Bug 1301637 - SELinux is preventing /usr/libexec/qemu-kvm from read access on the file /var/db/nscd/group.
SELinux is preventing /usr/libexec/qemu-kvm from read access on the file /var...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
x86_64 Linux
low Severity low
: rc
: ---
Assigned To: Simon Sekidde
Jan Zarsky
:
Depends On:
Blocks: 1332116
  Show dependency treegraph
 
Reported: 2016-01-25 10:11 EST by Pat Riehecky
Modified: 2016-11-03 22:40 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1332116 (view as bug list)
Environment:
Last Closed: 2016-11-03 22:40:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pat Riehecky 2016-01-25 10:11:04 EST
Description of problem:
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c11,c90
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                /var/db/nscd/group [ file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Platform                      Linux testify 3.10.0-327.4.4.el7.x86_64
                              #1 SMP Wed Jan 6 09:27:55 CST 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-25 08:58:52 CST
Last Seen                     2016-01-25 08:58:52 CST
Local ID                      4b4e54bd-7e5c-4967-8819-443bd0e8506a

Raw Audit Messages
type=AVC msg=audit(1453733932.598:22172): avc:  denied  { read } for  pid=2539 comm="qemu-kvm" path="/var/db/nscd/group" dev="sda3" ino=540812635 scontext=system_u:system_r:svirt_t:s0:c11,c90 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file


Version-Release number of selected component (if applicable):
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch

How reproducible:100%


Steps to Reproduce:
1.start nscd
2.run  /usr/libexec/qemu-kvm
3.

Actual results:
listed selinux error

Expected results:
no error

Additional info:
Comment 3 Miroslav Grepl 2016-02-12 01:17:55 EST
Pat,
are you able to reproduce it? Did it work correctly?
Comment 4 Pat Riehecky 2016-02-12 09:48:08 EST
qemu-kvm seems to work fine without the cached group information, but the logged selinux alert does add unexpected errors to the system logs.
Comment 13 errata-xmlrpc 2016-11-03 22:40:52 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.