Bug 484555

Summary: AVC denied errors when starting KVM guest
Product: [Fedora] Fedora Reporter: Mark McLoughlin <markmc>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: akarlsso, berrange, clalance, crobinso, dwalsh, mgrepl, torsten, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-20 16:21:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark McLoughlin 2009-02-08 09:40:07 UTC
When starting a KVM guest in permissive mode with libvirt-0.6.0-2.fc10.i386:

type=AVC msg=audit(1234085826.195:72): avc:  denied  { write } for  pid=8412 comm="qemu-kvm" name="qemu" dev=dm-1 ino=649746 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc:  denied  { add_name } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc:  denied  { create } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:72): avc:  denied  { read write } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:73): avc:  denied  { lock } for  pid=8412 comm="qemu-kvm" path="/var/run/libvirt/qemu/fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

Comment 1 Daniel Berrangé 2009-02-09 09:25:16 UTC
This is the important bit:

path="/var/run/libvirt/qemu/fedora10.pid"

The new libvirt now tells QEMU to write out a PID file on startup. So we need to add this directory to the SELinux policy for the QEMU domain type:

   /var/run/libvirt/qemu(/.*)?

NB, this directory is already listed in the %files section of the libvirt RPM, so if policy gets updated, it should get labelled correctly.

cf, similar problem with dnsmasq PID file bug 484199

Comment 2 Daniel Walsh 2009-02-09 14:26:37 UTC
Dan you are the man.


Miroslav add



type qemu_var_run_t;
files_pid_file(qemu_var_run_t)
...
manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
files_pid_filetrans(qemu_t, qemu_var_run_t, file)

to qemu.te 

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

In qemu.fc

In both F9 and F10.

Comment 3 Miroslav Grepl 2009-02-12 14:56:09 UTC
Fixed in selinux-policy-3.5.13-45.fc10

Comment 4 Torsten Rausche 2009-02-25 17:17:40 UTC
This still does not work.

selinux-policy-3.5.13-46.fc10.noarch
libvirt-0.6.0-3.fc10.x86_64

After running restorecon the directory looks like this:

$ ls -Za /var/run/libvirt/qemu/
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 .
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 ..

which leads to the following denial messages in permissive mode:

node=roadrunner type=AVC msg=audit(1235579520.39:140): avc:  denied  { lock } for  pid=10497 comm="qemu-kvm" path="/var/run/libvirt/qemu/Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=SYSCALL msg=audit(1235579520.39:140): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=6 a2=7fffc0037f30 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { write } for  pid=10497 comm="qemu-kvm" name="qemu" dev=sda2 ino=4458842 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { add_name } for  pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { create } for  pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { read write } for  pid=10497 comm="qemu-kvm" name="Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=SYSCALL msg=audit(1235579520.34:139): arch=c000003e syscall=2 success=no exit=-2039644200 a0=7fffc003ae66 a1=42 a2=180 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

-----

After setting the directory's context to 'system_u:object_r:qemu_var_run_t:s0' too, it works fine.

Comment 5 Sirius Rayner-Karlsson 2009-02-25 19:51:58 UTC
I resolved this on my system by creating a file, virt2.te, containing

---
policy_module(virt2,1.0.4)

require {
	type qemu_t;
	type virt_var_run_t;
}

#============= qemu_t ==============
allow qemu_t virt_var_run_t:dir { write add_name };
allow qemu_t virt_var_run_t:file { read write create lock };
---

and I then ran
# make -f /usr/share/selinux/devel/Makefile
# semodule -i virt2.pp
# restorecon -Rv /var/lib/libvirt/qemu

It's working for me with
  libvirt-0.6.0-2.fc10.i386
  selinux-policy-3.5.13-45.fc10.noarch

Hope this helps,

/Anders

Comment 6 Miroslav Grepl 2009-02-26 11:31:47 UTC
Ok, I will fix qemu labeling to correct form.

Comment 7 Daniel Walsh 2009-02-26 14:02:33 UTC
Should have been

/var/run/libvirt/qemu(/.*)?  gen_context(system_u:object_r:qemu_var_run_t,s0)

Not 

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

My mistake.

Comment 8 Miroslav Grepl 2009-02-27 15:08:48 UTC
Fixed in selinux-policy-3.5.13-47.fc10

Comment 9 Mark McLoughlin 2009-03-20 16:21:09 UTC
Fix is now in F10 stable:

  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2245