Bug 501983 - AVC when saving qemu domains
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-21 09:48 EDT by Enrico Scholz
Modified: 2009-11-18 08:09 EST

Doc Type: Bug Fix
Last Closed: 2009-11-18 08:09:41 EST

Description Enrico Scholz 2009-05-21 09:48:51 EDT
Description of problem:

Trying to save a qemu-kvm domain creates a bunch of AVCs

type=1400 audit(1242911515.624:1762): avc:  denied  { read } for  pid=16904 comm="qemu-kvm" name="sh" dev=sda1 ino=57348 scontext=system_u:system_r:svirt_t:s0:c11,c221 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=1400 audit(1242911715.550:1764): avc:  denied  { execute } for  pid=16961 comm="qemu-kvm" name="bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c11,c221 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242911927.337:1766): avc:  denied  { read open } for  pid=17048 comm="qemu-kvm" name="bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c196,c518 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913178.429:1768): avc:  denied  { execute_no_trans } for  pid=17123 comm="qemu-kvm" path="/bin/bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c583,c634 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913246.675:1770): avc:  denied  { getattr } for  pid=17187 comm="sh" path="/bin/bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c606,c973 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913246.677:1771): avc:  denied  { getattr } for  pid=17187 comm="sh" path="/bin/dd" dev=sda1 ino=57386 scontext=system_u:system_r:svirt_t:s0:c606,c973 tcontext=system_u:object_r:bin_t:s0 tclass=file

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. virsh 'save domain /var/lib/libvirt/qemu/domain'

Actual results:

a lot of denials; domain not saved properly and cannot be restored
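An added example, not part of the bug report or of the selinux-policy project: a small parser over the six AVC records quoted above that collapses them into the allow rules that would be needed, the same grouping audit2allow performs (source type, target type, object class, union of denied permissions). It also pulls out the MCS category pairs on the subject side, which is what makes the denials repeat per guest and is the isolation concern raised later in the thread. The only input is the page's own log lines embedded as a string; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# The six AVC records quoted in the bug description above, used here as the
# sample input (they are the page's own log lines, not constructed values).
AVC_LINES = """\
type=1400 audit(1242911515.624:1762): avc:  denied  { read } for  pid=16904 comm="qemu-kvm" name="sh" dev=sda1 ino=57348 scontext=system_u:system_r:svirt_t:s0:c11,c221 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=1400 audit(1242911715.550:1764): avc:  denied  { execute } for  pid=16961 comm="qemu-kvm" name="bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c11,c221 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242911927.337:1766): avc:  denied  { read open } for  pid=17048 comm="qemu-kvm" name="bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c196,c518 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913178.429:1768): avc:  denied  { execute_no_trans } for  pid=17123 comm="qemu-kvm" path="/bin/bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c583,c634 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913246.675:1770): avc:  denied  { getattr } for  pid=17187 comm="sh" path="/bin/bash" dev=sda1 ino=57347 scontext=system_u:system_r:svirt_t:s0:c606,c973 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1242913246.677:1771): avc:  denied  { getattr } for  pid=17187 comm="sh" path="/bin/dd" dev=sda1 ino=57386 scontext=system_u:system_r:svirt_t:s0:c606,c973 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# "avc:  denied  { read open } for  key=value ..." -> result, permission list, key/value tail
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<tail>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level into (type, categories). categories is the
    MCS part after the sensitivity, e.g. 'c11,c221', or '' when absent."""
    parts = ctx.split(":")
    level = parts[3:]          # ['s0'] or ['s0', 'c11,c221']
    cats = level[1] if len(level) > 1 else ""
    return parts[2], cats


def parse_avc(line):
    """Parse one audit line; return the fields we care about, or None for
    lines that are not AVC records (SYSCALL records, unrelated text)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("tail"))}
    if not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    stype, scats = split_context(fields["scontext"])
    ttype, _ = split_context(fields["tcontext"])
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": stype,
        "scats": scats,
        "ttype": ttype,
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "target": fields.get("path") or fields.get("name", ""),
    }


def parse_avc_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Collapse denials into (source type, target type, class) -> sorted
    permissions: the minimal set of allow rules the denials correspond to."""
    perms = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in perms.items()}


def format_rules(rules):
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]


def mcs_categories(records):
    """Distinct MCS category pairs on the subject side. Each pair is one
    sVirt-confined guest, which is why the same denial recurs per domain."""
    return sorted({r["scats"] for r in records if r["scats"]})


if __name__ == "__main__":
    recs = parse_avc_log(AVC_LINES)
    for rule in format_rules(allow_rules(recs)):
        print(rule)
    print("guests seen:", ", ".join(mcs_categories(recs)))
```

Run as is, it prints three rules (svirt_t against bin_t:file, bin_t:lnk_file and shell_exec_t:file) and four category pairs. The point of grouping by type rather than by the file or guest that tripped the denial is that any policy fix applies to every svirt_t instance at once, so the reviewer's question is not "which guest" but whether svirt_t should be allowed to execute a shell at all; the thread below turns on exactly that.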
Comment 1 Daniel Walsh 2009-05-21 12:46:41 EDT
I can allow the execution of this, but I believe we are going to have a hard time with isolation here.

What exactly is qemu saving?  Is it rewriting an image file?

If you put the machine or svirt_t into permissive mode, what do all of the AVCs look like?
Comment 2 Daniel Berrange 2009-05-21 12:58:54 EDT
Urgh. This is an example of why the QEMU save capability is really evil. QEMU removed the old built-in 'save to file' capability, and to do this now you have to use their migrate API, telling it to exec 'dd of=/path/to/save'. We really need the built-in 'save to file' capability to come back so we can stop exec'ing bash and dd for this purpose.
Comment 3 Daniel Walsh 2009-05-21 13:11:56 EDT
Ok I have duplicated this on my machine.

Looks like libvirt creates a file and tells qemu to append to the file.

So I don't have to give great privs to make this work.

Fixed in selinux-policy-3.6.12-40.fc11.noarch
Comment 4 Daniel Walsh 2009-05-21 13:12:38 EDT
Image does stop running when I tell it to save which seems wrong though.
Comment 5 Enrico Scholz 2009-05-21 15:22:17 EDT
I think that stopping the virtual machine is expected. 'savevm' stores memory + processor content (at least, according to its documentation); keeping the machine alive might modify hard disk content and there might be a conflict when the restored machine sees old processor/memory but new hard disk content.
Comment 6 Bug Zapper 2009-06-09 12:15:35 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 7 RJ 2009-08-25 00:47:23 EDT
I've also duplicated this on my machine, Fedora 11, 64-bit, SELinux=enforcing.

This occurs with any save. I've done a recent update to my system.


I see your comment (#3 above) and I still have this problem, even though:
[root@fedora-11-sys ~]# rpm -qa | grep selinux-policy
