Bug 612229 - SELinux prevents qemu-kvm from writing to LVM snapshot
Summary: SELinux prevents qemu-kvm from writing to LVM snapshot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: udev
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-07-07 15:51 UTC by John Brier
Modified: 2013-08-14 23:05 UTC
CC: 11 users

Fixed In Version: udev-153-3.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-20 01:27:40 UTC
Type: ---
Embargoed:



Description John Brier 2010-07-07 15:51:18 UTC
Description of problem:


Version-Release number of selected component (if applicable):
[root@farina ~]# rpm -qa | grep  selinux
selinux-policy-3.7.19-28.fc13.noarch
libselinux-utils-2.0.90-5.fc13.x86_64
selinux-policy-targeted-3.7.19-28.fc13.noarch
libselinux-python-2.0.90-5.fc13.x86_64
libselinux-2.0.90-5.fc13.i686
libselinux-2.0.90-5.fc13.x86_64
[root@farina ~]# uname -r
2.6.33.5-124.fc13.x86_64



How reproducible:

only ran into it once, haven't tried to reproduce


Steps to Reproduce:
1. create a guest backed by an LVM LV
2. snapshot the guest
3. edit the /etc/libvirt/qemu/<guest.xml> to use the new snapshot LV
4. virsh create /etc/libvirt/qemu/<guest.xml>; after some time the guest locks up and you see SELinux denials


Expected results:
no denials



Additional info:

[root@farina ~]# lvs
  LV             VG        Attr   LSize   Origin    Snap%  Move Log Copy%  Convert
  LogVol03       vg_farina -wi-ao 156.25g                                         
  dirsrv8        vg_farina -wi-a-  10.00g                                         
  guest1         vg_farina -wi-a-  10.00g                                         
  lv_root        vg_farina -wi-ao  24.41g                                         
  lv_swap        vg_farina -wi-ao   2.00g                                         
  lv_var         vg_farina -wi-ao  19.53g                                         
  rhel52-1       vg_farina -wi-a-  10.00g                                         
  rhel52-2       vg_farina -wi-a-  10.00g                                         
  server102      vg_farina owi-a-  20.00g                                         
  server102-snap vg_farina swi-ao   2.00g server102   0.00                        
  station2       vg_farina owi-a-  20.00g                                         
  station2-snap  vg_farina swi-ao   2.00g station2    1.19  
[root@farina ~]# dmsetup info -c
Name                                      Maj Min Stat Open Targ Event  UUID                                                                                  
vg_farina-server102--snap                 253  14 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo                  
vg_farina-lv_swap                         253   3 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfZAKmTBEfGDHyXjdjcd0ofntIjxcOyamc                  
vg_farina-lv_root                         253   2 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfEJznfX9Eb9AJNHGqzqo8FI93r372ngH1                  
vg_farina-LogVol03                        253   0 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfN3b9XVakjSTOXI4B7qApQPCN9l9uwWOm                  
luks-032780d5-3a73-4c3c-a427-b3e124473c0c 253   9 L--w    1    1      0 CRYPT-LUKS1-032780d53a734c3ca427b3e124473c0c-luks-032780d5-3a73-4c3c-a427-b3e124473c0c
vg_farina-rhel52--2                       253   5 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfDQtsEB8uteq0DeYIeGbwWiliBbCq6ljB                  
vg_farina-server102--snap-cow             253  16 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo-cow              
vg_farina-rhel52--1                       253   4 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf6MhBzju77dkGpPo3E2wksD6OUKlFdLAu                  
vg_farina-lv_var                          253   1 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfqp9We2nshssyUVLXFV3HHAfpvTOllrXb                  
vg_farina-station2--snap-cow              253  12 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1-cow              
vg_farina-station2-real                   253  11 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF-real             
vg_farina-guest1                          253   6 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfzPv3NB1zamYrMsKFlswux8hvuh1Ye7Yk                  
vg_farina-dirsrv8                         253   7 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf1ua6C7xpWoJzx2USxsPpfGprFW4PsYiS                  
vg_farina-station2--snap                  253  10 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1                  
vg_farina-server102-real                  253  15 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0-real             
vg_farina-station2                        253   8 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF                  
vg_farina-server102                       253  13 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0                  
[root@farina ~]# ls -lZ /dev/vg_farina/station2
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/vg_farina/station2 -> ../dm-8
[root@farina ~]# ls -lZ /dev/vg_farina/station2-snap 
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/vg_farina/station2-snap -> ../dm-10
[root@farina ~]# ls -lZ /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
[root@farina ~]# ls -lZ /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8

Comment 1 John Brier 2010-07-07 15:52:28 UTC
I meant to put this as the description:

Summary:

SELinux is preventing qemu-kvm "write" access on /dev/dm-10.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c469,c844
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                /dev/dm-10 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          farina.dj.edm
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     farina.dj.edm
Platform                      Linux farina.dj.edm 2.6.33.5-124.fc13.x86_64 #1
                              SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   1277
First Seen                    Wed 07 Jul 2010 11:18:06 AM EDT
Last Seen                     Wed 07 Jul 2010 11:18:55 AM EDT
Local ID                      3f883c07-c279-4dc9-acd9-2e83f7475673
Line Numbers                  

Raw Audit Messages            

node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc:  denied  { write } for  pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Comment 2 Daniel Walsh 2010-07-12 20:11:51 UTC
Check the label of /dev/dm-10 after you start the guest, it should be labeled something like svirt_image_t:s0:c469,c844

If it is then this might be udev or someone running restorecon on the /dev.

If not then this is a libvirt bug.

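The check described in comment 2 can be scripted. The helper below is an added example (not part of this bug report, libvirt or udev): it pulls the qemu process context and denied device out of a raw AVC record, derives the label libvirt should have put on the backing device (svirt_image_t with the same MCS categories as the guest's svirt_t process), and classifies the label the device actually carries. Run it once right after the guest starts and again when the denial appears: "ok" at start followed by "not-labelled" at denial time is the udev/restorecon case; "not-labelled" from the start points at libvirt. The AVC line and ls -Z output embedded here are constructed from the values in the report; the two commands in the header comment are what you would feed in on a live host.

```shell
#!/bin/sh
# Added triage helper for the decision tree in comment 2 (example code, not
# from the bug report, libvirt or udev). Verdicts from diagnose():
#   ok            device carries svirt_image_t with the guest's categories
#   other-guest   device carries svirt_image_t with different categories
#   not-labelled  device does not carry svirt_image_t at all
#
# Sample inputs below are constructed from the report. On a live Fedora 13 host:
#   AVC="$(ausearch -m avc -c qemu-kvm --raw | tail -n 1)"
#   LSZ_NOW="$(ls -Z "$(readlink -f /dev/vg_farina/station2-snap)")"

# avc_field NAME LINE: value of NAME=... in a raw audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CTX: the type (third field) of an SELinux context.
ctx_type() {
    t="${1#*:*:}"                 # drop user and role
    printf '%s\n' "${t%%:*}"
}

# ctx_cats CTX: the MCS category set after the sensitivity, empty if none.
ctx_cats() {
    lvl="${1#*:*:*:}"             # "s0" or "s0:c469,c844"
    case "$lvl" in
        *:*) printf '%s\n' "${lvl#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# expected_label PROC_CTX: what libvirt labels a disk for a guest running as PROC_CTX.
expected_label() {
    lvl="${1#*:*:*:}"
    printf 'system_u:object_r:svirt_image_t:%s\n' "$lvl"
}

# label_of_device LSZ_LINE: context column of `ls -Z` (mode user group context path).
label_of_device() {
    line="$1"
    set -- $line
    printf '%s\n' "$4"
}

# diagnose PROC_CTX DEV_CTX: classify the device label relative to the process.
diagnose() {
    proc_cats="$(ctx_cats "$1")"
    if [ "$(ctx_type "$2")" != "svirt_image_t" ]; then
        echo not-labelled
    elif [ "$(ctx_cats "$2")" != "$proc_cats" ]; then
        echo other-guest
    else
        echo ok
    fi
}

# --- constructed sample, mirroring the values in the report ---
AVC='node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc:  denied  { write } for  pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'
LSZ_NOW='brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10'

PROC="$(avc_field scontext "$AVC")"
DEV="$(avc_field path "$AVC")"
echo "denied device:            $DEV"
echo "qemu-kvm context:         $PROC"
echo "libvirt should have set:  $(expected_label "$PROC")"
echo "label at denial (AVC):    $(diagnose "$PROC" "$(avc_field tcontext "$AVC")")"
echo "label now (ls -Z):        $(diagnose "$PROC" "$(label_of_device "$LSZ_NOW")")"
```

For the report's own AVC both checks answer "not-labelled": the target context in the denial is the default fixed_disk_device_t, so the device had no svirt_image_t label at the moment qemu-kvm wrote to it. Whether it ever had one is exactly what the first run, taken right after virsh create, tells you.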
Comment 3 Daniel Berrangé 2010-07-13 12:50:46 UTC
There was a bug recently in udev blowing away the security context on devices, but not sure if it's fixed in F13 or not offhand.

Comment 6 Harald Hoyer 2010-07-13 13:08:30 UTC
see also bug 571714

Comment 7 Daniel Berrangé 2010-07-13 13:19:22 UTC
Yes, that's the bug/patch I was thinking of.

Comment 8 Fedora Update System 2010-08-04 13:08:22 UTC
udev-153-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/udev-153-1.fc13

Comment 9 Fedora Update System 2010-08-05 06:49:35 UTC
udev-153-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/udev-153-2.fc13

Comment 10 Fedora Update System 2010-08-05 23:48:39 UTC
udev-153-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update udev'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/udev-153-2.fc13

Comment 11 Fedora Update System 2010-08-13 08:39:24 UTC
udev-153-3.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/udev-153-3.fc13

Comment 12 Fedora Update System 2010-08-20 01:27:04 UTC
udev-153-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

