Bug 734281
Field | Value
---|---
Summary | SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the file /home/cesarb/.libvirt/qemu/log/FreeDOS.log.
Product | Fedora
Component | selinux-policy
Version | 17
Hardware | x86_64
OS | Linux
Status | CLOSED ERRATA
Severity | medium
Priority | unspecified
Reporter | Cesar Eduardo Barros <cesarb>
Assignee | Miroslav Grepl <mgrepl>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | berrange, bgilbert, dominick.grift, dwalsh, lmacken, mgrepl
Keywords | Reopened
Whiteboard | setroubleshoot_trace_hash:759f8ccfd5b5c64cc11fd9073669da063356f2079a871145ee16eb0bc9af3d12
Fixed In Version | selinux-policy-3.9.16-48.fc15
Doc Type | Bug Fix
Last Closed | 2012-04-04 16:23:13 UTC
Description (Cesar Eduardo Barros, 2011-08-30 01:02:23 UTC)

This was while attempting to create a VM using virt-manager and qemu:///session. Note that I did a restorecon -R ~/.libvirt (but the same problem happened before it). This is the first of a pair of AVCs; I will paste the other AVC in the next comment.

SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the diretório lib.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that qemu-kvm should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c126,c595
Target Context                unconfined_u:object_r:virt_home_t:s0
Target Objects                lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Seg 29 Ago 2011 21:58:36 BRT
Last Seen                     Seg 29 Ago 2011 21:58:36 BRT
Local ID                      cc154ef9-0c45-41bd-8c9e-88e1c87a2efd

Raw Audit Messages
type=AVC msg=audit(1314665916.793:132): avc: denied { write } for pid=8267 comm="qemu-kvm" name="lib" dev=dm-3 ino=983735 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1314665916.793:132): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff2a341e50 a2=6e a3=7fff2a341be0 items=0 ppid=1 pid=8267 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c126,c595 key=(null)

Hash: qemu-kvm,svirt_t,virt_home_t,dir,write

audit2allow
#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# virt_cache_t, var_run_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, var_t, hugetlbfs_t, svirt_image_t, svirt_tmpfs_t, dosfs_t
allow svirt_t virt_home_t:dir write;

audit2allow -R
#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# virt_cache_t, var_run_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, var_t, hugetlbfs_t, svirt_image_t, svirt_tmpfs_t, dosfs_t
allow svirt_t virt_home_t:dir write;

Not sure if part of this is a libvirt problem?

Dan, should I allow these accesses?

The log file as an inherited file descriptor? Shouldn't it be append access?

The second one looks like qemu is trying to create something within a lib directory?

(In reply to comment #3)
> The second one looks like the qemu is trying to create something within a lib
> directory?

I am guessing this directory is .libvirt/qemu/lib, since virt_home_t is the label for ~/.libvirt (set by restorecon):

$ find .libvirt/ -name lib
.libvirt/qemu/lib
$ ls -laZ .libvirt/qemu/lib
drwxrwxr-x. cesarb cesarb unconfined_u:object_r:virt_home_t:s0 .
drwxrwxr-x. cesarb cesarb unconfined_u:object_r:virt_home_t:s0 ..

Yes, but what is qemu trying to create in that directory?

I think we had a similar bug on RHEL6. I am finding it.

selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I'm hitting this with the latest Fedora 17 pre-release with selinux-policy-3.10.0-106.fc17.noarch

Created attachment 575175 [details]
setroubleshoot output

Fresh F17 pre-beta install.
Opened up "boxes" and pointed it at a downloaded ISO.
*boom*

Looks like a qemu bug... filed as Bug #809910

Luke, check out 809910.
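Added example, not part of the bug report or of selinux-policy: a small Python parser that correlates the AVC and SYSCALL records pasted in the description by audit serial, reconstructs the rule audit2allow proposes, and flags that the target type is a home-directory type (virt_home_t), which is the reason the maintainers here fixed the policy rather than simply installing the suggested local module. The SYSCALL record's syscall=bind together with a dir write denial means qemu was creating a Unix socket in that directory.

```python
import re
from collections import defaultdict

# Audit records copied from the report above: the AVC and its matching SYSCALL record.
AUDIT_LOG = """\
type=AVC msg=audit(1314665916.793:132): avc: denied { write } for pid=8267 comm="qemu-kvm" name="lib" dev=dm-3 ino=983735 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1314665916.793:132): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff2a341e50 a2=6e a3=7fff2a341be0 items=0 ppid=1 pid=8267 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c126,c595 key=(null)
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial; return one dict per denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':
            perms = re.search(r'denied \{ ([^}]*) \}', body)
            fields['perms'] = perms.group(1).split() if perms else []
        events[serial][rtype] = fields
    denials = []
    for serial, recs in events.items():
        avc = recs.get('AVC')
        if not avc:
            continue
        sc = recs.get('SYSCALL', {})  # the syscall tells you *what* the domain was doing
        denials.append({'serial': serial,
            'stype': avc['scontext'].split(':')[2],   # source domain, e.g. svirt_t
            'ttype': avc['tcontext'].split(':')[2],   # target type, e.g. virt_home_t
            'tclass': avc['tclass'], 'perms': avc['perms'],
            'name': avc.get('name'), 'syscall': sc.get('syscall'),
            'exe': sc.get('exe')})
    return denials

def allow_rule(d):
    """The allow rule audit2allow would emit for this denial."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"

def touches_home_type(d):
    """True when the rule would grant the domain rights on a *_home_t type, i.e. on
    the user's home directory rather than on a type dedicated to the VM's own files."""
    return d['ttype'].endswith('_home_t')
```

A local module built from this rule would let every svirt_t guest write into ~/.libvirt, so a denial that touches a home type is one to report (as here) rather than allow.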