Bug 627775

Summary: O SELinux está impedindo que o /usr/bin/qemu-kvm acesse um descritor de arquivo vazado do /home/cesarb/.libvirt/qemu/log/boot.kernel.org.log.
Product: [Fedora] Fedora Reporter: Cesar Eduardo Barros <cesarb>
Component: libvirtAssignee: Daniel Veillard <veillard>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: berrange, clalance, crobinso, dwalsh, hafflys, itamar, jforbes, mgrepl, oliver.henshaw, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e6a139fc1a11f58b26f0fa2c50ae2d177a1c08eaf1990dcd8c794646e9d5d906
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-10 18:14:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cesar Eduardo Barros 2010-08-26 23:05:34 UTC 
Sumário:

O SELinux está impedindo que o /usr/bin/qemu-kvm acesse um descritor de arquivo
vazado do /home/cesarb/.libvirt/qemu/log/boot.kernel.org.log.

Descrição detalhada:

[qemu-kvm tem um tipo permissivo (svirt_t). Esse acesso não foi negado.]

O SELinux impediu o acesso requisitado pelo comando qemu-kvm. Parece que isso é
um descritor vazado ou uma saída que foi direcionada para um arquivo que não
é permitido de ser acessado. Os vazamentos normalmente podem ser ignorados já
que o SELinux apenas está os fechando e relatando o erro. Se o aplicativo não
usa esse descritor, ele irá executar apropriadamente. Se esse for um
redirecionamento, você não obterá uma saída no
/home/cesarb/.libvirt/qemu/log/boot.kernel.org.log. Você deve gerar um bugzilla
para o selinux-policy e ele será encaminhado para o pacote apropriado. Você
pode ignorar seguramente

Permitindo acesso:

Você pode gerar um módulo de política local para permitir este acesso - veja
o FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informações adicionais:

Contexto de origem            system_u:system_r:svirt_t:s0:c162,c557
Contexto de destino           unconfined_u:object_r:user_home_t:s0
Objetos de destino            /home/cesarb/.libvirt/qemu/log/boot.kernel.org.log
                              [ file ]
Origem                        qemu-kvm
Caminho da origem             /usr/bin/qemu-kvm
Porta                         <Desconhecido>
Máquina                      (removido)
Pacotes RPM de origem         qemu-system-x86-0.12.5-1.fc13
Pacotes RPM de destino        
RPM da política              selinux-policy-3.7.19-49.fc13
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                leaks
Nome da máquina              (removido)
Plataforma                    Linux (removido) 2.6.35.3 #9
                              SMP Fri Aug 20 19:44:29 BRT 2010 x86_64 x86_64
Contador de alertas           2
Visto pela primeira vez em    Qui 26 Ago 2010 20:00:03 BRT
Visto pela última vez em     Qui 26 Ago 2010 20:00:03 BRT
ID local                      c1b89d88-b2be-4dc1-8b59-69af56211190
Números de linha             

Mensagens de auditoria não p 

node=(removido) type=AVC msg=audit(1282863603.482:27682): avc:  denied  { write } for  pid=3990 comm="qemu-kvm" path="/home/cesarb/.libvirt/qemu/log/boot.kernel.org.log" dev=dm-3 ino=1435208 scontext=system_u:system_r:svirt_t:s0:c162,c557 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removido) type=AVC msg=audit(1282863603.482:27682): avc:  denied  { write } for  pid=3990 comm="qemu-kvm" path="/home/cesarb/.libvirt/qemu/log/boot.kernel.org.log" dev=dm-3 ino=1435208 scontext=system_u:system_r:svirt_t:s0:c162,c557 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removido) type=SYSCALL msg=audit(1282863603.482:27682): arch=c000003e syscall=59 success=yes exit=0 a0=7f1c5c0057a0 a1=7f1c5c0081a0 a2=7f1c5c005610 a3=7f1c6affafe0 items=0 ppid=1 pid=3990 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c162,c557 key=(null)



Hash String generated from  leaks,qemu-kvm,svirt_t,user_home_t,file,write
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t user_home_t:file write;
Comment 1 Cesar Eduardo Barros 2010-08-26 23:14:43 UTC 
I am using qemu:///session, which seems to use ~/.libvirt by default.
Comment 2 Daniel Walsh 2010-08-27 00:26:47 UTC 
This file should be opened for append.

Not sure why log files are being stored in the homedir.  We will need to set up a label for this directory.
Comment 3 Cesar Eduardo Barros 2010-08-27 10:30:42 UTC 
(In reply to comment #2)
> Not sure why log files are being stored in the homedir.  We will need to set up
> a label for this directory.

qemu:///session runs as the user, which would explain why everything is on ~ instead of on a system location. It is not only log files.

Oddly, I vaguely recall using restorecon on a F12 machine to set up the correct label on this directory (restorecon -Rv ~/.libvirt/); it used svirt_var_run_t for ~/.libvirt/qemu and descendents. I have no idea why it did not work on F13 (the same command does nothing here). See what happens on F12:

$ chcon -t user_home_t .libvirt/qemu/
$ restorecon -Rv ~/.libvirt/
restorecon reset /home/cesarb/.libvirt/qemu context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:svirt_var_run_t:s0
Comment 4 Daniel Walsh 2010-08-27 15:08:37 UTC 
Yes this seems we lost this functionality.

Miroslav, I suggest we add a new type virt_home_t.  And label this ~/.libvirt and its subdirs as virt_home_t.

In F12 we had dontaudit write to this dir for svirt_t,  If libvirt would fix the logs to be append, then we could allow this access.  If this is a qemu issue, we could add another label to the logs directory virt_logs_home_t and allow svirt_t to write there.
Comment 5 Bug Zapper 2011-05-31 15:21:46 UTC 
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 6 Cole Robinson 2011-06-10 18:14:23 UTC 
Pretty sure this is fixed in F15.