Bug 1301637 - SELinux is preventing /usr/libexec/qemu-kvm from read access on the file /var/db/nscd/group.
Summary: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file /var...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Simon Sekidde
QA Contact: Jan Zarsky
URL:
Whiteboard:
Depends On:
Blocks: 1332116
Reported: 2016-01-25 15:11 UTC by Pat Riehecky
Modified: 2016-11-04 02:40 UTC (History)
CC: 9 users

Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1332116
Environment:
Last Closed: 2016-11-04 02:40:52 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHBA-2016:2283
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description Pat Riehecky 2016-01-25 15:11:04 UTC
Description of problem:
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c11,c90
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                /var/db/nscd/group [ file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Platform                      Linux testify 3.10.0-327.4.4.el7.x86_64
                              #1 SMP Wed Jan 6 09:27:55 CST 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-01-25 08:58:52 CST
Last Seen                     2016-01-25 08:58:52 CST
Local ID                      4b4e54bd-7e5c-4967-8819-443bd0e8506a

Raw Audit Messages
type=AVC msg=audit(1453733932.598:22172): avc:  denied  { read } for  pid=2539 comm="qemu-kvm" path="/var/db/nscd/group" dev="sda3" ino=540812635 scontext=system_u:system_r:svirt_t:s0:c11,c90 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file


Version-Release number of selected component (if applicable):
Source RPM Packages           qemu-kvm-1.5.3-105.el7_2.1.x86_64
Target RPM Packages           nscd-2.17-106.el7_2.1.x86_64
Policy RPM                    selinux-policy-3.13.1-60.el7.noarch

How reproducible: 100%


Steps to Reproduce:
1. start nscd
2. run /usr/libexec/qemu-kvm

Actual results:
listed selinux error

Expected results:
no error

Additional info:

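As an added example (not part of this bug report or of the selinux-policy package), the Python below parses the AVC record quoted above and merges denials into audit2allow-style allow rules, so the scope of the suggested local module can be read before it is installed: a type-enforcement rule for svirt_t applies to every guest carrying that type, whatever its MCS categories, which is why the policy update named under Fixed In Version is the lasting fix. The second denial in the sample log is constructed for illustration.

```python
import re

# Constructed sample: the AVC record quoted in the bug, a SYSCALL record that
# the parser must skip, and a second (made-up) denial carrying two permissions.
SAMPLE_LOG = """\
type=AVC msg=audit(1453733932.598:22172): avc:  denied  { read } for  pid=2539 comm="qemu-kvm" path="/var/db/nscd/group" dev="sda3" ino=540812635 scontext=system_u:system_r:svirt_t:s0:c11,c90 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1453733932.598:22172): arch=c000003e syscall=2 success=yes exit=5
type=AVC msg=audit(1453733940.100:22180): avc:  denied  { read open } for  pid=2539 comm="qemu-kvm" path="/var/db/nscd/passwd" dev="sda3" ino=540812636 scontext=system_u:system_r:svirt_t:s0:c11,c90 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def _split_context(ctx):
    # user:role:type[:level]; the level itself contains ':' (s0:c11,c90),
    # so split at most three times and keep the remainder as the level.
    parts = ctx.split(':', 3)
    return parts[2], (parts[3] if len(parts) > 3 else '')

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    stype, slevel = _split_context(kv['scontext'])
    ttype, _ = _split_context(kv['tcontext'])
    return {'verdict': m.group('verdict'), 'perms': frozenset(m.group('perms').split()),
            'comm': kv.get('comm', ''), 'path': kv.get('path', kv.get('name', '')),
            'stype': stype, 'ttype': ttype, 'tclass': kv['tclass'], 'slevel': slevel}

def suggest_rules(log):
    """Merge denials per (source type, target type, class) into allow rules.
    Type-enforcement rules carry no MCS categories, so a rule for svirt_t
    applies to every guest labelled svirt_t, not only the one that was denied."""
    merged = {}
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc and avc['verdict'] == 'denied':
            key = (avc['stype'], avc['ttype'], avc['tclass'])
            merged[key] = merged.get(key, frozenset()) | avc['perms']
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        rules.append('allow %s %s:%s %s;' % (s, t, c, body))
    return rules
```

Run against only the first line of SAMPLE_LOG it yields `allow svirt_t nscd_var_run_t:file read;`, the rule a local module built from this bug's denial would carry.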
Comment 3 Miroslav Grepl 2016-02-12 06:17:55 UTC
Pat,
are you able to reproduce it? Did it work correctly?

Comment 4 Pat Riehecky 2016-02-12 14:48:08 UTC
qemu-kvm seems to work fine without the cached group information, but the logged selinux alert does add unexpected errors to the system logs.

Comment 13 errata-xmlrpc 2016-11-04 02:40:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

