d2be7240de3
Raw Audit Messages
type=AVC msg=audit(1436884709.122:1474): avc: denied { setattr } for pid=755 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=12296 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file permissive=1
Hash: systemd-logind,systemd_logind_t,virt_content_t,blk_file,setattr
Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch
Additional info:
reporter: libreport-2.6.1
hashmarkername: setroubleshoot
kernel: 4.1.2-200.fc22.x86_64
type: libreport
Potential duplicate: bug 824137
What's happening here is libvirt is labelling /dev/sr0 as virt_content_t, which conflicts with logind labeling.
The proper fix IMO is for libvirt to not change the label for readonly disk images, if it's already labelled in such a way that we can already access it. I previously outlined this on the upstream mailing list:
https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html
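As an added example (not from the reporter, the commenter, or setroubleshoot), a small Python triage helper that parses the raw AVC record above and classifies it as a label conflict on the device rather than a missing policy rule, so the audit2allow module suggested by the catchall plugin is not installed blindly. The /dev/sr0 path for the restorecon dry run is assumed from the device name in the comment.

```python
import re

# Constructed copy of the raw AVC record quoted in this report; it is the only input used here.
AVC_LINE = (
    'type=AVC msg=audit(1436884709.122:1474): avc: denied { setattr } for pid=755 '
    'comm="systemd-logind" name="sr0" dev="devtmpfs" ino=12296 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file permissive=1'
)

# Object types that libvirt applies to guest media; virt_content_t is the one seen in this report.
LIBVIRT_MANAGED_TYPES = {"virt_content_t"}


def parse_avc(line):
    """Split one AVC record into its decision, permission list and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        return None
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def triage(rec):
    """Classify a denial: object mislabelled by another component vs. genuine policy gap."""
    if rec["decision"] != "denied":
        return {"kind": "not-a-denial"}
    if rec["ttype"] in LIBVIRT_MANAGED_TYPES and not rec["stype"].startswith("virt"):
        # A non-virt domain touched an object libvirt relabelled. The fix belongs on the
        # object's label; an audit2allow rule would grant this domain setattr on every
        # virt_content_t object and hide the real conflict.
        return {
            "kind": "label-conflict",
            "object": rec["name"],
            "check": "restorecon -nv /dev/%s" % rec["name"],  # dry run: shows the default label
            "avoid": "audit2allow -M mypol",
            "would_have_blocked": rec["enforced"],  # False here: the host was permissive
        }
    return {"kind": "policy-gap", "object": rec["name"], "would_have_blocked": rec["enforced"]}
```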