Bug 1301637

Summary: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file /var/db/nscd/group.
Product: Red Hat Enterprise Linux 7 Reporter: Pat Riehecky <riehecky>
Component: selinux-policyAssignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA QA Contact: Jan Zarsky <jzarsky>
Severity: low Docs Contact:
Priority: low    
Version: 7.2CC: jzarsky, lvrabec, mgrepl, mmalik, plautrba, pvrabec, riehecky, ssekidde, szidek
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-83.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1332116 (view as bug list) Environment:
Last Closed: 2016-11-04 02:40:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1332116    

Description Pat Riehecky 2016-01-25 15:11:04 UTC 
Description of problem:
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c11,c90
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                /var/db/nscd/group [ file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Platform                      Linux testify 3.10.0-327.4.4.el7.x86_64
                              #1 SMP Wed Jan 6 09:27:55 CST 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-25 08:58:52 CST
Last Seen                     2016-01-25 08:58:52 CST
Local ID                      4b4e54bd-7e5c-4967-8819-443bd0e8506a

Raw Audit Messages
type=AVC msg=audit(1453733932.598:22172): avc:  denied  { read } for  pid=2539 comm="qemu-kvm" path="/var/db/nscd/group" dev="sda3" ino=540812635 scontext=system_u:system_r:svirt_t:s0:c11,c90 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file


Version-Release number of selected component (if applicable):
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch

How reproducible:100%


Steps to Reproduce:
1.start nscd
2.run  /usr/libexec/qemu-kvm
3.

Actual results:
listed selinux error

Expected results:
no error

Additional info:
Comment 3 Miroslav Grepl 2016-02-12 06:17:55 UTC 
Pat,
are you able to reproduce it? Did it work correctly?
Comment 4 Pat Riehecky 2016-02-12 14:48:08 UTC 
qemu-kvm seems to work fine without the cached group information, but the logged selinux alert does add unexpected errors to the system logs.
Comment 13 errata-xmlrpc 2016-11-04 02:40:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html