Description of problem:
SELinux is preventing qemu-kvm access to NFS filesystem when I was installing a new system and wanted to use a DVD iso for installation, which was placed on an NFS filesystem.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-55.fc9

How reproducible:
Install a new machine and use a DVD iso placed on an NFS filesystem.

Actual results:
Raw Audit Messages:

host=wolverine type=AVC msg=audit(1213015944.378:993): avc: denied { read } for pid=13007 comm="qemu" name="Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

host=wolverine type=SYSCALL msg=audit(1213015944.378:993): arch=c000003e syscall=2 success=yes exit=4 a0=7fff07efae20 a1=0 a2=1a4 a3=39edf67a70 items=0 ppid=12358 pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

Some more:
Raw Audit Messages:

host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { read } for pid=13007 comm="qemu" name="i386" dev=0:16 ino=6956855 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file

host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { getattr } for pid=13007 comm="qemu" path="/mnt/mirror/fedora/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

host=wolverine type=SYSCALL msg=audit(1213015944.378:992): arch=c000003e syscall=4 success=yes exit=0 a0=7fff07efae20 a1=7fff07ef8410 a2=7fff07ef8410 a3=0 items=0 ppid=12358 pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

Expected results:
No such messages.

Additional info:

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch

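Added example, not part of the original report or of the SELinux tools: a small Python parser that groups the AVC denials quoted in the report into the allow rules they imply, so the rules can be reviewed before a module built from the whole audit log is loaded. The function names are hypothetical, and the example_t record is constructed to show why filtering by source domain matters.

```python
import re
from collections import defaultdict

# AVC records copied from the report; the last record (example_t) is constructed.
AUDIT_LINES = [
    'host=wolverine type=AVC msg=audit(1213015944.378:993): avc: denied { read } for pid=13007 comm="qemu" name="Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    'host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { read } for pid=13007 comm="qemu" name="i386" dev=0:16 ino=6956855 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file',
    'host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { getattr } for pid=13007 comm="qemu" path="/mnt/mirror/fedora/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
    'type=AVC msg=audit(1213015950.000:999): avc: denied { search } for pid=2001 comm="example" name="tmp" dev=dm-0 ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]

def summarize(lines, source_type=None):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        src = selinux_type(m["scon"])
        if source_type and src != source_type:
            continue  # ignore denials from unrelated domains
        key = (src, selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def to_allow_rules(denials):
    """Render the grouped denials in type-enforcement allow-rule syntax."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(AUDIT_LINES, source_type="qemu_t")):
        print(rule)
```

Because -l takes every denial logged since the last policy reload, the generated mypol.te is worth reading before semodule -i loads it.
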
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.