Bug 612229

Summary: SELinux prevents qemu-kvm from writing to LVM snapshot
Product: Fedora
Component: udev
Version: 13
Status: CLOSED ERRATA
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: John Brier <jbrier>
Assignee: Harald Hoyer <harald>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, clalance, crobinso, dwalsh, emcnabb, harald, itamar, jforbes, jonathan, veillard, virt-maint
Fixed In Version: udev-153-3.fc13
Doc Type: Bug Fix
Last Closed: 2010-08-19 21:27:40 EDT

Description John Brier 2010-07-07 11:51:18 EDT
Description of problem:

Version-Release number of selected component (if applicable):
[root@farina ~]# rpm -qa | grep  selinux
[root@farina ~]# uname -r

How reproducible:

only ran into it once, haven't tried to reproduce

Steps to Reproduce:
1. create a guest backed by an LVM LV
2. snapshot the guest
3. edit the /etc/libvirt/qemu/<guest.xml> to use the new snapshot LV
4. virsh create /etc/libvirt/qemu/<guest.xml>, after some time the guest will lock up and you will see SELinux denials

Expected results:
no denials

Additional info:

[root@farina ~]# lvs
  LV             VG        Attr   LSize   Origin    Snap%  Move Log Copy%  Convert
  LogVol03       vg_farina -wi-ao 156.25g                                         
  dirsrv8        vg_farina -wi-a-  10.00g                                         
  guest1         vg_farina -wi-a-  10.00g                                         
  lv_root        vg_farina -wi-ao  24.41g                                         
  lv_swap        vg_farina -wi-ao   2.00g                                         
  lv_var         vg_farina -wi-ao  19.53g                                         
  rhel52-1       vg_farina -wi-a-  10.00g                                         
  rhel52-2       vg_farina -wi-a-  10.00g                                         
  server102      vg_farina owi-a-  20.00g                                         
  server102-snap vg_farina swi-ao   2.00g server102   0.00                        
  station2       vg_farina owi-a-  20.00g                                         
  station2-snap  vg_farina swi-ao   2.00g station2    1.19  
[root@farina ~]# dmsetup info -c
Name                                      Maj Min Stat Open Targ Event  UUID                                                                                  
vg_farina-server102--snap                 253  14 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo                  
vg_farina-lv_swap                         253   3 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfZAKmTBEfGDHyXjdjcd0ofntIjxcOyamc                  
vg_farina-lv_root                         253   2 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfEJznfX9Eb9AJNHGqzqo8FI93r372ngH1                  
vg_farina-LogVol03                        253   0 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfN3b9XVakjSTOXI4B7qApQPCN9l9uwWOm                  
luks-032780d5-3a73-4c3c-a427-b3e124473c0c 253   9 L--w    1    1      0 CRYPT-LUKS1-032780d53a734c3ca427b3e124473c0c-luks-032780d5-3a73-4c3c-a427-b3e124473c0c
vg_farina-rhel52--2                       253   5 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfDQtsEB8uteq0DeYIeGbwWiliBbCq6ljB                  
vg_farina-server102--snap-cow             253  16 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo-cow              
vg_farina-rhel52--1                       253   4 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf6MhBzju77dkGpPo3E2wksD6OUKlFdLAu                  
vg_farina-lv_var                          253   1 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfqp9We2nshssyUVLXFV3HHAfpvTOllrXb                  
vg_farina-station2--snap-cow              253  12 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1-cow              
vg_farina-station2-real                   253  11 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF-real             
vg_farina-guest1                          253   6 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfzPv3NB1zamYrMsKFlswux8hvuh1Ye7Yk                  
vg_farina-dirsrv8                         253   7 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf1ua6C7xpWoJzx2USxsPpfGprFW4PsYiS                  
vg_farina-station2--snap                  253  10 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1                  
vg_farina-server102-real                  253  15 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0-real             
vg_farina-station2                        253   8 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF                  
vg_farina-server102                       253  13 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0                  
[root@farina ~]# ls -lZ /dev/vg_farina/station2
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/vg_farina/station2 -> ../dm-8
[root@farina ~]# ls -lZ /dev/vg_farina/station2-snap 
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/vg_farina/station2-snap -> ../dm-10
[root@farina ~]# ls -lZ /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
[root@farina ~]# ls -lZ /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
Comment 1 John Brier 2010-07-07 11:52:28 EDT
I meant to put this as the description:


SELinux is preventing qemu-kvm "write" access on /dev/dm-10.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c469,c844
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                /dev/dm-10 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          farina.dj.edm
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     farina.dj.edm
Platform                      Linux farina.dj.edm #1
                              SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   1277
First Seen                    Wed 07 Jul 2010 11:18:06 AM EDT
Last Seen                     Wed 07 Jul 2010 11:18:55 AM EDT
Local ID                      3f883c07-c279-4dc9-acd9-2e83f7475673
Line Numbers                  

Raw Audit Messages            

node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc:  denied  { write } for  pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Comment 2 Daniel Walsh 2010-07-12 16:11:51 EDT
Check the label of /dev/dm-10 after you start the guest, it should be labeled something like svirt_image_t:s0:c469,c844

If it is then this might be udev or someone running restorecon on /dev.

If not then this is a libvirt bug.
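Added example (not part of the bug report, and not libvirt or udev code): a small triage script that encodes the two checks this thread relies on. It parses raw audit AVC records, picks out the pattern seen above (a confined guest in svirt_t denied write on a block device that carries only the generic fixed_disk_device_t label instead of the per-guest svirt_image_t label libvirt applies at start), and then applies the decision from comment 2 given the label observed on the device right after the guest was started. It goes slightly beyond the comment by treating an svirt_image_t label with the wrong MCS categories as a third outcome. The sample audit lines are the one from this report plus two constructed records that must not match; the "label after start" value passed to triage() is constructed.

```python
"""Triage of svirt_t -> fixed_disk_device_t write denials on a guest's backing LV."""
import re
from dataclasses import dataclass
from typing import Optional

# Fields we need from an audit AVC record. path= is optional: some records carry
# name= instead, so anything between comm= and scontext= is skipped lazily.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+path="(?P<path>[^"]+)")?.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class Avc:
    pid: int
    comm: str
    path: Optional[str]
    perms: set
    scontext: str
    tcontext: str
    tclass: str


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one audit line; None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Avc(int(m.group("pid")), m.group("comm"), m.group("path"),
               set(m.group("perms").split()), m.group("scontext"),
               m.group("tcontext"), m.group("tclass"))


def context_type(ctx: str) -> str:
    """'system_u:system_r:svirt_t:s0:c469,c844' -> 'svirt_t'"""
    return ctx.split(":")[2]


def context_categories(ctx: str) -> set:
    """MCS categories of a context, e.g. {'c469', 'c844'}; empty when the level is plain s0."""
    parts = ctx.split(":", 3)
    if len(parts) < 4 or ":" not in parts[3]:
        return set()
    return set(parts[3].split(":", 1)[1].split(","))


def is_lost_svirt_label(avc: Avc) -> bool:
    """The signature from this bug: the guest's sVirt label is gone from its disk device."""
    return (context_type(avc.scontext) == "svirt_t"
            and avc.tclass == "blk_file"
            and context_type(avc.tcontext) == "fixed_disk_device_t"
            and "write" in avc.perms)


def find_lost_label_denials(lines):
    return [a for a in map(parse_avc, lines) if a is not None and is_lost_svirt_label(a)]


RESET_AFTER_START = "label reset after guest start: suspect udev or a restorecon of /dev"
NEVER_LABELLED = "device never carried svirt_image_t: libvirt labelling bug"
WRONG_CATEGORIES = "svirt_image_t but MCS categories differ from the guest's: wrong label"


def triage(avc: Avc, device_context_after_start: str) -> str:
    """Comment 2's decision, given the context seen on the device right after the guest started."""
    if context_type(device_context_after_start) != "svirt_image_t":
        return NEVER_LABELLED
    if context_categories(device_context_after_start) != context_categories(avc.scontext):
        return WRONG_CATEGORIES
    return RESET_AFTER_START


SAMPLE_AUDIT = [
    # the denial from this report
    'node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc:  denied  { write } for  pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    # constructed, unrelated denial: must not match
    'type=AVC msg=audit(1278515940.001:40001): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev=dm-2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    # constructed non-AVC record: must be ignored
    'type=SYSCALL msg=audit(1278515935.255:39984): arch=c000003e syscall=1 success=no exit=-13',
]

if __name__ == "__main__":
    for avc in find_lost_label_denials(SAMPLE_AUDIT):
        print(f"pid {avc.pid} ({avc.comm}) denied {sorted(avc.perms)} on {avc.path}")
        # constructed: the label the reporter would see with ls -lZ right after virsh create
        print(triage(avc, "system_u:object_r:svirt_image_t:s0:c469,c844"))
```

In practice the device context for triage() comes from `ls -lZ` on the dm node the /dev/<vg>/<lv> symlink resolves to (as in the ls output above), not on the symlink itself, which always shows device_t.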
Comment 3 Daniel Berrange 2010-07-13 08:50:46 EDT
There was a bug recently in udev blowing away the security context on devices, but not sure if it's fixed in F13 or not offhand.
Comment 6 Harald Hoyer 2010-07-13 09:08:30 EDT
see also bug 571714
Comment 7 Daniel Berrange 2010-07-13 09:19:22 EDT
Yes, that's the bug/patch I was thinking of.
Comment 8 Fedora Update System 2010-08-04 09:08:22 EDT
udev-153-1.fc13 has been submitted as an update for Fedora 13.
Comment 9 Fedora Update System 2010-08-05 02:49:35 EDT
udev-153-2.fc13 has been submitted as an update for Fedora 13.
Comment 10 Fedora Update System 2010-08-05 19:48:39 EDT
udev-153-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update udev'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/udev-153-2.fc13
Comment 11 Fedora Update System 2010-08-13 04:39:24 EDT
udev-153-3.fc13 has been submitted as an update for Fedora 13.
Comment 12 Fedora Update System 2010-08-19 21:27:04 EDT
udev-153-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.