Bug 612229
Summary: | SELinux prevents qemu-kvm from writing to LVM snapshot | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Brier <jbrier> |
Component: | udev | Assignee: | Harald Hoyer <harald> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | low |
Version: | 13 | CC: | berrange, clalance, crobinso, dwalsh, emcnabb, harald, itamar, jforbes, jonathan, veillard, virt-maint |
Hardware: | All | OS: | Linux |
Fixed In Version: | udev-153-3.fc13 | Doc Type: | Bug Fix |
Last Closed: | 2010-08-20 01:27:40 UTC | | |
Description
John Brier
2010-07-07 15:51:18 UTC
I meant to put this as the description:

Summary:

SELinux is preventing qemu-kvm "write" access on /dev/dm-10.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context        system_u:system_r:svirt_t:s0:c469,c844
Target Context        system_u:object_r:fixed_disk_device_t:s0
Target Objects        /dev/dm-10 [ blk_file ]
Source                qemu-kvm
Source Path           /usr/bin/qemu-kvm
Port                  <Unknown>
Host                  farina.dj.edm
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.7.19-28.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             farina.dj.edm
Platform              Linux farina.dj.edm 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count           1277
First Seen            Wed 07 Jul 2010 11:18:06 AM EDT
Last Seen             Wed 07 Jul 2010 11:18:55 AM EDT
Local ID              3f883c07-c279-4dc9-acd9-2e83f7475673
Line Numbers

Raw Audit Messages

node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc: denied { write } for pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Check the label of /dev/dm-10 after you start the guest, it should be labeled something like svirt_image_t:s0:469,c844

If it is then this might be udev or someone running restorecon on the /dev.

If not then this is a libvirt bug.

There was a bug recently in udev blowing away the security context on devices, but not sure if it's fixed in F13 or not offhand.

Would need this: http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;f=udev/udev-node.c;h=4314cceb79893d8f966ff8aa056ea8e7d265e766;hb=HEAD#l58

see also bug 571714

Yes, that's the bug/patch I was thinking of.

udev-153-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-1.fc13

udev-153-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-2.fc13

udev-153-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update udev'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/udev-153-2.fc13

udev-153-3.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-3.fc13

udev-153-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
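
The label check suggested in the comments, applied to the AVC record from the description, as an added example (not part of the bug report or of any Fedora tool): it derives the label the guest would need from the process context and compares it with the label on the denied device. The `svirt_image_t` type is the one named in the comment; treating the guest process's level as the expected device level, and the function names, are assumptions of this example.

```python
import re

# AVC record as quoted in the description above (node= prefix dropped).
AVC = (
    'type=AVC msg=audit(1278515935.255:39984): avc: denied { write } for '
    'pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 '
    'scontext=system_u:system_r:svirt_t:s0:c469,c844 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'
)

def parse_context(ctx):
    """Split user:role:type:level; the level keeps its own ':' (s0:c469,c844)."""
    _user, _role, typ, level = ctx.split(":", 3)
    _sens, _, cats = level.partition(":")
    # Category ranges such as c0.c1023 are compared as text, not expanded.
    return {"type": typ, "level": level,
            "cats": frozenset(filter(None, cats.split(",")))}

def triage(avc_line, image_type="svirt_image_t"):
    """Compare the denied object's label with the per-guest label sVirt implies.

    image_type is the type named in the comment above (assumption: the
    expected device level equals the guest process's level).
    """
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', avc_line)}
    perms = re.search(r"\{\s*([^}]*?)\s*\}", avc_line).group(1).split()
    src = parse_context(fields["scontext"])
    tgt = parse_context(fields["tcontext"])
    if tgt["type"] != image_type:
        verdict = "type_mismatch"      # generic device type, not the guest's
    elif tgt["cats"] != src["cats"]:
        verdict = "category_mismatch"  # labeled for a different guest
    else:
        verdict = "label_ok"           # the label does not explain the denial
    return {
        "path": fields.get("path"),
        "perms": perms,
        "expected": f"{image_type}:{src['level']}",
        "actual": f"{tgt['type']}:{tgt['level']}",
        "verdict": verdict,
    }

if __name__ == "__main__":
    print(triage(AVC))
```

The record alone shows only that the device carried the generic type when the write was denied; repeating the comparison against `ls -Z /dev/dm-10` right after the guest starts is what separates a label that was reset later from one that was never applied.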