460400 – Need labeling and policy for libvirt cache directory

Bug 460400 - Need labeling and policy for libvirt cache directory

Summary: Need labeling and policy for libvirt cache directory

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-08-28 03:18 UTC by James Morris
Modified:	2008-09-10 18:23 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-09-10 18:23:28 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description James Morris 2008-08-28 03:18:41 UTC

libvirt has a local cache directory which is used to manage temporary data for e.g. remote memory dumping of domains.

/var/cache/libvirt needs an appropriate label (possibly a new one, as it can contain very sensitive information) and qemu_t needs to be able to access it.

AVC denial info below.

This can be triggered with the experimental virt-mem tools, and it would be nice to fix this before the tools are shipped.


Source Context                unconfined_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                ./qemu.mem.AMHMSe [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          amd
Source RPM Packages           kvm-72-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.1-4.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     amd
Platform                      Linux amd 2.6.27-rc4 #1 SMP Thu Aug 28 11:04:02
                              EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Aug 28 13:09:25 2008
Last Seen                     Thu Aug 28 13:09:25 2008
Local ID                      a17b3120-c797-4906-addc-d371181efc51

Raw Audit Messages            

host=amd type=AVC msg=audit(1219892965.355:1129): avc:  denied  { write } for  pid=2194 comm="qemu-kvm" name="qemu.mem.AMHMSe" dev=md0 ino=7061535 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

host=amd type=SYSCALL msg=audit(1219892965.355:1129): arch=c000003e syscall=2 success=yes exit=0 a0=25a8d50 a1=241 a2=1b6 a3=7fc7ff2056f0 items=0 ppid=3464 pid=2194 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

Comment 1 Richard W.M. Jones 2008-08-28 07:44:12 UTC

The virDomainMemoryPeek call in libvirt causes qemu-kvm to
dump memory images into this directory.  These memory images
contain things like raw guest kernel memory, so could be
potentially Very Sensitive.

Comment 2 Daniel Walsh 2008-09-10 18:23:28 UTC

Fixed in selinux-policy-3.5.7-2.fc10

Note You need to log in before you can comment on or make changes to this bug.