Description of problem:
SELinux doesn't like qemu-kvm using logical volumes for guest disks.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-74.fc9.noarch
kvm-65-7.fc9.x86_64
qemu-0.9.1-6.fc9.x86_64

How reproducible:
100% (within this installation)

Steps to Reproduce:
1. create a KVM guest using a logical volume as the guest disk

Actual results:
Spew of SELinux denials. I'm in permissive mode because of some other policy bugs, so I don't know if this would actually prevent kvm from working, but it can't be a good thing.

Expected results:
no denials

Additional info:
still happens after an autorelabel

Although the default for virt-manager is to create a file-backed virtual disk in a directory that I assume is properly labeled, it is common and even recommended to give guests dedicated block devices when possible for performance reasons. The targeted policy should allow this, or at least provide a boolean that can allow this. I only see four qemu-related booleans, and none of them appear relevant to this.
If you label this device virt_image_t, it should work.

# semanage fcontext -a -t virt_image_t /dev/mapper/vgcrypt-f932
# restorecon /dev/mapper/vgcrypt-f932
Yeah, that fixes it, but forcing users to do this gives the impression that kvm isn't really expected to be presenting block devices to guests, when in fact this is encouraged. In practice, users will just disable SELinux. At the very least, we should have a boolean (which the virtualization tools should document or toggle at user request) that says that qemu-kvm is allowed to use block devices.
Well the real goal is to get this to happen automatically in virt-manager. Allowing a confined domain like qemu to read/write fixed disk, just makes it unconfined. If I can read/write any disk partition I can take over the host machine, making the confinement useless.
Please attach the full setroubleshoot, so I can fix this to give a better description on the fix.
Here are the two I got:

Summary:

SELinux is preventing qemu-kvm (qemu_t) "getattr" to /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64 (fixed_disk_device_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64, restorecon -v '/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-78.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcppc2
Platform                      Linux dhcppc2 2.6.25.10-86.fc9.x86_64 #1 SMP Mon Jul 7 20:23:46 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 22 Jul 2008 03:19:48 PM EEST
Last Seen                     Tue 22 Jul 2008 03:19:48 PM EEST
Local ID                      db6437c9-ef58-4857-b2b5-5794a2397cd8
Line Numbers

Raw Audit Messages

host=dhcppc2 type=AVC msg=audit(1216729188.853:240): avc: denied { getattr } for pid=14066 comm="qemu-kvm" path="/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:240): arch=c000003e syscall=4 success=no exit=-13 a0=7fff6f654680 a1=7fff6f651c80 a2=7fff6f651c80 a3=0 items=0 ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)


Summary:

SELinux is preventing qemu-kvm (qemu_t) "read" to HelpdeskRHEL4-RHEL4.x86_64 (fixed_disk_device_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for HelpdeskRHEL4-RHEL4.x86_64, restorecon -v 'HelpdeskRHEL4-RHEL4.x86_64' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-78.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcppc2
Platform                      Linux dhcppc2 2.6.25.10-86.fc9.x86_64 #1 SMP Mon Jul 7 20:23:46 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 22 Jul 2008 03:19:48 PM EEST
Last Seen                     Tue 22 Jul 2008 03:19:48 PM EEST
Local ID                      a1e91cb0-aa50-4677-933f-c1620a2175bd
Line Numbers

Raw Audit Messages

host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc: denied { read } for pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:241): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6f654680 a1=0 a2=1a4 a3=3342f67a70 items=0 ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
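The two raw audit records above are the whole signal a triage tool needs: a qemu_t process, a fixed_disk_device_t target, class blk_file. The following is an added example, not setroubleshoot's own plugin and not code from this bug report. It parses type=AVC records, picks out exactly that pattern, joins the getattr record (which carries the full path) with the read record (which carries only the bare name) by dev/inode, and emits the per-device relabel from comment 1 instead of a policy module, because a rule letting qemu_t at fixed_disk_device_t in general is the host takeover Dan describes. SAMPLE_AUDIT is constructed from the report's lines plus one unrelated httpd denial; the function names are the example's own.

```python
"""Triage raw SELinux AVC records for the qemu-kvm / block-device case.

Added example, not setroubleshoot code. Recognises qemu_t being denied
access to a fixed_disk_device_t block device and prints the relabel to
virt_image_t for that one device only.
"""
import re
import shlex

# Constructed sample: the two AVC records (and one SYSCALL record) from the
# bug report, plus an unrelated httpd denial that must be left alone.
SAMPLE_AUDIT = """\
host=dhcppc2 type=AVC msg=audit(1216729188.853:240): avc: denied { getattr } for pid=14066 comm="qemu-kvm" path="/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:240): arch=c000003e syscall=4 success=no exit=-13 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"
host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc: denied { read } for pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=dhcppc2 type=AVC msg=audit(1216729200.100:242): avc: denied { read } for pid=15000 comm="httpd" name="index.html" dev=sda1 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Optional "host=..." prefix as setroubleshoot prints it, then the AVC body.
AVC_RE = re.compile(
    r'^(?:host=\S+\s+)?type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}'
    r'\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    # Values may be quoted (comm="qemu-kvm"); shlex strips the quotes.
    for tok in shlex.split(m.group('fields')):
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val
    # The type is the third colon-separated field of a context string.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def is_qemu_blk_denial(rec):
    """True for the pattern in this bug: qemu_t vs a fixed-disk block device."""
    return (rec is not None
            and rec.get('scontext_type') == 'qemu_t'
            and rec.get('tcontext_type') == 'fixed_disk_device_t'
            and rec.get('tclass') == 'blk_file')


def fix_commands(path):
    """The relabel from comment 1: persist the context, then apply it.

    Labelling only this device keeps qemu_t confined; an allow rule on
    fixed_disk_device_t would let it read/write every disk on the host.
    """
    return [
        "semanage fcontext -a -t virt_image_t %s" % shlex.quote(path),
        "restorecon -v %s" % shlex.quote(path),
    ]


def triage(audit_text):
    """Map each denied device to its fix, keyed by the best path seen.

    The getattr AVC carries path=, the read AVC only name=; both refer to
    the same dev/inode, so the records are joined on that pair.
    """
    by_inode = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not is_qemu_blk_denial(rec):
            continue
        key = (rec.get('dev'), rec.get('ino'))
        path = rec.get('path') or rec.get('name')
        # An absolute path beats a bare name for the same device.
        if key not in by_inode or path.startswith('/'):
            by_inode[key] = path
    return {p: fix_commands(p) for p in by_inode.values()}


if __name__ == '__main__':
    for path, cmds in triage(SAMPLE_AUDIT).items():
        print("qemu-kvm denied on %s; label it virt_image_t:" % path)
        for c in cmds:
            print("  " + c)
```

Run it as-is to see the two commands for /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64; feed it `ausearch -m avc` output to triage a real host. The join on dev/inode is what saves the admin from the bare-name suggestion the original sealert printed.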
Fixed in setroubleshoot-plugins-2.0.8-1.fc10
Created attachment 316338
New sealert message for this avc.
Comment on attachment 316338
New sealert message for this avc.

Summary:

SELinux is preventing qemu (qemu-kvm) "read" to HelpdeskRHEL4-RHEL4.x86_64 (fixed_disk_device_t).

Detailed Description:

SELinux denied qemu access to the block device HelpdeskRHEL4-RHEL4.x86_64. If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel HelpdeskRHEL4-RHEL4.x86_64 to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64' to add this new path to the system defaults. If you did not intend to use HelpdeskRHEL4-RHEL4.x86_64 as a qemu image it could indicate either a bug or an intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'"

Fix Command:

chcon -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'

Additional Information:

Source Context:               system_u:system_r:qemu_t:s0
Target Context:               system_u:object_r:fixed_disk_device_t:s0
Target Objects:               HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]
Source:                       qemu-kvm
Source Path:                  /usr/bin/qemu-kvm
Port:                         <Unknown>
Host:                         dhcppc2
Source RPM Packages:          kvm-74-2.fc10
Target RPM Packages:
Policy RPM:                   selinux-policy-3.5.7-1.fc10
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  qemu_blk_image
Host Name:                    localhost.localdomain
Platform:                     Linux localhost.localdomain 2.6.27-0.305.rc5.git6.fc10.x86_64 #1 SMP Thu Sep 4 21:42:09 EDT 2008 x86_64 x86_64
Alert Count:                  1
First Seen:                   Tue Jul 22 08:19:48 2008
Last Seen:                    Tue Jul 22 08:19:48 2008
Local ID:                     f327c428-a924-44f2-9fc2-29bb20fd51dc
Line Numbers:                 1

Raw Audit Messages:

host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc: denied { read } for pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:241): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6f654680 a1=0 a2=1a4 a3=3342f67a70 items=0 ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Created attachment 316341
New sealert message for this avc.
Fixed in setroubleshoot-plugins-2.0.8-1.fc9
Working fine now. Feel free to close.
Never mind, the message went away because I labeled it, as the AVC told me to. Either way, this is fixed enough.