Bug 484555
| Summary: | AVC denied errors when starting KVM guest | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mark McLoughlin <markmc> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 10 | CC: | akarlsso, berrange, clalance, crobinso, dwalsh, mgrepl, torsten, veillard, virt-maint |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-03-20 16:21:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mark McLoughlin
2009-02-08 09:40:07 UTC
This is the important bit:

```
path="/var/run/libvirt/qemu/fedora10.pid"
```

The new libvirt now tells QEMU to write out a PID file on startup. So we need to add this directory to the SELinux policy for the QEMU domain type:

```
/var/run/libvirt/qemu(/.*)?
```

NB, this directory is already listed in the %files section of the libvirt RPM, so if policy gets updated, it should get labelled correctly.

cf. similar problem with dnsmasq PID file, bug 484199

---

Dan you are the man.

---

Miroslav, add

```
type qemu_var_run_t;
files_pid_file(qemu_var_run_t)
...
manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
files_pid_filetrans(qemu_t, qemu_var_run_t, file)
```

to qemu.te, and

```
/var/run/libvirt/qemu(/.*)?	--	gen_context(system_u:object_r:qemu_var_run_t,s0)
```

in qemu.fc. In both F9 and F10.

---

Fixed in selinux-policy-3.5.13-45.fc10

---

This still does not work.

```
selinux-policy-3.5.13-46.fc10.noarch
libvirt-0.6.0-3.fc10.x86_64
```

After running restorecon the directory looks like this:

```
$ ls -Za /var/run/libvirt/qemu/
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 .
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 ..
```

which leads to the following denial messages in permissive mode:

```
node=roadrunner type=AVC msg=audit(1235579520.39:140): avc: denied { lock } for pid=10497 comm="qemu-kvm" path="/var/run/libvirt/qemu/Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=SYSCALL msg=audit(1235579520.39:140): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=6 a2=7fffc0037f30 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { write } for pid=10497 comm="qemu-kvm" name="qemu" dev=sda2 ino=4458842 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { add_name } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { create } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { read write } for pid=10497 comm="qemu-kvm" name="Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=SYSCALL msg=audit(1235579520.34:139): arch=c000003e syscall=2 success=no exit=-2039644200 a0=7fffc003ae66 a1=42 a2=180 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)
```

After setting the directory's context to 'system_u:object_r:qemu_var_run_t:s0' too, it works fine.

---

I resolved this on my system by creating a file, virt2.te, containing

```
policy_module(virt2,1.0.4)

require {
        type qemu_t;
        type virt_var_run_t;
}

#============= qemu_t ==============
allow qemu_t virt_var_run_t:dir { write add_name };
allow qemu_t virt_var_run_t:file { read write create lock };
```

and I then ran

```
# make -f /usr/share/selinux/devel/Makefile
# semodule -i virt2.pp
# restorecon -Rv /var/lib/libvirt/qemu
```

It's working for me with

```
libvirt-0.6.0-2.fc10.i386
selinux-policy-3.5.13-45.fc10.noarch
```

Hope this helps,
/Anders

---

Ok, I will fix qemu labeling to correct form. Should have been

```
/var/run/libvirt/qemu(/.*)?	gen_context(system_u:object_r:qemu_var_run_t,s0)
```

Not

```
/var/run/libvirt/qemu(/.*)?	--	gen_context(system_u:object_r:qemu_var_run_t,s0)
```

My mistake.

---

Fixed in selinux-policy-3.5.13-47.fc10

---

Fix is now in F10 stable: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2245
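Two checks a practitioner triaging a report like this would want, written up as an added example that is not part of the bug report, of selinux-policy or of libvirt: first, collapsing the AVC records quoted above into (source type, target type, class, permissions) tuples, the shape audit2allow reports, so the whole access gap is visible at once; second, a small model of how a file_contexts entry's type selector decides which label a path gets, which is what made the `--` variant of the qemu.fc line leave the directory itself labelled virt_var_run_t. The AVC lines are copied from the thread; the virt.fc entry for the parent directory is assumed from the `ls -Za` output (the real line is not quoted in the bug), and the most-specific-match rule is a simplification of what setfiles/libselinux do.

```python
"""Triage helpers for the SELinux denials in this bug (added example, not
part of the bug report): parse AVC records into (source type, target type,
class, permissions) tuples, and model how file_contexts selectors decide
which label a path receives."""
import re
from collections import defaultdict

# AVC records copied from the bug report (node= prefix dropped; the SYSCALL
# records carry no context information and are not needed for triage).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1235579520.39:140): avc: denied { lock } for pid=10497 comm="qemu-kvm" path="/var/run/libvirt/qemu/Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1235579520.34:139): avc: denied { write } for pid=10497 comm="qemu-kvm" name="qemu" dev=sda2 ino=4458842 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1235579520.34:139): avc: denied { add_name } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1235579520.34:139): avc: denied { create } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1235579520.34:139): avc: denied { read write } for pid=10497 comm="qemu-kvm" name="Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
    }


def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


# --- file_contexts modelling -------------------------------------------------
# Selector column of a .fc entry -> the object class the entry is limited to.
FC_SELECTORS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
                "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_fc(text):
    """Parse .fc lines of the form  REGEX [SELECTOR] gen_context(CTX,LEVEL)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, selector, ctx = parts
        else:
            regex, selector, ctx = parts[0], None, parts[1]
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        context = f"{m.group(1)}:{m.group(2)}" if m else ctx
        entries.append((regex, FC_SELECTORS.get(selector), context))
    return entries


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", regex)
    return len(regex) if m is None else m.start()


def label_for(entries, path, obj_class):
    """Label setfiles would apply (simplified: among entries whose selector
    allows obj_class and whose anchored regex matches the whole path, the
    longest literal stem wins and later entries win ties)."""
    best = None
    for idx, (regex, cls, context) in enumerate(entries):
        if cls is not None and cls != obj_class:
            continue
        if re.fullmatch(regex, path):
            key = (stem_len(regex), idx)
            if best is None or key > best[0]:
                best = (key, context)
    return best[1] if best else None


# Parent-tree entry assumed from the `ls -Za` output in the report (the real
# virt.fc line is not quoted there); the two qemu.fc lines are the broken
# (-45) and corrected (-47) variants from the thread.
VIRT_FC = "/var/run/libvirt(/.*)?\tgen_context(system_u:object_r:virt_var_run_t,s0)"
QEMU_FC_BROKEN = "/var/run/libvirt/qemu(/.*)?\t--\tgen_context(system_u:object_r:qemu_var_run_t,s0)"
QEMU_FC_FIXED = "/var/run/libvirt/qemu(/.*)?\tgen_context(system_u:object_r:qemu_var_run_t,s0)"


def directory_labels():
    """Label the qemu PID directory and a PID file under each qemu.fc variant."""
    result = {}
    for name, qemu_line in (("broken", QEMU_FC_BROKEN), ("fixed", QEMU_FC_FIXED)):
        entries = parse_fc(VIRT_FC + "\n" + qemu_line)
        result[name] = (label_for(entries, "/var/run/libvirt/qemu", "dir"),
                        label_for(entries, "/var/run/libvirt/qemu/fedora10.pid", "file"))
    return result


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize_denials(SAMPLE_AUDIT).items():
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
    for variant, (dir_ctx, file_ctx) in directory_labels().items():
        print(f"{variant:6}: dir={dir_ctx}  file={file_ctx}")
```

The denial summary shows the same two gaps the thread's local module papers over (qemu_t on virt_var_run_t dir: add_name, write; file: create, lock, read, write). The labelling model shows why the -45 policy did not help even after restorecon: with the `--` selector the qemu.fc entry only applies to regular files, so the PID file would get qemu_var_run_t but the directory falls through to the parent entry and keeps virt_var_run_t; dropping the selector, as the corrected line does, labels both. Fixing the label is the right remedy; widening qemu_t's access to virt_var_run_t, as the workaround module does, grants the domain more than the PID directory.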