Description of problem:

Version-Release number of selected component (if applicable):
[root@farina ~]# rpm -qa | grep selinux
selinux-policy-3.7.19-28.fc13.noarch
libselinux-utils-2.0.90-5.fc13.x86_64
selinux-policy-targeted-3.7.19-28.fc13.noarch
libselinux-python-2.0.90-5.fc13.x86_64
libselinux-2.0.90-5.fc13.i686
libselinux-2.0.90-5.fc13.x86_64
[root@farina ~]# uname -r
2.6.33.5-124.fc13.x86_64

How reproducible:
only ran into it once, haven't tried to reproduce

Steps to Reproduce:
1. create a guest backed by an LVM LV
2. snapshot the guest
3. edit the /etc/libvirt/qemu/<guest.xml> to use the new snapshot LV
4. virsh create /etc/libvirt/qemu/<guest.xml>; after some time the guest will lock up and you will see SELinux denials

Expected results:
no denials

Additional info:
[root@farina ~]# lvs
  LV             VG        Attr   LSize   Origin    Snap%  Move Log Copy%  Convert
  LogVol03       vg_farina -wi-ao 156.25g
  dirsrv8        vg_farina -wi-a-  10.00g
  guest1         vg_farina -wi-a-  10.00g
  lv_root        vg_farina -wi-ao  24.41g
  lv_swap        vg_farina -wi-ao   2.00g
  lv_var         vg_farina -wi-ao  19.53g
  rhel52-1       vg_farina -wi-a-  10.00g
  rhel52-2       vg_farina -wi-a-  10.00g
  server102      vg_farina owi-a-  20.00g
  server102-snap vg_farina swi-ao   2.00g server102   0.00
  station2       vg_farina owi-a-  20.00g
  station2-snap  vg_farina swi-ao   2.00g station2    1.19
[root@farina ~]# dmsetup info -c
Name                                        Maj Min Stat Open Targ Event  UUID
vg_farina-server102--snap                   253  14 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo
vg_farina-lv_swap                           253   3 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfZAKmTBEfGDHyXjdjcd0ofntIjxcOyamc
vg_farina-lv_root                           253   2 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfEJznfX9Eb9AJNHGqzqo8FI93r372ngH1
vg_farina-LogVol03                          253   0 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfN3b9XVakjSTOXI4B7qApQPCN9l9uwWOm
luks-032780d5-3a73-4c3c-a427-b3e124473c0c   253   9 L--w    1    1      0 CRYPT-LUKS1-032780d53a734c3ca427b3e124473c0c-luks-032780d5-3a73-4c3c-a427-b3e124473c0c
vg_farina-rhel52--2                         253   5 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfDQtsEB8uteq0DeYIeGbwWiliBbCq6ljB
vg_farina-server102--snap-cow               253  16 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf5DbK4z5QhMxDD4iwANL1epyBryfGuHjo-cow
vg_farina-rhel52--1                         253   4 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf6MhBzju77dkGpPo3E2wksD6OUKlFdLAu
vg_farina-lv_var                            253   1 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfqp9We2nshssyUVLXFV3HHAfpvTOllrXb
vg_farina-station2--snap-cow                253  12 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1-cow
vg_farina-station2-real                     253  11 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF-real
vg_farina-guest1                            253   6 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfzPv3NB1zamYrMsKFlswux8hvuh1Ye7Yk
vg_farina-dirsrv8                           253   7 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgf1ua6C7xpWoJzx2USxsPpfGprFW4PsYiS
vg_farina-station2--snap                    253  10 L--w    1    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfJPzMCjuibVrNgBPinjlUS1DzZ2BnpwN1
vg_farina-server102-real                    253  15 L--w    2    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0-real
vg_farina-station2                          253   8 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfTniFej7ytx2584G7iRlsVswM12lf5OiF
vg_farina-server102                         253  13 L--w    0    1      0 LVM-6KjrwvdIwkhkEdaLQVRcKQshckfjhfgfGkzFIxyua2sy5sxQbyVfdN0MKPq4hUQ0
[root@farina ~]# ls -lZ /dev/vg_farina/station2
lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/vg_farina/station2 -> ../dm-8
[root@farina ~]# ls -lZ /dev/vg_farina/station2-snap
lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/vg_farina/station2-snap -> ../dm-10
[root@farina ~]# ls -lZ /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
[root@farina ~]# ls -lZ /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
I meant to put this as the description:

Summary:

SELinux is preventing qemu-kvm "write" access on /dev/dm-10.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c469,c844
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                /dev/dm-10 [ blk_file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          farina.dj.edm
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     farina.dj.edm
Platform                      Linux farina.dj.edm 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   1277
First Seen                    Wed 07 Jul 2010 11:18:06 AM EDT
Last Seen                     Wed 07 Jul 2010 11:18:55 AM EDT
Local ID                      3f883c07-c279-4dc9-acd9-2e83f7475673
Line Numbers

Raw Audit Messages

node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc: denied { write } for pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Check the label of /dev/dm-10 after you start the guest; it should be labeled something like svirt_image_t:s0:c469,c844. If it is, then this might be udev or someone running restorecon on /dev. If not, then this is a libvirt bug.
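The check suggested in the comment above, as an added example that is not part of this bug report nor of libvirt's or udev's own code: a small Python triage script that parses raw AVC audit records (the one from this report plus constructed lines) and classifies a denial from an svirt_t guest by whether the target device still carries the svirt_image_t type with the same MCS categories as the qemu process. The "label-lost" verdict is the situation described here: the device node has reverted to a generic type such as fixed_disk_device_t, which points at udev or a restorecon having relabelled /dev rather than at a policy gap. The function names and the constructed sample lines are assumptions for illustration.

```python
import re

# Constructed sample audit lines. The first is the AVC record from this bug
# report; the other three are made up to exercise the remaining verdicts.
SAMPLE_AUDIT_LINES = [
    'node=farina.dj.edm type=AVC msg=audit(1278515935.255:39984): avc: denied { write } for pid=9210 comm="qemu-kvm" path="/dev/dm-10" dev=devtmpfs ino=86943 scontext=system_u:system_r:svirt_t:s0:c469,c844 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    # constructed: disk is labelled for a different guest (other MCS categories)
    'type=AVC msg=audit(1278515999.000:40001): avc: denied { write } for pid=9211 comm="qemu-kvm" path="/dev/dm-11" dev=devtmpfs ino=86944 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:svirt_image_t:s0:c56,c78 tclass=blk_file',
    # constructed: labels match, so the denied permission itself is the issue
    'type=AVC msg=audit(1278516000.000:40002): avc: denied { ioctl } for pid=9212 comm="qemu-kvm" path="/dev/dm-12" dev=devtmpfs ino=86945 scontext=system_u:system_r:svirt_t:s0:c90,c91 tcontext=system_u:object_r:svirt_image_t:s0:c90,c91 tclass=blk_file',
    # constructed: not an AVC record at all, must be skipped
    'type=SYSCALL msg=audit(1278516000.000:40002): arch=c000003e syscall=16 success=no exit=-13',
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denied permissions and key=value fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (e.g. s0:c469,c844)."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def categories(level):
    """Return the set of MCS categories in a level string such as 's0:c469,c844' (empty for plain 's0')."""
    if ":" not in level:
        return set()
    return set(level.split(":", 1)[1].split(","))


def expected_image_context(scontext):
    """Label a guest's disk should carry while that guest runs under sVirt: svirt_image_t with the qemu process's MCS level."""
    _, _, _, level = split_context(scontext)
    return f"system_u:object_r:svirt_image_t:{level}"


def classify_svirt_denial(rec):
    """Classify a parsed AVC record by comparing the source and target contexts.

    'not-svirt'         source domain is not svirt_t, out of scope here
    'label-lost'        target type is not svirt_image_t (the symptom in this report)
    'category-mismatch' svirt_image_t, but MCS categories differ (another guest's disk)
    'policy-gap'        labels are consistent; the denied permission itself is missing
    """
    _, _, s_type, s_level = split_context(rec["scontext"])
    _, _, t_type, t_level = split_context(rec["tcontext"])
    if s_type != "svirt_t":
        return "not-svirt"
    if t_type != "svirt_image_t":
        return "label-lost"
    if categories(s_level) != categories(t_level):
        return "category-mismatch"
    return "policy-gap"


def triage(lines):
    """Parse every AVC denial in the input and return (path, verdict, expected label) per record."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        results.append((rec.get("path", "?"), classify_svirt_denial(rec),
                        expected_image_context(rec["scontext"])))
    return results


if __name__ == "__main__":
    for path, verdict, expected in triage(SAMPLE_AUDIT_LINES):
        print(f"{path}: {verdict} (expected label while guest runs: {expected})")
```

On a live host the same classification can be made by hand: compare `ls -Z` on the device node against the qemu process's context from `ps -eZ`, exactly as the comment suggests. A "label-lost" result means looking at what relabelled /dev (udev rules, a restorecon run) before touching policy; a "policy-gap" result is what a local policy module or a bug against selinux-policy is for.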
There was a bug recently in udev blowing away the security context on devices, but I'm not sure if it's fixed in F13 or not offhand.
Would need this: http://git.kernel.org/?p=linux/hotplug/udev.git;a=blob;f=udev/udev-node.c;h=4314cceb79893d8f966ff8aa056ea8e7d265e766;hb=HEAD#l58
http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=578cc8a8085a47c963b5940459e475ac5f07219c
see also bug 571714
Yes, that's the bug/patch I was thinking of.
udev-153-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-1.fc13
udev-153-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-2.fc13
udev-153-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update udev'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/udev-153-2.fc13
udev-153-3.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/udev-153-3.fc13
udev-153-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.