Bug 451763
| Summary: | SELinux is preventing qemu-kvm (qemu_t) "read" to ./RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t). | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||
| Component: | python-virtinst | Assignee: | Daniel Berrangé <berrange> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 9 | CC: | crobinso, dwalsh, mcepl, ultimatetux | ||||
| Target Milestone: | --- | Keywords: | SELinux | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-11-25 14:38:32 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Matěj Cepl
2008-06-17 08:41:31 UTC
Created attachment 309587 [details]
complete audit.log
Although I believe that my labels should be all right, there is a host of other
AVC denials, so much so that using virtual machines is possible only in the
Permissive mode.
Fixed in selinux-policy-3.3.1-68.fc9.noarch I get the same errors with selinux-policy-3.3.1-91.fc9.noarch.
Summary:
SELinux is preventing the qemu-kvm from using potentially mislabeled files
(./Fedora-9-x86_64-Live.iso).
Detailed Description:
SELinux has denied qemu-kvm access to potentially mislabeled file(s)
(./Fedora-9-x86_64-Live.iso). This means that SELinux will not allow qemu-kvm to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.
Allowing Access:
If you want qemu-kvm to access this files, you need to relabel them using
restorecon -v './Fedora-9-x86_64-Live.iso'. You might want to relabel the entire
directory using restorecon -R -v '.'.
Additional Information:
Source Context system_u:system_r:qemu_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects ./Fedora-9-x86_64-Live.iso [ file ]
Source qemu-kvm
Source Path /usr/bin/qemu-kvm
Port <Unknown>
Host adrenaline.localdomain
Source RPM Packages kvm-65-9.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-91.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name adrenaline.localdomain
Platform Linux adrenaline.localdomain
2.6.26.3-29.fc9.x86_64 #1 SMP Wed Sep 3 03:16:37
EDT 2008 x86_64 x86_64
Alert Count 3
First Seen Wed 01 Oct 2008 10:41:30 AM EET
Last Seen Wed 01 Oct 2008 08:33:24 PM EET
Local ID 6b5d01f9-32d3-4af0-918c-f855e4d11049
Line Numbers
Raw Audit Messages
host=adrenaline.localdomain type=AVC msg=audit(1222886004.609:1914): avc: denied { read } for pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 ino=308137 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=adrenaline.localdomain type=SYSCALL msg=audit(1222886004.609:1914): arch=c000003e syscall=2 success=no exit=-13 a0=7fff12ae7a40 a1=0 a2=1a4 a3=33d6d67a70 items=0 ppid=3305 pid=9735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
You need to change the label on the image to virt_image_t. We do not want to allow a virtual image to read your home directories. Yeah I thought to apply the same as the one with bug #454893 This did the trick, thanks D. This has been fixed for a while in F9. Closing. |