Summary:

SELinux is preventing /usr/bin/qemu-kvm "transition" access on /usr/bin/qemu-kvm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:system_r:svirt_t:s0:c311,c786
Target Objects                /usr/bin/qemu-kvm [ process ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages           qemu-system-x86-0.11.0-11.fc12
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 23 Nov 2009 11:03:13 GMT
Last Seen                     Mon 23 Nov 2009 11:03:13 GMT
Local ID                      e36f6d9f-7b02-4126-a0dc-19c2d0f20909
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1258974193.391:322): avc: denied { transition } for pid=11254 comm="lt-libvirtd" path="/usr/bin/qemu-kvm" dev=dm-5 ino=153477 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c311,c786 tclass=process

node=(removed) type=SYSCALL msg=audit(1258974193.391:322): arch=c000003e syscall=59 success=yes exit=0 a0=7f8714000f80 a1=7f8714002480 a2=7f8714000a90 a3=7f87275fce30 items=0 ppid=1 pid=11254 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c786 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,catchall,qemu-kvm,unconfined_t,svirt_t,process,transition

audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t svirt_t:process transition;
This is caused by you running libvirt as unconfined_t rather than as a service. If you run libvirtd directly it will not transition; if you run service libvirtd restart it will run under the proper context.
Actually I think the difference is that I'm using the usermode connection (qemu:///session) which runs as a regular user. So, I start a domain with:

virsh -c qemu:///session start win7

I re-opened the bug. I would prefer to set it to NEW again, however, that doesn't appear to be an option.
This uses the libvirtd code without using the daemon, correct? I guess I can add a transition from unconfined_t to svirt_t.

Fixed in selinux-policy-3.6.32-50.fc12.noarch
Yes, when using qemu:///session, the libvirtd daemon instance is running as the user's own account, spawned automatically in the context of the user's login session, and so would be unconfined instead of virtd_t.
Matthew, -50 was built in koji, can you try this out?
Just tested it. The original error does go away, however I get 3 more. I'll put them in individual comments below.
Summary:

SELinux is preventing /usr/bin/qemu-kvm access to a leaked /home/mbooth/.libvirt/qemu/log/win7.log file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the qemu-kvm command. It looks like this is either a leaked descriptor or qemu-kvm output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /home/mbooth/.libvirt/qemu/log/win7.log. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mbooth/.libvirt/qemu/log/win7.log [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 25 Nov 2009 11:41:24 GMT
Last Seen                     Wed 25 Nov 2009 11:41:24 GMT
Local ID                      930c7a05-8758-4b30-b6cd-393b81a18035
Line Numbers

Raw Audit Messages

node=t500.mbooth type=AVC msg=audit(1259149284.827:58): avc: denied { write } for pid=16606 comm="qemu-kvm" path="/home/mbooth/.libvirt/qemu/log/win7.log" dev=dm-1 ino=1305604 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=t500.mbooth type=SYSCALL msg=audit(1259149284.827:58): arch=c000003e syscall=59 success=yes exit=0 a0=7f5cd40bb580 a1=7f5cd400d610 a2=7f5cd41fe190 a3=7f5cded22e20 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)
Summary:

SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled files (/home/mbooth/.libvirt/qemu/lib).

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied qemu-kvm access to potentially mislabeled file(s) (/home/mbooth/.libvirt/qemu/lib). This means that SELinux will not allow qemu-kvm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want qemu-kvm to access this files, you need to relabel them using restorecon -v '/home/mbooth/.libvirt/qemu/lib'. You might want to relabel the entire directory using restorecon -R -v '/home/mbooth/.libvirt/qemu/lib'.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mbooth/.libvirt/qemu/lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 25 Nov 2009 11:41:24 GMT
Last Seen                     Wed 25 Nov 2009 11:41:24 GMT
Local ID                      6adf6173-7723-49ce-84c2-d81edea1e255
Line Numbers

Raw Audit Messages

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { write } for pid=16606 comm="qemu-kvm" name="lib" dev=dm-1 ino=299260 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { add_name } for pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { create } for pid=16606 comm="qemu-kvm" name="win7.monitor" scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:user_home_t:s0:c157,c679 tclass=sock_file

node=t500.mbooth type=SYSCALL msg=audit(1259149284.842:59): arch=c000003e syscall=49 success=yes exit=0 a0=a a1=7fffff174270 a2=6e a3=7fffff173fe0 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)
Summary:

SELinux is preventing /usr/bin/qemu-kvm "name_connect" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c157,c679
Target Context                system_u:object_r:http_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          80
Host                          t500.mbooth
Source RPM Packages           qemu-system-x86-0.11.0-11.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-50.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     t500.mbooth
Platform                      Linux t500.mbooth 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   0
First Seen                    Wed 25 Nov 2009 11:42:34 GMT
Last Seen                     Wed 25 Nov 2009 11:42:34 GMT
Local ID                      1b29fa2a-a5b2-41f4-9ffa-f9362338c3b4
Line Numbers

Raw Audit Messages

node=t500.mbooth type=AVC msg=audit(1259149354.728:62): avc: denied { name_connect } for pid=16606 comm="qemu-kvm" dest=80 scontext=system_u:system_r:svirt_t:s0:c157,c679 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

node=t500.mbooth type=SYSCALL msg=audit(1259149354.728:62): arch=c000003e syscall=42 success=no exit=-115 a0=15 a1=7fffff168f50 a2=10 a3=7fffff168cd0 items=0 ppid=1 pid=16606 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c157,c679 key=(null)
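The four alerts in this report all boil down to their raw AVC records: a source context, a target context, an object class and the denied permission set. The following is an added example, not code from setroubleshoot, audit2allow or the selinux-policy package: a small parser that reads AVC records as pasted above, merges them into audit2allow-style allow rules (the same `allow unconfined_t svirt_t:process transition;` that the first alert prints), and classifies each denial along the lines of the discussion in this bug (missing transition, mislabeled home-directory object, connect to a port type). The records in SAMPLE_RECORDS are copied from the alerts; the one SYSCALL record is shortened and is there only to show that non-AVC records are skipped. The triage categories are a heuristic of this example, not anything SELinux itself reports.

```python
"""Parse raw SELinux AVC records as pasted in setroubleshoot alerts, merge them
into audit2allow-style rules, and classify each denial.

Added example for this bug report; not code from setroubleshoot, audit2allow
or selinux-policy. SAMPLE_RECORDS are copied from the alerts in the report."""
import re
from collections import defaultdict

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
_PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')  # denied { perm perm ... }


def parse_context(ctx):
    """Split user:role:type:level. The level may itself contain ':' (s0-s0:c0.c1023),
    so only the first three colons separate fields."""
    user, role, type_, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def parse_avc(record):
    """Return the fields of one type=AVC record, or None for any other record type."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(record)}
    if fields.get('type') != 'AVC':
        return None
    m = _PERMS_RE.search(record)
    return {
        'perms': set(m.group(1).split()) if m else set(),
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        # File-class denials carry path= (full path) or name= (last component only).
        'path': fields.get('path') or fields.get('name'),
        'dest': fields.get('dest'),
    }


def suggest_rules(records):
    """Merge AVC records into one allow rule per (source type, target type, class),
    collecting the permissions, the way audit2allow presents them."""
    merged = defaultdict(set)
    for rec in records:
        avc = parse_avc(rec)
        if avc is not None:
            key = (avc['scontext']['type'], avc['tcontext']['type'], avc['tclass'])
            merged[key] |= avc['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = '{ %s }' % ' '.join(sorted(perms)) if len(perms) > 1 else next(iter(perms))
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def triage(avc):
    """Classify a denial along the lines discussed in this bug (heuristic, not policy)."""
    stype, ttype, tclass = avc['scontext']['type'], avc['tcontext']['type'], avc['tclass']
    if tclass == 'process' and 'transition' in avc['perms']:
        return 'missing domain transition %s -> %s (caller not in its service domain?)' % (stype, ttype)
    if ttype == 'user_home_t':
        return 'object %s is labeled user_home_t: relabel it or policy must allow %s %s' % (
            avc['path'], stype, tclass)
    if tclass == 'tcp_socket' and 'name_connect' in avc['perms']:
        return '%s connecting to port type %s (dest=%s)' % (stype, ttype, avc['dest'])
    return 'unclassified: %s -> %s:%s %s' % (stype, ttype, tclass, ' '.join(sorted(avc['perms'])))


# Records copied from the alerts in this report (the SYSCALL record is shortened).
SAMPLE_RECORDS = [
    'node=(removed) type=AVC msg=audit(1258974193.391:322): avc: denied { transition } '
    'for pid=11254 comm="lt-libvirtd" path="/usr/bin/qemu-kvm" dev=dm-5 ino=153477 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:svirt_t:s0:c311,c786 tclass=process',
    'node=(removed) type=SYSCALL msg=audit(1258974193.391:322): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=11254 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"',
    'node=t500.mbooth type=AVC msg=audit(1259149284.827:58): avc: denied { write } '
    'for pid=16606 comm="qemu-kvm" path="/home/mbooth/.libvirt/qemu/log/win7.log" '
    'dev=dm-1 ino=1305604 scontext=system_u:system_r:svirt_t:s0:c157,c679 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { write } '
    'for pid=16606 comm="qemu-kvm" name="lib" dev=dm-1 ino=299260 '
    'scontext=system_u:system_r:svirt_t:s0:c157,c679 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    'node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { add_name } '
    'for pid=16606 comm="qemu-kvm" name="win7.monitor" '
    'scontext=system_u:system_r:svirt_t:s0:c157,c679 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    'node=t500.mbooth type=AVC msg=audit(1259149284.842:59): avc: denied { create } '
    'for pid=16606 comm="qemu-kvm" name="win7.monitor" '
    'scontext=system_u:system_r:svirt_t:s0:c157,c679 '
    'tcontext=system_u:object_r:user_home_t:s0:c157,c679 tclass=sock_file',
    'node=t500.mbooth type=AVC msg=audit(1259149354.728:62): avc: denied { name_connect } '
    'for pid=16606 comm="qemu-kvm" dest=80 scontext=system_u:system_r:svirt_t:s0:c157,c679 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
]

if __name__ == '__main__':
    for rec in SAMPLE_RECORDS:
        avc = parse_avc(rec)
        if avc is not None:
            print('pid %s %s: %s' % (avc['pid'], avc['comm'], triage(avc)))
    print('\n'.join(suggest_rules(SAMPLE_RECORDS)))
```

Running it over the pasted records gives one rule per object class; the merged `allow svirt_t user_home_t:dir { add_name write };` is exactly the kind of rule one would not want to load as a local module, since it would let every sVirt guest write anywhere labeled user_home_t, which is why the fix taken in this bug was to relabel the directory rather than to widen the policy.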
chcon -R -t svirt_var_run_t /home/mbooth/.libvirt/qemu

Will fix the first two.

I am fairly surprised that we have not seen the third.

Fixed in selinux-policy-3.6.32-51.fc12.noarch
Shouldn't the log file be opened append rather than write?
Can SELinux tell the difference once the FD has been passed from libvirtd down to QEMU? libvirtd is responsible for opening the log file (either truncate or append mode), and then passes the open FD to QEMU as its stderr/out. I didn't think SELinux would see a distinction from QEMU's context? If it can, then we can switch to always opening it for append and doing an explicit truncate() call in libvirtd.
(In reply to comment #10)
> chcon -R -t svirt_var_run_t /home/mbooth/.libvirt/qemu
>
> Will fix the first two.
>
> I am fairly surprised that we have not seen the third.
>
> Fixed in selinux-policy-3.6.32-51.fc12.noarch

I don't see -51 in koji yet. I'll have a look later.

I can confirm the chcon makes the first 2 issues go away. What's the best way to automate this? How reliable is it for the policy to define labels for files in home directories?
Daniel, I can change this to allow it to write to inherited files from libvirtd, in user_home_t and not have to set the labels. But this means if libvirt leaks any other open files in the home dir it could truncate those.

I will build 51 at the end of the day.

I think there is a difference in how the virtual machine's networking is set up that is causing the machine to need name_connect, since we have never allowed this before. I think most virtual machines run in libvirt must be using their own network devices rather than the process doing the name_connect itself.
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.