Bug 451673 - SELinux prevented qemu-kvm from reading files stored on an NFS filesystem.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-16 12:20 EDT by Martin Nagy
Modified: 2016-07-26 19:47 EDT
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:04:40 EST

Description Martin Nagy 2008-06-16 12:20:00 EDT
Description of problem:
SELinux is preventing qemu-kvm access to an NFS filesystem when I was installing a
new system and wanted to use a DVD iso for installation, which was placed on an
NFS filesystem.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-55.fc9

How reproducible:
Install a new machine and use a DVD iso placed on an NFS filesystem.
  
Actual results:
Raw Audit Messages:
host=wolverine type=AVC msg=audit(1213015944.378:993): avc: denied { read } for
pid=13007 comm="qemu" name="Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103
scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=file host=wolverine type=SYSCALL msg=audit(1213015944.378:993):
arch=c000003e syscall=2 success=yes exit=4 a0=7fff07efae20 a1=0 a2=1a4
a3=39edf67a70 items=0 ppid=12358 pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu"
subj=unconfined_u:system_r:qemu_t:s0 key=(null) 

Some more:
Raw Audit Messages:
host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { read } for
pid=13007 comm="qemu" name="i386" dev=0:16 ino=6956855
scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=lnk_file host=wolverine type=AVC msg=audit(1213015944.378:992): avc:
denied { getattr } for pid=13007 comm="qemu"
path="/mnt/mirror/fedora/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso" dev=0:16
ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file host=wolverine type=SYSCALL
msg=audit(1213015944.378:992): arch=c000003e syscall=4 success=yes exit=0
a0=7fff07efae20 a1=7fff07ef8410 a2=7fff07ef8410 a3=0 items=0 ppid=12358
pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu"
subj=unconfined_u:system_r:qemu_t:s0 key=(null) 

Expected results:
No such messages.

Additional info:
Comment 1 Daniel Walsh 2008-06-22 08:20:40 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch
Comment 2 Daniel Walsh 2008-11-17 17:04:40 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
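
Added example (not part of the original bug thread, and not audit2allow's own code): the command in Comment 1 builds a module from every denial in the audit log since the last policy reload, so it is worth listing the allow rules the log implies and narrowing them to the qemu_t domain before loading anything. The first three log lines are the denials from this report, joined one record per line; the httpd line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First three records: the AVC denials from this report, one per line.
# Last record: constructed, unrelated denial that shares the same audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1213015944.378:992): avc: denied { read } for pid=13007 comm="qemu" name="i386" dev=0:16 ino=6956855 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file
type=AVC msg=audit(1213015944.378:992): avc: denied { getattr } for pid=13007 comm="qemu" path="/mnt/mirror/fedora/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1213015944.378:993): avc: denied { read } for pid=13007 comm="qemu" name="Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1213016000.100:1001): avc: denied { write } for pid=2210 comm="httpd" name="upload" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def parse_denials(log):
    """Yield (source_type, target_type, tclass, perms, comm) per AVC denial."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        yield (type_of(kv["scontext"]), type_of(kv["tcontext"]),
               kv["tclass"], m.group(1).split(), kv["comm"])

def candidate_rules(log, source_type=None):
    """Merge denials into allow rules; optionally keep one source domain."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms, _comm in parse_denials(log):
        if source_type is None or src == source_type:
            merged[(src, tgt, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("Whole log:", *candidate_rules(SAMPLE_LOG), sep="\n  ")
    print("qemu_t only:", *candidate_rules(SAMPLE_LOG, "qemu_t"), sep="\n  ")
```

Comparing the two lists shows which rules a whole-log module would carry beyond the qemu-on-NFS case reported here.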
