Bug 968303

Summary:	Can't find the "detach" event for the auvirt command
Product:	Red Hat Enterprise Linux 7	Reporter:	zhenfeng wang <zhwang>
Component:	audit	Assignee:	Steve Grubb <sgrubb>
Status:	CLOSED NOTABUG	QA Contact:	Ondrej Moriš <omoris>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.0	CC:	ajia, berrange, dyuan, gsun, jdenemar, mgrepl, mmalik, mzhan, pkis, rbalakri
Target Milestone:	rc	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	968304 (view as bug list)		Environment:
Last Closed:	2017-10-09 12:53:25 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1476406

Description zhenfeng wang 2013-05-29 12:28:03 UTC

Description of problem:
Can't find the "detach" event for the auvirt  command

Version-Release number of selected component (if applicable):
libvirt-1.0.5-2.el7.x86_64
kernel-3.9.0-0.55.el7.x86_64
qemu-kvm-1.4.0-4.el7.x86_64
libselinux-2.1.13-15.el7.x86_64
libselinux-utils-2.1.13-15.el7.x86_64
selinux-policy-targeted-3.12.1-46.el7.noarch
libselinux-python-2.1.13-15.el7.x86_64
selinux-policy-3.12.1-46.el7.noarch
audit-libs-2.3-2.el7.x86_64
audit-2.3-2.el7.x86_64
How reproducible:
100%

Steps
1. prepare a running guest
virsh list
 Id    Name                           State
----------------------------------------------------
 2     rhel7qcow2                     running

2.create a img
# qemu-img create -f qcow2 /var/lib/libvirt/images/test3.img 1G
Formatting '/var/lib/libvirt/images/test3.img', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
3.attach the disk, then detach it
# virsh attach-disk rhel7qcow2 /var/lib/libvirt/images/test3.img vdb
Disk attached successfully

# virsh detach-disk rhel7qcow2 vdb
Disk detached successfully

4.check the audit log with ausearch, both the "attach" event and "detach"event can be found with ausearch command
# ausearch -m VIRT_RESOURCE --start recent |grep disk
type=VIRT_RESOURCE msg=audit(1369807593.539:511): pid=1720 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=attach vm="rhel7qcow2" uuid=5dc40c41-9ea2-4a44-9019-59dc56a1ef15 old-disk="?" new-disk="/var/lib/libvirt/images/test3.img" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

type=VIRT_RESOURCE msg=audit(1369807640.676:512): pid=1720 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=detach vm="rhel7qcow2" uuid=5dc40c41-9ea2-4a44-9019-59dc56a1ef15 old-disk="/var/lib/libvirt/images/test3.img" new-disk="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

5.check the audit log with auvirt again, we can just see the "attach" event ,can't find the "detach" event
# auvirt --all-events --start recent |grep disk
res   rhel7qcow2                       root               Wed May 29 14:06 - 14:07  (00:00)          disk                attach            /var/lib/libvirt/images/test3.img

6.this didn't work for "net" either.

7.the rhel6 has the same issue also.

Actual results:
Can't find the "detach" event with auvirt command

Expected results:
should find the "detach" event successfully ,which just like the "attach" event

Comment 2 Miroslav Grepl 2013-06-03 19:59:39 UTC

Any AVC messages?

Comment 3 zhenfeng wang 2013-06-04 01:35:23 UTC

Hi Miroslav
sorry to don't find any AVC messages in the audit.log

Comment 4 Miroslav Grepl 2013-10-03 21:05:14 UTC

Are you still getting this issue?

Comment 5 zhenfeng wang 2014-02-19 11:04:14 UTC

Hi Miroslav
I'm so sorry to reply you so late , since i miss your needinfo before, i just re-test the comment0's steps with my latest environment, find that i can still hit this issue, and i found that it'll generate a deny event while i check the audit log with auvirt command after i detach the disk. I miss this event previous, I hope you help me have a look, thanks. BTW, since i can still reproduce this issue, so i think that we'd better re-open this bug, right ?

pkg info
qemu-kvm-rhev-1.5.3-47.el7.x86_64
libvirt-1.1.1-23.el7.x86_64
kernel-3.10.0-87.el7.x86_64
selinux-policy-3.12.1-125.el7.noarch
libselinux-2.2.2-5.el7.x86_64

steps
1. prepare a running guest
virsh list
 Id    Name                           State
----------------------------------------------------
 2     rhel75                       running

