Bug 546801 - SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled files (/home/juan/Downloads).
Summary: SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:78751e3eb6b...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-12-12 00:22 UTC by Otto Rey
Modified: 2009-12-22 20:42 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-12-22 20:42:27 UTC
Type: ---

Attachments (Terms of Use)

Description Otto Rey 2009-12-12 00:22:15 UTC

SELinux is preventing the /usr/bin/qemu-kvm from using potentially mislabeled
files (/home/juan/Downloads).

Descripción Detallada:

[SELinux esta en modo permisivo. Este acceso no fue denegado.]

SELinux has denied qemu-kvm access to potentially mislabeled file(s)
(/home/juan/Downloads). This means that SELinux will not allow qemu-kvm to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Permitiendo Acceso:

If you want qemu-kvm to access this files, you need to relabel them using
restorecon -v '/home/juan/Downloads'. You might want to relabel the entire
directory using restorecon -R -v '<Unknown>'.

Información Adicional:

Contexto Fuente               system_u:system_r:svirt_t:s0:c435,c879
Contexto Destino              unconfined_u:object_r:user_home_t:s0
Objetos Destino               /home/juan/Downloads [ lnk_file ]
Fuente                        qemu-kvm
Dirección de Fuente          /usr/bin/qemu-kvm
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          qemu-system-x86-0.11.0-11.fc12
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.6.32-41.fc12
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Permissive
Nombre de Plugin              home_tmp_bad_labels
Nombre de Equipo              (removed)
Plataforma                    Linux (removed)
                     #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Cantidad de Alertas           1
Visto por Primera Vez         mié 18 nov 2009 00:50:02 ART
Visto por Última Vez         mié 18 nov 2009 00:50:02 ART
ID Local                      4ac6adc8-b984-4a48-886c-878c368b1cd5
Números de Línea            

Mensajes de Auditoría Crudos 

node=(removed) type=AVC msg=audit(1258516202.465:22104): avc:  denied  { read } for  pid=2741 comm="qemu-kvm" name="Downloads" dev=sda3 ino=68780 scontext=system_u:system_r:svirt_t:s0:c435,c879 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

node=(removed) type=SYSCALL msg=audit(1258516202.465:22104): arch=c000003e syscall=4 success=yes exit=0 a0=7fffee30b230 a1=7fffee308880 a2=7fffee308880 a3=7fffee308610 items=0 ppid=1 pid=2741 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c435,c879 key=(null)

Hash String generated from  selinux-policy-3.6.32-41.fc12,home_tmp_bad_labels,qemu-kvm,svirt_t,user_home_t,lnk_file,read
audit2allow suggests:

#============= svirt_t ==============
allow svirt_t user_home_t:lnk_file read;

Comment 1 Daniel Walsh 2009-12-12 12:32:20 UTC

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-59.fc12.noarch

Comment 2 Fedora Update System 2009-12-16 13:54:52 UTC
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12.

Comment 3 Fedora Update System 2009-12-18 04:43:03 UTC
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384

Note You need to log in before you can comment on or make changes to this bug.