Bug 734281
| Summary: | SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the file /home/cesarb/.libvirt/qemu/log/FreeDOS.log. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Cesar Eduardo Barros <cesarb> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 17 | CC: | berrange, bgilbert, dominick.grift, dwalsh, lmacken, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:759f8ccfd5b5c64cc11fd9073669da063356f2079a871145ee16eb0bc9af3d12 | | |
| Fixed In Version: | selinux-policy-3.9.16-48.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-04-04 16:23:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This was while attempting to create a VM using virt-manager and qemu:///session. Note that I did a restorecon -R ~/.libvirt (but the same problem happened before it). This is the first of a pair of AVCs; I will paste the other AVC in the next comment.

SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory lib.

***** Plugin catchall (100. confidence) suggests ***************************
If you believe that qemu-kvm should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c126,c595
Target Context                unconfined_u:object_r:virt_home_t:s0
Target Objects                lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Seg 29 Ago 2011 21:58:36 BRT
Last Seen                     Seg 29 Ago 2011 21:58:36 BRT
Local ID                      cc154ef9-0c45-41bd-8c9e-88e1c87a2efd
Raw Audit Messages
type=AVC msg=audit(1314665916.793:132): avc: denied { write } for pid=8267 comm="qemu-kvm" name="lib" dev=dm-3 ino=983735 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1314665916.793:132): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff2a341e50 a2=6e a3=7fff2a341be0 items=0 ppid=1 pid=8267 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c126,c595 key=(null)
Hash: qemu-kvm,svirt_t,virt_home_t,dir,write
audit2allow
#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# virt_cache_t, var_run_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, var_t, hugetlbfs_t, svirt_image_t, svirt_tmpfs_t, dosfs_t
allow svirt_t virt_home_t:dir write;
audit2allow -R
#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# virt_cache_t, var_run_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, var_t, hugetlbfs_t, svirt_image_t, svirt_tmpfs_t, dosfs_t
allow svirt_t virt_home_t:dir write;
Not sure if part of this is a libvirt problem? Dan, should I allow these accesses? The log file as an inherited file descriptor? Shouldn't it be append access?

The second one looks like the qemu is trying to create something within a lib directory?

(In reply to comment #3)
> The second one looks like the qemu is trying to create something within a lib
> directory?

I am guessing this directory is .libvirt/qemu/lib, since virt_home_t is the label for ~/.libvirt (set by restorecon):

$ find .libvirt/ -name lib
.libvirt/qemu/lib
$ ls -laZ .libvirt/qemu/lib
drwxrwxr-x. cesarb cesarb unconfined_u:object_r:virt_home_t:s0 .
drwxrwxr-x. cesarb cesarb unconfined_u:object_r:virt_home_t:s0 ..

Yes but what is qemu trying to create in that directory?

I think we had a similar bug on RHEL6. I am finding it.

selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I'm hitting this with the latest Fedora 17 pre-release with selinux-policy-3.10.0-106.fc17.noarch.

Created attachment 575175 [details]
setroubleshoot output

Fresh F17 pre-beta install.
Opened up "boxes" and pointed it at a downloaded ISO.
*boom*

Looks like a qemu bug... filed as Bug #809910

Luke check out 809910
SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the file /home/cesarb/.libvirt/qemu/log/FreeDOS.log.

***** Plugin catchall (50.5 confidence) suggests ***************************
If you believe that qemu-kvm should be allowed write access on the FreeDOS.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

***** Plugin leaks (50.5 confidence) suggests ******************************
If you want to ignore qemu-kvm trying to write access the FreeDOS.log file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/qemu-kvm /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c126,c595
Target Context                unconfined_u:object_r:virt_home_t:s0
Target Objects                /home/cesarb/.libvirt/qemu/log/FreeDOS.log [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug 16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Seg 29 Ago 2011 21:58:36 BRT
Last Seen                     Seg 29 Ago 2011 21:58:36 BRT
Local ID                      cd767141-ee82-42b2-8eb1-a0b5678ba517

Raw Audit Messages
type=AVC msg=audit(1314665916.772:131): avc: denied { write } for pid=8267 comm="qemu-kvm" path="/home/cesarb/.libvirt/qemu/log/FreeDOS.log" dev=dm-3 ino=983752 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=AVC msg=audit(1314665916.772:131): avc: denied { write } for pid=8267 comm="qemu-kvm" path="/home/cesarb/.libvirt/qemu/log/FreeDOS.log" dev=dm-3 ino=983752 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1314665916.772:131): arch=x86_64 syscall=execve success=yes exit=0 a0=7fba7809f440 a1=7fba78001980 a2=7fba7809edb0 a3=7fba96f1aa50 items=0 ppid=1 pid=8267 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c126,c595 key=(null)

Hash: qemu-kvm,svirt_t,virt_home_t,file,write

audit2allow
#============= svirt_t ==============
allow svirt_t virt_home_t:file write;

audit2allow -R
#============= svirt_t ==============
allow svirt_t virt_home_t:file write;
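The two denials in this report differ in how the object reached the svirt_t domain: the log file is reported with path= against an execve (a descriptor libvirt opened and passed to qemu, re-checked by the kernel at exec), while the lib directory is reported with name= against a bind() that qemu itself made. The parser below, an added example that is not part of the bug, setroubleshoot or audit2allow, groups AVC and SYSCALL records by audit serial, derives the same allow rules audit2allow printed above, and labels each case; the sample lines are this report's own records trimmed to the fields the parser reads.

```python
import re
# Constructed sample: this report's two AVC/SYSCALL pairs, trimmed to the fields the parser reads.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1314665916.772:131): avc: denied { write } for pid=8267 comm="qemu-kvm" path="/home/cesarb/.libvirt/qemu/log/FreeDOS.log" dev=dm-3 ino=983752 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1314665916.772:131): arch=x86_64 syscall=execve success=yes exit=0 comm=qemu-kvm exe=/usr/bin/qemu-kvm
type=AVC msg=audit(1314665916.793:132): avc: denied { write } for pid=8267 comm="qemu-kvm" name="lib" dev=dm-3 ino=983735 scontext=system_u:system_r:svirt_t:s0:c126,c595 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1314665916.793:132): arch=x86_64 syscall=bind success=no exit=EACCES comm=qemu-kvm exe=/usr/bin/qemu-kvm
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
PERM_RE = re.compile(r'denied\s+\{([^}]*)\}')         # { write } -> ['write']
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial ties an AVC to its SYSCALL

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m: continue
        ev = events.setdefault(m.group(1), {"avc": [], "syscall": None})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = PERM_RE.search(line).group(1).split()
            # the type is the third colon-separated part of an SELinux context
            fields["stype"] = fields["scontext"].split(":")[2]
            fields["ttype"] = fields["tcontext"].split(":")[2]
            ev["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
    return events

def allow_rules(events):
    """Collapse the denials into audit2allow-style rules, deduplicated."""
    rules = set()
    for ev in events.values():
        for a in ev["avc"]:
            for perm in a["perms"]:
                rules.add(f'allow {a["stype"]} {a["ttype"]}:{a["tclass"]} {perm};')
    return sorted(rules)

def triage(ev):
    """path= on an execve denial is an inherited fd re-checked at exec; name= is a lookup by this syscall."""
    sc = ev["syscall"]["syscall"] if ev["syscall"] else "unknown"
    notes = []
    for a in ev["avc"]:
        if sc == "execve" and "path" in a:
            # denied perm is write, not append, so the parent opened the log without O_APPEND
            notes.append(f'{a["tclass"]} {a["path"]}: inherited fd, opened for write not append')
        elif "name" in a:
            notes.append(f'{a["tclass"]} "{a["name"]}": looked up by name during {sc}()')
    return notes
```

Running it over a real /var/log/audit/audit.log only needs the extra keys (a0..a3, uid fields, key=) to be ignored, which the key=value regex already does.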