Summary:

SELinux is preventing /usr/bin/qemu-kvm "write" access on sr0.

Detailed Description:

[qemu-kvm is running in enforcing mode (svirt_t). This action is not permitted.]

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c136,c886
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          underdark.thor.od.ua
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     underdark.thor.od.ua
Platform                      Linux underdark.thor.od.ua 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 11 Nov 2009 10:59:58
Last Seen                     Wed 11 Nov 2009 10:59:58
Local ID                      247b391c-3766-45a9-ab32-ea1267c12338
Line Numbers

Raw Audit Messages

node=underdark.thor.od.ua type=AVC msg=audit(1257929998.809:139): avc: denied { write } for pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 scontext=system_u:system_r:svirt_t:s0:c136,c886 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
node=underdark.thor.od.ua type=SYSCALL msg=audit(1257929998.809:139): arch=c000003e syscall=2 success=yes exit=128 a0=7fffb847a1a0 a1=1002 a2=1a4 a3=30 items=0 ppid=1 pid=25245 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c136,c886 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,svirt_t,virt_content_t,blk_file,write
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t virt_content_t:blk_file write;
If this device was a read/writable device it should have been given a different label
Please provide the libvirt XML configuration for this guest and the log file. As root run virsh dumpxml GUESTNAME and save /var/log/libvirt/qemu/$GUESTNAME.log
drive is r/w, but media was r/o

<domain type='kvm'>
  <name>xp</name>
  <uuid>e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5</uuid>
  <memory>524288</memory>
  <currentMemory>524288</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.11'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/xp.img'/>
      <target dev='hda' bus='ide'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu'/>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
    </disk>
    <interface type='network'>
      <mac address='52:54:00:46:53:a5'/>
      <source network='default'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </serial>
    <console type='pty' tty='/dev/pts/4'>
      <source path='/dev/pts/4'/>
      <target port='0'/>
    </console>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <sound model='es1370'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
    </video>
  </devices>
</domain>

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -no-reboot -boot d -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,format=raw -drive file=/dev/sr0,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370
char device redirected to /dev/pts/4
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-kvm -S -M pc-0.11 -m 512 -smp 1 -name xp -uuid e917f9ea-b05f-ad51-4cbd-9b447e5fc3c5 -monitor unix:/var/lib/libvirt/qemu/xp.monitor,server,nowait -localtime -boot c -drive file=/var/lib/libvirt/images/xp.img,if=ide,index=0,boot=on,format=raw -drive file=,if=ide,media=cdrom,index=2 -net nic,macaddr=52:54:00:46:53:a5,vlan=0,name=nic.0 -net tap,fd=18,vlan=0,name=tap.0 -serial pty -parallel none -usb -usbdevice tablet -vnc 127.0.0.1:0 -vga cirrus -soundhw es1370
char device redirected to /dev/pts/4
The root cause of this problem is a limitation of QEMU - we want CDROM devices to be readonly, and libvirt has them marked as such, but QEMU still tries to open them read-write. I opened bug 537163 to get this fixed in QEMU
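As an added example (not part of this bug report or of libvirt/QEMU), a small Python triage helper that parses the raw AVC record from the report and the guest XML from the comment above, and flags a write denial on a <readonly/> device labelled virt_content_t as the expected outcome rather than something to resolve with the suggested audit2allow rule. The inputs are copied from this bug; READONLY_TYPES and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Inputs copied from this bug: the raw AVC record and a trimmed copy of the
# guest XML's <devices> section (only the two disks kept).
AVC_LINE = ('type=AVC msg=audit(1257929998.809:139): avc: denied { write } for '
            'pid=25245 comm="qemu-kvm" name="sr0" dev=tmpfs ino=3940 '
            'scontext=system_u:system_r:svirt_t:s0:c136,c886 '
            'tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file')
DOMAIN_XML = """<domain type='kvm'><name>xp</name><devices>
  <disk type='file' device='disk'><source file='/var/lib/libvirt/images/xp.img'/>
    <target dev='hda' bus='ide'/></disk>
  <disk type='block' device='cdrom'><source dev='/dev/sr0'/>
    <target dev='hdc' bus='ide'/><readonly/></disk>
</devices></domain>"""
# sVirt's read-only media label; read/write disk images get virt_image_t.
READONLY_TYPES = {"virt_content_t"}
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)".*?'
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Fields of one AVC denial record as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["perms"] = fields["perms"].split()
    return fields

def readonly_devices(domain_xml):
    """Basename -> path of every block <source dev=...> marked <readonly/>."""
    devs = {}
    for disk in ET.fromstring(domain_xml).iter("disk"):
        src = disk.find("source")
        if disk.find("readonly") is not None and src is not None and src.get("dev"):
            devs[src.get("dev").rsplit("/", 1)[-1]] = src.get("dev")
    return devs

def triage(avc_line, domain_xml):
    """'expected-readonly' means config and label both say read-only, so the
    denial is correct and an audit2allow rule would be the wrong fix."""
    avc = parse_avc(avc_line)
    if avc is None:
        return "not-an-avc"
    ro = readonly_devices(domain_xml)
    if ("write" in avc["perms"] and avc["tclass"] == "blk_file"
            and avc["name"] in ro and avc["ttype"] in READONLY_TYPES):
        return "expected-readonly"
    return "investigate"
```

For a real host, feed it the AVC lines from ausearch and the output of virsh dumpxml for the guest named in the denial.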
There doesn't seem to be much special about this scenario. Any idea why we aren't seeing more of these AVCs?
I got the same message. I thought I was trying to write to my regular hard disk - not the CDROM. Somehow, on the 2nd try, the write to the hard disk succeeded - and I now have a running virtual machine with a disk footprint at:

[root@hoho6 images]# pwd
/var/lib/libvirt/images
[root@hoho6 images]# ls -l
total 1228804
-rw-------. 1 qemu qemu 20971520000 2009-11-20 23:03 t280rc-min-486.img
[root@hoho6 images]#

I did not change the security setting. SELinux Administration says:
Enforcing
Enforcing
targeted

curious
*** Bug 540174 has been marked as a duplicate of this bug. ***
This is actively in progress upstream http://lists.gnu.org/archive/html/qemu-devel/2010-01/msg01124.html
*** Bug 557767 has been marked as a duplicate of this bug. ***
*** Bug 558047 has been marked as a duplicate of this bug. ***
*** Bug 558219 has been marked as a duplicate of this bug. ***
*** Bug 558300 has been marked as a duplicate of this bug. ***
*** Bug 560849 has been marked as a duplicate of this bug. ***
*** Bug 561764 has been marked as a duplicate of this bug. ***
*** Bug 561376 has been marked as a duplicate of this bug. ***
*** Bug 569266 has been marked as a duplicate of this bug. ***
Tentative patch to fix this posted upstream, https://www.redhat.com/archives/libvir-list/2010-March/msg00503.html Daniel
Since this required features that currently aren't even in a released qemu, it's unlikely this issue will be fixed in F12 or F13. Moving to rawhide.
We need a work around for this in RHEL6?
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
AFAICT this is fixed in F14. Closing