Bug 451763 - SELinux is preventing qemu-kvm (qemu_t) "read" to ./RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t).
SELinux is preventing qemu-kvm (qemu_t) "read" to ./RHEL5.1-Client-20071017.0...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: python-virtinst (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Berrange
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-17 04:41 EDT by Matěj Cepl
Modified: 2008-11-25 09:38 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-25 09:38:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
complete audit.log (3.57 MB, text/plain)
2008-06-17 06:27 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-06-17 04:41:31 EDT
Description of problem:
Two AVC Denials:

1) 

Souhrn:

SELinux is preventing qemu-kvm (qemu_t) "read" to
./RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t).

Podrobný popis:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./RHEL5.1-Client-20071017.0-i386-DVD.iso,

restorecon -v './RHEL5.1-Client-20071017.0-i386-DVD.iso'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:qemu_t
Kontext cíle                 system_u:object_r:xen_image_t
Objekty cíle                 ./RHEL5.1-Client-20071017.0-i386-DVD.iso [ file ]
Zdroj                         qemu-kvm
Cesta zdroje                  /usr/bin/qemu-kvm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          kvm-65-7.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-64.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun
                              10 16:27:49 EDT 2008 i686 i686
Počet uporoznění           3
Poprvé viděno               Út 17. červen 2008, 10:23:34 CEST
Naposledy viděno             Út 17. červen 2008, 10:29:02 CEST
Místní ID                   aed6bde5-fc6f-4afa-8c9f-eff953ef23e5
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1213691342.145:7896): avc:  denied  { read } for
 pid=25572 comm="qemu-kvm" name="RHEL5.1-Client-20071017.0-i386-DVD.iso"
dev=dm-0 ino=1274897 scontext=system_u:system_r:qemu_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1213691342.145:7896): arch=40000003 syscall=5
success=no exit=-13 a0=bfe2a010 a1=8000 a2=0 a3=8000 items=0 ppid=2372 pid=25572
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"
subj=system_u:system_r:qemu_t:s0 key=(null)

2)

Souhrn:

SELinux is preventing qemu-kvm (qemu_t) "getattr" to
/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso (xen_image_t).

Podrobný popis:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso,

restorecon -v '/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:qemu_t
Kontext cíle                 system_u:object_r:xen_image_t
Objekty cíle                 /var/lib/xen/images/RHEL5.1-Client-20071017.0-i386
                              -DVD.iso [ file ]
Zdroj                         qemu-kvm
Cesta zdroje                  /usr/bin/qemu-kvm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          kvm-65-7.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-64.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun
                              10 16:27:49 EDT 2008 i686 i686
Počet uporoznění           3
Poprvé viděno               Út 17. červen 2008, 10:23:34 CEST
Naposledy viděno             Út 17. červen 2008, 10:29:02 CEST
Místní ID                   5a5585fb-2aab-484f-8474-7841361d27dd
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1213691342.145:7895): avc:  denied  { getattr }
for  pid=25572 comm="qemu-kvm"
path="/var/lib/xen/images/RHEL5.1-Client-20071017.0-i386-DVD.iso" dev=dm-0
ino=1274897 scontext=system_u:system_r:qemu_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1213691342.145:7895): arch=40000003
syscall=195 success=no exit=-13 a0=bfe2a010 a1=bfe27660 a2=5a4ff4 a3=a2c0168
items=0 ppid=2372 pid=25572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Comment 1 Matěj Cepl 2008-06-17 06:27:56 EDT
Created attachment 309587 [details]
complete audit.log

Although I believe that my labels should be all right, there is a host of other
AVC denials, so much so that using virtual machines is possible only in the
Permissive mode.
Comment 2 Daniel Walsh 2008-06-22 08:08:19 EDT
Fixed in selinux-policy-3.3.1-68.fc9.noarch
Comment 3 Ahmed Medhat 2008-10-01 14:56:54 EDT
I get the same errors with selinux-policy-3.3.1-91.fc9.noarch.



Summary:

SELinux is preventing the qemu-kvm from using potentially mislabeled files
(./Fedora-9-x86_64-Live.iso).

Detailed Description:

SELinux has denied qemu-kvm access to potentially mislabeled file(s)
(./Fedora-9-x86_64-Live.iso). This means that SELinux will not allow qemu-kvm to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want qemu-kvm to access this files, you need to relabel them using
restorecon -v './Fedora-9-x86_64-Live.iso'. You might want to relabel the entire
directory using restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                ./Fedora-9-x86_64-Live.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          adrenaline.localdomain
Source RPM Packages           kvm-65-9.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-91.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     adrenaline.localdomain
Platform                      Linux adrenaline.localdomain
                              2.6.26.3-29.fc9.x86_64 #1 SMP Wed Sep 3 03:16:37
                              EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 01 Oct 2008 10:41:30 AM EET
Last Seen                     Wed 01 Oct 2008 08:33:24 PM EET
Local ID                      6b5d01f9-32d3-4af0-918c-f855e4d11049
Line Numbers                  

Raw Audit Messages            

host=adrenaline.localdomain type=AVC msg=audit(1222886004.609:1914): avc:  denied  { read } for  pid=9735 comm="qemu-kvm" name="Fedora-9-x86_64-Live.iso" dev=dm-2 ino=308137 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=adrenaline.localdomain type=SYSCALL msg=audit(1222886004.609:1914): arch=c000003e syscall=2 success=no exit=-13 a0=7fff12ae7a40 a1=0 a2=1a4 a3=33d6d67a70 items=0 ppid=3305 pid=9735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Comment 4 Daniel Walsh 2008-10-01 15:05:18 EDT
You need to change the label on the image to virt_image_t.  We do not want to allow a virtual image to read your home directories.
Comment 5 Ahmed Medhat 2008-10-01 15:24:07 EDT
Yeah I thought to apply the same as the one with bug #454893

This did the trick, thanks D.
Comment 6 Cole Robinson 2008-11-25 09:38:32 EST
This has been fixed for a while in F9. Closing.

Note You need to log in before you can comment on or make changes to this bug.