Bug 484555 - AVC denied errors when starting KVM guest
AVC denied errors when starting KVM guest
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-08 04:40 EST by Mark McLoughlin
Modified: 2009-03-20 12:21 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-20 12:21:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark McLoughlin 2009-02-08 04:40:07 EST
When starting a KVM guest in permissive mode with libvirt-0.6.0-2.fc10.i386:

type=AVC msg=audit(1234085826.195:72): avc:  denied  { write } for  pid=8412 comm="qemu-kvm" name="qemu" dev=dm-1 ino=649746 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc:  denied  { add_name } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc:  denied  { create } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:72): avc:  denied  { read write } for  pid=8412 comm="qemu-kvm" name="fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:73): avc:  denied  { lock } for  pid=8412 comm="qemu-kvm" path="/var/run/libvirt/qemu/fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
Comment 1 Daniel Berrange 2009-02-09 04:25:16 EST
This is the important bit:

path="/var/run/libvirt/qemu/fedora10.pid"

The new libvirt now tells QEMU to write out a PID file on startup. So we need to add this directory to the SELinux policy for the QEMU domain type:

   /var/run/libvirt/qemu(/.*)?

NB, this directory is already listed in the %files section of the libvirt RPM, so if policy gets updated, it should get labelled correctly.

cf, similar problem with dnsmasq PID file bug 484199
Comment 2 Daniel Walsh 2009-02-09 09:26:37 EST
Dan you are the man.


Miroslav add



type qemu_var_run_t;
files_pid_file(qemu_var_run_t)
...
manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
files_pid_filetrans(qemu_t, qemu_var_run_t, file)

to qemu.te 

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

In qemu.fc

In both F9 and F10.
Comment 3 Miroslav Grepl 2009-02-12 09:56:09 EST
Fixed in selinux-policy-3.5.13-45.fc10
Comment 4 Torsten Rausche 2009-02-25 12:17:40 EST
This still does not work.

selinux-policy-3.5.13-46.fc10.noarch
libvirt-0.6.0-3.fc10.x86_64

After running restorecon the directory looks like this:

$ ls -Za /var/run/libvirt/qemu/
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 .
drwxr-xr-x  root root system_u:object_r:virt_var_run_t:s0 ..

which leads to the following denial messages in permissive mode:

node=roadrunner type=AVC msg=audit(1235579520.39:140): avc:  denied  { lock } for  pid=10497 comm="qemu-kvm" path="/var/run/libvirt/qemu/Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=SYSCALL msg=audit(1235579520.39:140): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=6 a2=7fffc0037f30 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { write } for  pid=10497 comm="qemu-kvm" name="qemu" dev=sda2 ino=4458842 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { add_name } for  pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { create } for  pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=AVC msg=audit(1235579520.34:139): avc:  denied  { read write } for  pid=10497 comm="qemu-kvm" name="Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file

node=roadrunner type=SYSCALL msg=audit(1235579520.34:139): arch=c000003e syscall=2 success=no exit=-2039644200 a0=7fffc003ae66 a1=42 a2=180 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

-----

After setting the directory's context to 'system_u:object_r:qemu_var_run_t:s0' too, it works fine.
Comment 5 Anders 2009-02-25 14:51:58 EST
I resolved this on my system by creating a file, virt2.te, containing

---
policy_module(virt2,1.0.4)

require {
	type qemu_t;
	type virt_var_run_t;
}

#============= qemu_t ==============
allow qemu_t virt_var_run_t:dir { write add_name };
allow qemu_t virt_var_run_t:file { read write create lock };
---

and I then ran
# make -f /usr/share/selinux/devel/Makefile
# semodule -i virt2.pp
# restorecon -Rv /var/lib/libvirt/qemu

It's working for me with
  libvirt-0.6.0-2.fc10.i386
  selinux-policy-3.5.13-45.fc10.noarch

Hope this helps,

/Anders
Comment 6 Miroslav Grepl 2009-02-26 06:31:47 EST
Ok, I will fix qemu labeling to correct form.
Comment 7 Daniel Walsh 2009-02-26 09:02:33 EST
Should have been

/var/run/libvirt/qemu(/.*)?  gen_context(system_u:object_r:qemu_var_run_t,s0)

Not 

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

My mistake.
Comment 8 Miroslav Grepl 2009-02-27 10:08:48 EST
Fixed in selinux-policy-3.5.13-47.fc10
Comment 9 Mark McLoughlin 2009-03-20 12:21:09 EDT
Fix is now in F10 stable:

  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2245

Note You need to log in before you can comment on or make changes to this bug.