Description of problem:

Two AVC denials:

1) Summary:
SELinux is preventing qemu-kvm (qemu_t) "read" to ./RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t).

Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./RHEL5.1-Client-20071017.0-i386-DVD.iso,
restorecon -v './RHEL5.1-Client-20071017.0-i386-DVD.iso'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:xen_image_t
Target Objects                ./RHEL5.1-Client-20071017.0-i386-DVD.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          viklef
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-64.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 17 June 2008, 10:23:34 CEST
Last Seen                     Tue 17 June 2008, 10:29:02 CEST
Local ID                      aed6bde5-fc6f-4afa-8c9f-eff953ef23e5
Line Numbers

Raw Audit Messages:

host=viklef type=AVC msg=audit(1213691342.145:7896): avc: denied { read } for pid=25572 comm="qemu-kvm" name="RHEL5.1-Client-20071017.0-i386-DVD.iso" dev=dm-0 ino=1274897 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:xen_image_t:s0 tclass=file
host=viklef type=SYSCALL msg=audit(1213691342.145:7896): arch=40000003 syscall=5 success=no exit=-13 a0=bfe2a010 a1=8000 a2=0 a3=8000 items=0 ppid=2372 pid=25572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)

2) Summary:
SELinux is preventing qemu-kvm (qemu_t) "getattr" to /var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t).

Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso,
restorecon -v '/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:xen_image_t
Target Objects                /var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          viklef
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-64.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 17 June 2008, 10:23:34 CEST
Last Seen                     Tue 17 June 2008, 10:29:02 CEST
Local ID                      5a5585fb-2aab-484f-8474-7841361d27dd
Line Numbers

Raw Audit Messages:

host=viklef type=AVC msg=audit(1213691342.145:7895): avc: denied { getattr } for pid=25572 comm="qemu-kvm" path="/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso" dev=dm-0 ino=1274897 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:xen_image_t:s0 tclass=file
host=viklef type=SYSCALL msg=audit(1213691342.145:7895): arch=40000003 syscall=195 success=no exit=-13 a0=bfe2a010 a1=bfe27660 a2=5a4ff4 a3=a2c0168 items=0 ppid=2372 pid=25572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Created attachment 309587
complete audit.log

Although I believe that my labels should be all right, there is a host of other AVC denials, so much so that using virtual machines is possible only in the Permissive mode.
Fixed in selinux-policy-3.3.1-68.fc9.noarch
I get the same errors with selinux-policy-3.3.1-91.fc9.noarch.

Summary:
SELinux is preventing the qemu-kvm from using potentially mislabeled files (./Fedora-9-x86_64-Live.iso).

Detailed Description:
SELinux has denied qemu-kvm access to potentially mislabeled file(s) (./Fedora-9-x86_64-Live.iso). This means that SELinux will not allow qemu-kvm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
If you want qemu-kvm to access this files, you need to relabel them using restorecon -v './Fedora-9-x86_64-Live.iso'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                ./Fedora-9-x86_64-Live.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          adrenaline.localdomain
Source RPM Packages           kvm-65-9.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-91.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     adrenaline.localdomain
Platform                      Linux adrenaline.localdomain 2.6.26.3-29.fc9.x86_64 #1 SMP Wed Sep 3 03:16:37 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 01 Oct 2008 10:41:30 AM EET
Last Seen                     Wed 01 Oct 2008 08:33:24 PM EET
Local ID                      6b5d01f9-32d3-4af0-918c-f855e4d11049
Line Numbers

Raw Audit Messages:

host=adrenaline.localdomain type=AVC msg=audit(1222886004.609:1914): avc: denied { read } for pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 ino=308137 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=adrenaline.localdomain type=SYSCALL msg=audit(1222886004.609:1914): arch=c000003e syscall=2 success=no exit=-13 a0=7fff12ae7a40 a1=0 a2=1a4 a3=33d6d67a70 items=0 ppid=3305 pid=9735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
You need to change the label on the image to virt_image_t. We do not want to allow a virtual image to read your home directories.
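As an added example (not code from this bug report, from setroubleshoot or from the policy package), a small POSIX shell triage helper that pulls the source and target types out of the AVC lines quoted above and flags the qemu_t denials whose target is not virt_image_t, the label the maintainer asks for. The verdict strings and the chcon suggestion are our own; the sample lines are the AVC/SYSCALL records quoted in this report.

```shell
#!/bin/sh
# Added triage helper (not part of the bug report): parses AVC lines from
# audit.log and flags qemu_t denials whose target type is not the label the
# maintainer asks for (virt_image_t). Sample lines below are copied from the
# denials quoted in this report; the verdict text is our own.

# Extract the type of a context: "tcontext=system_u:object_r:xen_image_t:s0" -> xen_image_t
ctx_type() {  # $1 = scontext|tcontext, $2 = one audit line
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^:[:space:]]*\).*/\1/p"
}

# Classify one audit line; prints "<perm> <object> <target type> <verdict>"
# and returns 1 for lines that are not qemu_t AVC denials.
triage_line() {
    line=$1
    case $line in *avc:*denied*) ;; *) return 1 ;; esac
    src=$(ctx_type scontext "$line")
    [ "$src" = qemu_t ] || return 1        # only the confined VM domain
    tgt=$(ctx_type tcontext "$line")
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' ')
    obj=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    [ -n "$obj" ] || obj=$(printf '%s\n' "$line" | sed -n 's/.* path="\([^"]*\)".*/\1/p')
    case $tgt in
        virt_image_t) verdict="ok: already virt_image_t, not a labelling problem" ;;
        user_home_t|xen_image_t) verdict="mislabelled: chcon -t virt_image_t '$obj'" ;;
        *) verdict="review: unexpected target type" ;;
    esac
    printf '%s %s %s %s\n' "$perm" "$obj" "$tgt" "$verdict"
}

# Run triage over a multi-line audit excerpt; non-AVC lines are skipped.
triage_log() {
    printf '%s\n' "$1" | while IFS= read -r l; do triage_line "$l" || :; done
}

# Number of denials that point at a mislabelled image (the actionable ones).
count_mislabelled() { triage_log "$1" | grep -c 'mislabelled:' || :; }

# AVC/SYSCALL records quoted in the report above (whitespace as extracted).
SAMPLE_AUDIT='type=AVC msg=audit(1213691342.145:7896): avc: denied { read } for pid=25572 comm="qemu-kvm" name="RHEL5.1-Client-20071017.0-i386-DVD.iso" dev=dm-0 ino=1274897 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1213691342.145:7896): arch=40000003 syscall=5 success=no exit=-13 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0
type=AVC msg=audit(1222886004.609:1914): avc: denied { read } for pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 ino=308137 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

triage_log "$SAMPLE_AUDIT"
```

chcon only changes the label on the inode and is undone by a full relabel; for a persistent fix, record the image path with semanage fcontext -a -t virt_image_t and then run restorecon on it.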
Yeah, I thought to apply the same as the one with bug #454893. This did the trick, thanks D.
This has been fixed for a while in F9. Closing.