Bug 1340483 - libvirt to do/have allow svirt_t default_t:lnk_file read;
Summary: libvirt to do/have allow svirt_t default_t:lnk_file read;
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-27 14:03 UTC by lejeczek
Modified: 2021-08-11 11:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-17 08:10:12 UTC
Target Upstream Version:
Embargoed:


Description lejeczek 2016-05-27 14:03:42 UTC
Description of problem:

Guest cannot be started when the path uses a soft link.

It would be nice to have a boolean for this.
Or is it deemed a security risk?
regards

Comment 2 Miroslav Grepl 2016-05-30 12:32:20 UTC
Could you attach raw AVC messages?

Thank you.

Comment 3 lejeczek 2016-05-31 10:58:18 UTC
time->Tue May 31 11:55:55 2016
type=SYSCALL msg=audit(1464692155.089:91510): arch=c000003e syscall=2 success=no exit=-13 a0=7ff7860aebd0 a1=80800 a2=0 a3=316e69772f737473 items=0 ppid=1 pid=51393 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c162,c484 key=(null)
type=AVC msg=audit(1464692155.089:91510): avc:  denied  { read } for  pid=51393 comm="qemu-kvm" name="someGuests" dev="dm-0" ino=390147 scontext=system_u:system_r:svirt_t:s0:c162,c484 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
----
time->Tue May 31 11:55:55 2016
type=SYSCALL msg=audit(1464692155.089:91511): arch=c000003e syscall=4 success=no exit=-13 a0=7ff7860aebd0 a1=7ffe39f52d50 a2=7ffe39f52d50 a3=316e69772f737473 items=0 ppid=1 pid=51393 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c162,c484 key=(null)
type=AVC msg=audit(1464692155.089:91511): avc:  denied  { read } for  pid=51393 comm="qemu-kvm" name="someGuests" dev="dm-0" ino=390147 scontext=system_u:system_r:svirt_t:s0:c162,c484 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
----
time->Tue May 31 11:55:55 2016
type=SYSCALL msg=audit(1464692155.089:91512): arch=c000003e syscall=2 success=no exit=-13 a0=7ff7860aee70 a1=80002 a2=0 a3=316e69772f737473 items=0 ppid=1 pid=51393 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c162,c484 key=(null)
type=AVC msg=audit(1464692155.089:91512): avc:  denied  { read } for  pid=51393 comm="qemu-kvm" name="someGuests" dev="dm-0" ino=390147 scontext=system_u:system_r:svirt_t:s0:c162,c484 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file

Comment 4 Miroslav Grepl 2016-06-29 08:05:57 UTC
What is the path to "someGuests"? I believe we want to add labeling for that to avoid having this as a default rule in the policy.

Comment 6 Lukas Vrabec 2017-08-17 08:10:12 UTC
This issue could be fixed using a local SELinux modification.
Please use the following commands:
# semanage fcontext -a -e /var/lib/libvirt/images "path to SomeGuests dir"
# restorecon -Rv "Path to SomeGuests"

Thanks,
Lukas.
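
As an added example (not code from the bug, from libvirt or from selinux-policy), the following Python parses audit records like the ones in comment 3, pairs each AVC with its SYSCALL by serial number, and for the svirt_t-on-default_t pattern returns the labeling fix from comment 6 instead of an allow rule; the sample audit lines are one event copied from comment 3, and the guest directory passed to `remediation` is an assumed placeholder since the bug never names the real path.

```python
import re
from collections import defaultdict

# Constructed sample: one event (SYSCALL + AVC record) copied from the bug's audit log.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1464692155.089:91510): arch=c000003e syscall=2 success=no exit=-13 a0=7ff7860aebd0 a1=80800 a2=0 a3=316e69772f737473 items=0 ppid=1 pid=51393 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c162,c484 key=(null)
type=AVC msg=audit(1464692155.089:91510): avc:  denied  { read } for  pid=51393 comm="qemu-kvm" name="someGuests" dev="dm-0" ino=390147 scontext=system_u:system_r:svirt_t:s0:c162,c484 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, quoted or bare
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')             # { read write ... }

def parse_records(text):
    """Group audit records by serial so each AVC can be read with its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields["type"] == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
        events[m.group(2)][fields["type"]] = fields
    return events

def summarize(events):
    """One dict per denial: who was denied which permission on what object.
    The SELinux type is the third field of a user:role:type:level context."""
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        out.append({"serial": serial, "comm": avc["comm"], "name": avc["name"],
                    "syscall": recs.get("SYSCALL", {}).get("syscall"),
                    "source_type": avc["scontext"].split(":")[2],
                    "target_type": avc["tcontext"].split(":")[2],
                    "tclass": avc["tclass"], "perms": avc["perms"]})
    return out

def remediation(denial, guest_dir):
    """default_t means no file-context rule matched the object's path, so the fix is
    to label the guest directory like the stock image store (comment 6) rather than
    allow svirt_t onto default_t, which would cover every unlabeled path on the host."""
    if (denial["source_type"], denial["target_type"]) != ("svirt_t", "default_t"):
        return None
    return [f"semanage fcontext -a -e /var/lib/libvirt/images {guest_dir}",
            f"restorecon -Rv {guest_dir}"]
```

The returned commands are the ones to run as root on the host after verifying that guest_dir really is the directory the soft link resolves to; `syscall` is the raw x86_64 number from the SYSCALL record (2 is open in this log).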

Comment 7 lejeczek 2021-08-11 11:53:43 UTC
ok