Bug 454893 - SELinux is preventing qemu-kvm (qemu_t) "getattr" to /dev/mapper/vgcrypt-f932 (fixed_disk_device_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-10 12:14 EDT by Chris Snook
Modified: 2008-10-08 07:40 EDT
CC: 4 users

Doc Type: Bug Fix
Last Closed: 2008-10-08 07:40:49 EDT


Attachments:
New sealert message for this avc. (2.93 KB, text/html), 2008-09-10 13:59 EDT, Daniel Walsh
New sealert message for this avc. (4.59 KB, text/html), 2008-09-10 14:04 EDT, Daniel Walsh

Description Chris Snook 2008-07-10 12:14:29 EDT
Description of problem:
SELinux doesn't like qemu-kvm using logical volumes for guest disks.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-74.fc9.noarch
kvm-65-7.fc9.x86_64
qemu-0.9.1-6.fc9.x86_64

How reproducible:
100% (within this installation)

Steps to Reproduce:
1. create a KVM guest using a logical volume as the guest disk

Actual results:
Spew of SELinux denials.  I'm in permissive mode because of some other policy
bugs, so I don't know if this would actually prevent kvm from working, but it
can't be a good thing.

Expected results:
no denials

Additional info:
still happens after an autorelabel

Although the default for virt-manager is to create a file-backed virtual disk in
a directory that I assume is properly labeled, it is common and even recommended
to give guests dedicated block devices when possible for performance reasons. 
The targeted policy should allow this, or at least provide a boolean that can
allow this.  I only see four qemu-related booleans, and none of them appear
relevant to this.
Comment 1 Daniel Walsh 2008-07-10 14:56:02 EDT
If you label this device virt_image_t, it should work.

# semanage fcontext -a -t virt_image_t /dev/mapper/vgcrypt-f932
# restorecon /dev/mapper/vgcrypt-f932
Comment 2 Chris Snook 2008-07-10 17:40:22 EDT
Yeah, that fixes it, but forcing users to do this gives the impression that kvm
isn't really expected to be presenting block devices to guests, when in fact
this is encouraged.  In practice, users will just disable SELinux.  At the very
least, we should have a boolean (which the virtualization tools should document
or toggle at user request) that says that qemu-kvm is allowed to use block devices.
Comment 3 Daniel Walsh 2008-07-14 09:48:37 EDT
Well the real goal is to get this to happen automatically in virt-manager. 
Allowing a confined domain like qemu to read/write fixed disk, just makes it
unconfined.  If I can read/write any disk partition I can take over the host
machine, making the confinement useless.

Comment 4 Daniel Walsh 2008-07-14 09:51:06 EDT
Please attach the full setroubleshoot, so I can fix this to give a better
description on the fix.
Comment 5 David Juran 2008-07-22 08:26:56 EDT
Here are the two I got:


Summary:

SELinux is preventing qemu-kvm (qemu_t) "getattr" to
/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64 (fixed_disk_device_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64,

restorecon -v '/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                /dev/mapper/HelpdeskRHEL4-RHEL4.x86_64 [ blk_file
                              ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-78.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcppc2
Platform                      Linux dhcppc2 2.6.25.10-86.fc9.x86_64 #1 SMP Mon
                              Jul 7 20:23:46 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 22 Jul 2008 03:19:48 PM EEST
Last Seen                     Tue 22 Jul 2008 03:19:48 PM EEST
Local ID                      db6437c9-ef58-4857-b2b5-5794a2397cd8
Line Numbers                  

Raw Audit Messages            

host=dhcppc2 type=AVC msg=audit(1216729188.853:240): avc:  denied  { getattr }
for  pid=14066 comm="qemu-kvm" path="/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64"
dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:240): arch=c000003e syscall=4
success=no exit=-13 a0=7fff6f654680 a1=7fff6f651c80 a2=7fff6f651c80 a3=0 items=0
ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"
subj=system_u:system_r:qemu_t:s0 key=(null)




Summary:

SELinux is preventing qemu-kvm (qemu_t) "read" to HelpdeskRHEL4-RHEL4.x86_64
(fixed_disk_device_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for HelpdeskRHEL4-RHEL4.x86_64,

restorecon -v 'HelpdeskRHEL4-RHEL4.x86_64'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:qemu_t
Target Context                system_u:object_r:fixed_disk_device_t
Target Objects                HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-78.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcppc2
Platform                      Linux dhcppc2 2.6.25.10-86.fc9.x86_64 #1 SMP Mon
                              Jul 7 20:23:46 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 22 Jul 2008 03:19:48 PM EEST
Last Seen                     Tue 22 Jul 2008 03:19:48 PM EEST
Local ID                      a1e91cb0-aa50-4677-933f-c1620a2175bd
Line Numbers                  

Raw Audit Messages            

host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc:  denied  { read } for
 pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333
scontext=system_u:system_r:qemu_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:241): arch=c000003e syscall=2
success=no exit=-13 a0=7fff6f654680 a1=0 a2=1a4 a3=3342f67a70 items=0 ppid=2953
pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"
subj=system_u:system_r:qemu_t:s0 key=(null)



Comment 6 Daniel Walsh 2008-09-10 13:55:38 EDT
Fixed in setroubleshoot-plugins-2.0.8-1.fc10
Comment 7 Daniel Walsh 2008-09-10 13:59:19 EDT
Created attachment 316338 [details]
New sealert message for this avc.
Comment 8 Daniel Walsh 2008-09-10 14:01:38 EDT
Comment on attachment 316338 [details]
New sealert message for this avc.

Summary:

SELinux is preventing qemu (qemu-kvm) "read" to HelpdeskRHEL4-RHEL4.x86_64
(fixed_disk_device_t).

Detailed Description:

SELinux denied qemu access to the block device HelpdeskRHEL4-RHEL4.x86_64. If
this is a virtualization image, it needs to be labeled with a virtualization
file context (virt_image_t). You can relabel HelpdeskRHEL4-RHEL4.x86_64 to be
virt_image_t using chcon. You also need to execute semanage fcontext -a -t
virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64' to add this new path to the system
defaults. If you did not intend to use HelpdeskRHEL4-RHEL4.x86_64 as a qemu
image it could indicate either a bug or an intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t virt_image_t
'HelpdeskRHEL4-RHEL4.x86_64'. You must also change the default file context
files on the system in order to preserve them even on a full relabel:
"semanage fcontext -a -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'"

Fix Command:

chcon -t virt_image_t 'HelpdeskRHEL4-RHEL4.x86_64'

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                HelpdeskRHEL4-RHEL4.x86_64 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           kvm-74-2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.7-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   qemu_blk_image
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27-0.305.rc5.git6.fc10.x86_64 #1 SMP Thu Sep 4 21:42:09 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jul 22 08:19:48 2008
Last Seen                     Tue Jul 22 08:19:48 2008
Local ID                      f327c428-a924-44f2-9fc2-29bb20fd51dc
Line Numbers                  1

Raw Audit Messages

host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc:  denied  { read } for pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:241): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6f654680 a1=0 a2=1a4 a3=3342f67a70 items=0 ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
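The decision the new qemu_blk_image plugin makes, written out as an added Python example (not setroubleshoot's own code, not from this bug's participants): it parses the raw AVC records quoted in comment 5, recognises a qemu_t denial on a fixed_disk_device_t block device, and produces the chcon/semanage relabel advice shown in the attachment above. The field handling (path= preferred over name=, as the two alerts in comment 5 show) and the regexes are my reconstruction of what the alerts display, not the plugin's source; the httpd record in the sample is constructed. In line with comment 3, the remedy offered is always a relabel to virt_image_t, never an allow rule for fixed_disk_device_t.

```python
"""Added example, not setroubleshoot code: the qemu_blk_image decision,
reconstructed from the alerts quoted in this bug."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header of an AVC denial record, then the key=value fields that follow "for".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: int
    perms: List[str]
    comm: str
    target: str        # path= if present, else name= (as the alerts report it)
    scontext: str
    tcontext: str
    tclass: str

    @property
    def sdomain(self) -> str:
        return self.scontext.split(":")[2]   # e.g. qemu_t

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]   # e.g. fixed_disk_device_t


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial described by one audit line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        serial=int(m.group("serial")),
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name") or "?",
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def qemu_blk_image_advice(d: AvcDenial) -> Optional[Dict[str, str]]:
    """Only qemu_t touching a fixed_disk_device_t blk_file qualifies, and the
    remedy is a relabel (comment 3: an allow rule would unconfine qemu_t)."""
    if not (d.sdomain == "qemu_t" and d.ttype == "fixed_disk_device_t"
            and d.tclass == "blk_file"):
        return None
    perms = " ".join(d.perms)
    return {
        "summary": (f'SELinux is preventing {d.comm} ({d.sdomain}) '
                    f'"{perms}" to {d.target} ({d.ttype}).'),
        "fix_command": f"chcon -t virt_image_t '{d.target}'",
        "persist_command": f"semanage fcontext -a -t virt_image_t '{d.target}'",
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the plugin decision over an audit stream; other lines are skipped."""
    advice = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            a = qemu_blk_image_advice(d)
            if a:
                advice.append(a)
    return advice


# Records 240 and 241 are the raw audit messages quoted in comment 5 of this
# bug (each joined onto one line); the httpd record is constructed to show a
# denial this plugin must leave alone.
SAMPLE_AUDIT = [
    'host=dhcppc2 type=AVC msg=audit(1216729188.853:240): avc:  denied  { getattr } '
    'for  pid=14066 comm="qemu-kvm" path="/dev/mapper/HelpdeskRHEL4-RHEL4.x86_64" '
    'dev=tmpfs ino=333 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'host=dhcppc2 type=SYSCALL msg=audit(1216729188.853:240): arch=c000003e syscall=4 '
    'success=no exit=-13 a0=7fff6f654680 a1=7fff6f651c80 a2=7fff6f651c80 a3=0 items=0 '
    'ppid=2953 pid=14066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" '
    'subj=system_u:system_r:qemu_t:s0 key=(null)',
    'host=dhcppc2 type=AVC msg=audit(1216729188.853:241): avc:  denied  { read } for '
    ' pid=14066 comm="qemu-kvm" name="HelpdeskRHEL4-RHEL4.x86_64" dev=tmpfs ino=333 '
    'scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    # constructed: a different domain and a regular file, not this plugin's case
    'type=AVC msg=audit(1216729200.000:242): avc:  denied  { read } for  pid=4242 '
    'comm="httpd" name="index.html" dev=sda1 ino=999 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT):
        print(a["summary"])
        print("  fix:     ", a["fix_command"])
        print("  persist: ", a["persist_command"])
```

Run it as-is and it prints the two qemu alerts with their fix commands; the SYSCALL record and the httpd denial produce nothing. Feeding it `ausearch -m avc` output works the same way, line by line. Note that record 241 carries only name=, so the advice names the bare file, exactly as the original sealert did; a real plugin would resolve that against the dev/ino to a full path before suggesting chcon.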
Comment 9 Daniel Walsh 2008-09-10 14:04:46 EDT
Created attachment 316341 [details]
New sealert message for this avc.
Comment 10 Daniel Walsh 2008-09-10 14:06:14 EDT
Fixed in setroubleshoot-plugins-2.0.8-1.fc9
Comment 11 Chris Snook 2008-10-06 16:56:34 EDT
Working fine now.  Feel free to close.
Comment 12 Chris Snook 2008-10-06 16:58:44 EDT
Never mind, the message went away because I labeled it, as the AVC told me to.  Either way, this is fixed enough.
