Bug 540822 - SELinux is preventing /usr/bin/qemu-kvm "transition" access on /usr/bin/qemu-kvm.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:0fff10f110a...
Depends On:
Blocks:
 
Reported: 2009-11-24 09:33 UTC by Matthew Booth
Modified: 2010-08-20 01:46 UTC (History)

Fixed In Version: selinux-policy-3.6.32-120.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-07 22:46:42 UTC
Type: ---
Embargoed:



Description Matthew Booth 2009-11-24 09:33:18 UTC
Summary:

SELinux is preventing /usr/bin/qemu-kvm "transition" access on
/usr/bin/qemu-kvm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:system_r:svirt_t:s0:c311,c786
Target Objects                /usr/bin/qemu-kvm [ process ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           qemu-system-x86-0.11.0-11.fc12
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 23 Nov 2009 11:03:13 GMT
Last Seen                     Mon 23 Nov 2009 11:03:13 GMT
Local ID                      e36f6d9f-7b02-4126-a0dc-19c2d0f20909
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258974193.391:322): avc:  denied  { transition } for  pid=11254 comm="lt-libvirtd" path="/usr/bin/qemu-kvm" dev=dm-5 ino=153477 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c311,c786 tclass=process

node=(removed) type=SYSCALL msg=audit(1258974193.391:322): arch=c000003e syscall=59 success=yes exit=0 a0=7f8714000f80 a1=7f8714002480 a2=7f8714000a90 a3=7f87275fce30 items=0 ppid=1 pid=11254 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c786 key=(null)

Hash String generated from selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,unconfined_t,svirt_t,process,transition
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t svirt_t:process transition;

Comment 1 Daniel Walsh 2009-11-24 15:54:42 UTC
This is caused by you running libvirt as unconfined_t rather than as a service.

If you run libvirtd directly it will not transition, if you run service libvirtd restart it will run under the proper context.

Comment 2 Matthew Booth 2009-11-24 17:14:55 UTC
Actually I think the difference is that I'm using the usermode connection (qemu:///session) which runs as a regular user. So, I start a domain with:

virsh -c qemu:///session start win7

I re-opened the bug. I would prefer to set it to NEW again, however, that doesn't appear to be an option.

Comment 3 Daniel Walsh 2009-11-24 19:58:28 UTC
This uses the libvirtd code without using the daemon, correct?

I guess I can add a transition from unconfined_t to svirt_t.

Fixed in selinux-policy-3.6.32-50.fc12.noarch

Comment 4 Daniel Berrangé 2009-11-25 10:47:00 UTC
Yes, when using qemu:///session, the libvirtd daemon instance is running as the user's own account, spawned automatically in the context of the user's login session, and so would be unconfined instead of virtd_t.

Comment 5 Daniel Walsh 2009-11-25 11:16:47 UTC
Matthew, -50 was built in koji; can you try this out?

Comment 6 Matthew Booth 2009-11-25 11:45:05 UTC
Just tested it. The original error does go away, however I get 3 more. I'll put them in individual comments below.

Comment 7 Matthew Booth 2009-11-25 11:45:20 UTC
Summary:

SELinux is preventing /usr/bin/qemu-kvm access to a leaked
/home/mbooth/.libvirt/qemu/log/win7.log file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the qemu-kvm command. It looks like this is
either a leaked descriptor or qemu-kvm output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /home/mbooth/.libvirt/qemu/log/win7.log. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mbooth/.libvirt/qemu/log/win7.log [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 25 Nov 2009 11:41:24 GMT
Last Seen                     Wed 25 Nov 2009 11:41:24 GMT
Local ID                      930c7a05-8758-4b30-b6cd-393b81a18035
Line Numbers                  

Raw Audit Messages            

node=t500.mbooth type=AVC msg=audit(1259149284.827:58): avc:  denied  { write } for  pid=16606 comm="qemu-kvm" path="/home/mbooth/.libvirt/qemu/log/win7.log" dev=dm-1 ino=1305604 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=t500.mbooth type=SYSCALL msg=audit(1259149284.827:58): arch=c000003e syscall=59 success=yes exit=0 a0=7f5cd40bb580 a1=7f5cd400d610 a2=7f5cd41fe190 a3=7f5cded22e20 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)

Comment 8 Matthew Booth 2009-11-25 11:45:55 UTC
Summary:

SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled
files (/home/mbooth/.libvirt/qemu/lib).

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied qemu-kvm access to potentially mislabeled file(s)
(/home/mbooth/.libvirt/qemu/lib). This means that SELinux will not allow
qemu-kvm to use these files. It is common for users to edit files in their home
directory or tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which confined
applications are not allowed to access.

Allowing Access:

If you want qemu-kvm to access these files, you need to relabel them using
restorecon -v '/home/mbooth/.libvirt/qemu/lib'. You might want to relabel the
entire directory using restorecon -R -v '/home/mbooth/.libvirt/qemu/lib'.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mbooth/.libvirt/qemu/lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 25 Nov 2009 11:41:24 GMT
Last Seen                     Wed 25 Nov 2009 11:41:24 GMT
Local ID                      6adf6173-7723-49ce-84c2-d81edea1e255
Line Numbers                  

Raw Audit Messages            

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc:  denied  { write } for  pid=16606 comm="qemu-kvm" name="lib" dev=dm-1 ino=299260 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc:  denied  { add_name } for  pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc:  denied  { create } for  pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:user_home_t:s0:c157,c679 tclass=sock_file

node=t500.mbooth type=SYSCALL msg=audit(1259149284.842:59): arch=c000003e syscall=49 success=yes exit=0 a0=a a1=7fffff174270 a2=6e a3=7fffff173fe0 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)

Comment 9 Matthew Booth 2009-11-25 11:46:36 UTC
Summary:

SELinux is preventing /usr/bin/qemu-kvm "name_connect" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                system_u:object_r:http_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          80
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   0
First Seen                    Wed 25 Nov 2009 11:42:34 GMT
Last Seen                     Wed 25 Nov 2009 11:42:34 GMT
Local ID                      1b29fa2a-a5b2-41f4-9ffa-f9362338c3b4
Line Numbers                  

Raw Audit Messages            

node=t500.mbooth type=AVC msg=audit(1259149354.728:62): avc:  denied  { name_connect } for  pid=16606 comm="qemu-kvm" dest=80 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

node=t500.mbooth type=SYSCALL msg=audit(1259149354.728:62): arch=c000003e syscall=42 success=no exit=-115 a0=15 a1=7fffff168f50 a2=10 a3=7fffff168cd0 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)
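As an added illustration (not part of this bug, of setroubleshoot or of selinux-policy), the small Python parser below walks the AVC records quoted in comments 1 and 7 to 9, classifies each denial the way the discussion here did, renders the rule audit2allow would print for it, and checks whether the target object carries the VM's MCS categories (only the win7.monitor socket does, because sVirt labelled it at creation). The sample input is constructed from the page's own audit lines; the classification labels are assumptions of this example.

```python
import re

# Constructed sample input: the five AVC records quoted in comments 1, 7, 8 and 9 of this bug.
SAMPLE_AVCS = """\
node=(removed) type=AVC msg=audit(1258974193.391:322): avc:  denied  { transition } for  pid=11254 comm="lt-libvirtd" path="/usr/bin/qemu-kvm" dev=dm-5 ino=153477 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c311,c786 tclass=process
node=t500.mbooth type=AVC msg=audit(1259149284.827:58): avc:  denied  { write } for  pid=16606 comm="qemu-kvm" path="/home/mbooth/.libvirt/qemu/log/win7.log" dev=dm-1 ino=1305604 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc:  denied  { add_name } for  pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc:  denied  { create } for  pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:user_home_t:s0:c157,c679 tclass=sock_file
node=t500.mbooth type=AVC msg=audit(1259149354.728:62): avc:  denied  { name_connect } for  pid=16606 comm="qemu-kvm" dest=80 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+(denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Perms plus the key=value fields of one AVC record; None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = FIELD_RE.findall(m.group('fields'))
    return {'perms': frozenset(m.group('perms').split()), **{k: v.strip('"') for k, v in fields}}

def context_type(ctx):
    return ctx.split(':')[2]  # contexts are user:role:type[:level]

def mcs_categories(ctx):
    """MCS categories as ints, taken from the high end of a level range; c0.c1023 is expanded."""
    parts = ctx.split(':', 3)
    high = parts[3].split('-')[-1] if len(parts) == 4 else ''   # e.g. 's0:c157,c679' or 's0'
    cats = set()
    for piece in (high.split(':', 1)[1].split(',') if ':' in high else ()):
        lo, hi = ([int(p[1:]) for p in piece.split('.')] if '.' in piece else [int(piece[1:])] * 2)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def diagnose(avc):
    ttype, tclass, perms = context_type(avc['tcontext']), avc['tclass'], avc['perms']
    if tclass == 'process' and 'transition' in perms:
        return 'domain-transition'       # policy has no transition rule for this pair (comment 3)
    if ttype == 'user_home_t':
        return 'mislabeled-home-object'  # relabel, or allow inherited fds (comments 10 and 14)
    if tclass == 'tcp_socket' and 'name_connect' in perms:
        return 'outbound-connect'        # the VM process itself connecting out (comment 14)
    return 'unclassified'

def allow_rule(avc):
    perms = sorted(avc['perms'])  # audit2allow brackets the perms only when several are listed
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {context_type(avc['scontext'])} {context_type(avc['tcontext'])}:{avc['tclass']} {p};"

def summarize(text):
    # One row per AVC line; mcs_match shows whether the object carries the VM's own categories.
    return [{'comm': a.get('comm'), 'tclass': a['tclass'], 'kind': diagnose(a), 'rule': allow_rule(a),
             'mcs_match': mcs_categories(a['scontext']) == mcs_categories(a['tcontext'])}
            for a in map(parse_avc, text.splitlines()) if a]
```

Run it over `/var/log/audit/audit.log` instead of the sample to get the same per-denial summary on a live host; the mcs_match column is what separates objects sVirt labelled for this VM from plain user_home_t files left behind by libvirtd.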

Comment 10 Daniel Walsh 2009-11-25 12:03:23 UTC
chcon -R -t svirt_var_run_t /home/mbooth/.libvirt/qemu

Will fix the first two.

I am fairly surprised that we have not seen the third.

Fixed in selinux-policy-3.6.32-51.fc12.noarch

Comment 11 Daniel Walsh 2009-11-25 12:05:23 UTC
Shouldn't the log file be opened append rather than write?

Comment 12 Daniel Berrangé 2009-11-25 12:15:31 UTC
Can SELinux tell the difference once the FD has been passed from libvirtd down to QEMU? libvirtd is responsible for opening the log file (either truncate or append mode), and then passes the open FD to QEMU as its stderr/out. I didn't think SELinux would see a distinction from QEMU's context? If it can, then we can switch to always opening it for append and doing an explicit truncate() call in libvirtd.

Comment 13 Matthew Booth 2009-11-25 13:26:39 UTC
(In reply to comment #10)
> chcon -R -t svirt_var_run_t /home/mbooth/.libvirt/qemu
> 
> Will fix the first two.
> 
> I am fairly surprised that we have not seen the third.
> 
> Fixed in selinux-policy-3.6.32-51.fc12.noarch

I don't see -51 in koji yet. I'll have a look later.

I can confirm the chcon makes the first 2 issues go away. What's the best way to automate this? How reliable is it for the policy to define labels for files in home directories?

Comment 14 Daniel Walsh 2009-11-25 14:11:49 UTC
Daniel, I can change this to allow it to write to inherited files from libvirtd in user_home_t and not have to set the labels. But this means if libvirt leaks any other open files in the home dir it could truncate those.

I will build 51 at the end of the day.

I think there is a difference in how the virtual machine's networking is set up that is causing the machine to need name_connect, since we have never allowed this before. I think most virtual machines run in libvirt must be using their own network devices rather than the process doing the name_connect itself.

Comment 15 Fedora Update System 2009-12-01 16:51:36 UTC
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12

Comment 16 Fedora Update System 2009-12-03 04:58:39 UTC
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549

Comment 17 Fedora Update System 2009-12-03 20:29:45 UTC
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12

Comment 18 Fedora Update System 2009-12-04 23:48:06 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650

Comment 19 Fedora Update System 2009-12-08 07:54:45 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-08-05 13:20:27 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 21 Fedora Update System 2010-08-20 01:40:42 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
