Bug 451763
| Field | Value |
|---|---|
| Summary | SELinux is preventing qemu-kvm (qemu_t) "read" to ./RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t). |
| Product | [Fedora] Fedora |
| Component | python-virtinst |
| Version | 9 |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Hardware | All |
| OS | Linux |
| Reporter | Matěj Cepl <mcepl> |
| Assignee | Daniel Berrangé <berrange> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | crobinso, dwalsh, mcepl, ultimatetux |
| Keywords | SELinux |
| Doc Type | Bug Fix |
| Last Closed | 2008-11-25 14:38:32 UTC |

Description
Matěj Cepl
2008-06-17 08:41:31 UTC
Created attachment 309587: complete audit.log
Although I believe that my labels should be all right, there is a host of other
AVC denials, so much so that using virtual machines is possible only in the
Permissive mode.
Fixed in selinux-policy-3.3.1-68.fc9.noarch

I get the same errors with selinux-policy-3.3.1-91.fc9.noarch.

Summary:

SELinux is preventing the qemu-kvm from using potentially mislabeled files (./Fedora-9-x86_64-Live.iso).

Detailed Description:

SELinux has denied qemu-kvm access to potentially mislabeled file(s) (./Fedora-9-x86_64-Live.iso). This means that SELinux will not allow qemu-kvm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want qemu-kvm to access this files, you need to relabel them using restorecon -v './Fedora-9-x86_64-Live.iso'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                ./Fedora-9-x86_64-Live.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          adrenaline.localdomain
Source RPM Packages           kvm-65-9.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-91.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     adrenaline.localdomain
Platform                      Linux adrenaline.localdomain 2.6.26.3-29.fc9.x86_64 #1 SMP Wed Sep 3 03:16:37 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 01 Oct 2008 10:41:30 AM EET
Last Seen                     Wed 01 Oct 2008 08:33:24 PM EET
Local ID                      6b5d01f9-32d3-4af0-918c-f855e4d11049
Line Numbers

Raw Audit Messages

host=adrenaline.localdomain type=AVC msg=audit(1222886004.609:1914): avc: denied { read } for pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 ino=308137 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=adrenaline.localdomain type=SYSCALL msg=audit(1222886004.609:1914): arch=c000003e syscall=2 success=no exit=-13 a0=7fff12ae7a40 a1=0 a2=1a4 a3=33d6d67a70 items=0 ppid=3305 pid=9735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)

You need to change the label on the image to virt_image_t. We do not want to allow a virtual image to read your home directories.

Yeah I thought to apply the same as the one with bug #454893
This did the trick, thanks D.

This has been fixed for a while in F9. Closing.
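
The label check discussed in this bug, as an added example (not part of the original report or of selinux-policy): a Python triage helper that parses AVC denials and flags qemu_t file accesses blocked by the image's label, the case the thread resolves by relabeling to virt_image_t. The function names, the `MISLABELED_IMAGE_TYPES` set and the second log record are assumptions made for the example.

```python
import re

# First record is the AVC denial quoted in the report above; the second is a
# constructed record that the image-label rule must not match.
SAMPLE_LOG = (
    'host=adrenaline.localdomain type=AVC msg=audit(1222886004.609:1914): avc: denied '
    '{ read } for pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 '
    'ino=308137 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file\n'
    'type=AVC msg=audit(1222886010.101:1920): avc:  denied  { name_bind } for  pid=9800 '
    'comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket\n'
)

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types seen on this bug for images qemu_t could not read (assumption:
# extend the set only with types you have confirmed are applied to disk images).
MISLABELED_IMAGE_TYPES = {"user_home_t", "xen_image_t"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    rec["stype"] = selinux_type(rec["scontext"])
    rec["ttype"] = selinux_type(rec["tcontext"])
    return rec


def image_label_findings(log_text):
    """List (event serial, file, current type, wanted type) for qemu_t image denials."""
    findings = []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if (rec["stype"] == "qemu_t" and rec["tclass"] == "file"
                and rec["ttype"] in MISLABELED_IMAGE_TYPES):
            findings.append((rec["serial"], rec.get("name") or rec.get("path"), rec["ttype"], "virt_image_t"))
    return findings
```

Each finding is a candidate only: confirm the file really is a VM image before relabeling it, since the rule deliberately does not widen what qemu_t may read in home directories.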