2.create a img
# qemu-img create -f qcow2 /var/lib/libvirt/images/test.img 1G
Formatting '/var/lib/libvirt/images/test.img', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
3.attach the disk, then detach it
# virsh attach-disk rhel7qcow2 /var/lib/libvirt/images/test.img vdb
Disk attached successfully

# virsh detach-disk rhel75 vdb
Disk detached successfully

4.check the audit log with ausearch, both the "attach" event and "detach"event can be found with ausearch command, Meanwhile i also find a deny log afer i detach the disk

# ausearch -m VIRT_RESOURCE --start recent 
time->Wed Feb 19 18:59:18 2014
type=VIRT_RESOURCE msg=audit(1392807558.592:8018): pid=5234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=attach vm="rhel75" uuid=4f43c3bd-249c-428e-8a67-f55f95916b1d old-disk="?" new-disk="/var/lib/libvirt/images/test.img" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
----
time->Wed Feb 19 18:59:50 2014
type=VIRT_RESOURCE msg=audit(1392807590.744:8036): pid=5234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=detach vm="rhel75" uuid=4f43c3bd-249c-428e-8a67-f55f95916b1d old-disk="/var/lib/libvirt/images/test.img" new-disk="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
----
time->Wed Feb 19 18:59:50 2014
type=VIRT_RESOURCE msg=audit(1392807590.745:8037): pid=5234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=cgroup reason=deny vm="rhel75" uuid=4f43c3bd-249c-428e-8a67-f55f95916b1d cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2drhel75.scope/" class=path path="/var/lib/libvirt/images/test.img" rdev=? acl=rwm exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'


5.check the audit log with auvirt again, we can just see the "attach" event ,can't find the "detach" event, however, find a deny event after i did the detach operation 

# auvirt --all-events --start recent
res   rhel75                   	root       	Wed Feb 19 18:42 - 18:42  (00:00)  	disk        	attach    	/var/lib/libvirt/images/test.img
res   rhel75                   	root       	Wed Feb 19 18:42                   	cgroup      	deny      	path	rwm	/var/lib/libvirt/images/test.img


6.Didn't find any avc during i test the upper steps

Comment 6 zhenfeng wang 2014-03-31 07:56:11 UTC

Re-try the comment5's operation with the latest env, still hit the issue, so re-open this bug 

pkg info
libvirt-1.1.1-29.el7.x86_64
qemu-kvm-rhev-1.5.3-59.el7ev.x86_64
kernel-3.10.0-115.el7.x86_64
selinux-policy-3.12.1-148.el7.noarch

Comment 7 Miroslav Grepl 2014-03-31 08:10:08 UTC

1. Does it work in permissive mode?

# setenforce 0

2. If yes, please re-test it with

# semodule -DB
# ausearch -m avc,user_avc -ts recent
# grep invalid /var/log/messages

Comment 8 zhenfeng wang 2014-03-31 08:49:11 UTC

Hi Miroslav
it didn't work in permissive mode and i got the same result with testing in enforcing mode as comment5 description

Comment 9 Miroslav Grepl 2014-03-31 08:51:21 UTC

If it does not work in permissive mode then it is not SELinux issue.

Comment 10 Daniel Berrangé 2014-03-31 09:51:44 UTC

Err the detach event is right there in the logs you quoted. see reason=detach here

time->Wed Feb 19 18:59:50 2014
type=VIRT_RESOURCE msg=audit(1392807590.744:8036): pid=5234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=detach vm="rhel75" uuid=4f43c3bd-249c-428e-8a67-f55f95916b1d old-disk="/var/lib/libvirt/images/test.img" new-disk="?" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Comment 11 Jiri Denemark 2014-03-31 13:34:39 UTC

Libvirt correctly logs the event, no idea why auvirt doesn't show it.

Comment 12 RHEL Program Management 2014-04-08 05:48:25 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 15 Steve Grubb 2017-09-22 21:29:20 UTC

What it looks like it does is finds the attach record, update the time, and add a proof. This way it gives you the time usage of a resource. So, I don't think it was meant to issue a detach just like there are no stop events for resources. I'll compare this with aulast to see how it handles sessions. I don't think you get logout events. 

Perhaps removing the whole reason column is the answer?

Comment 16 Steve Grubb 2017-10-09 12:53:25 UTC

I'm going to close this as an explained condition. If anyone has questions, please let me know.