
Bug 691622

Summary: AVC denied to create a channel with socket type
Product: Red Hat Enterprise Linux 6
Reporter: zhanghaiyan <yoyzhang>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.1
CC: dwalsh, dyuan, mgrepl, mmalik, veillard
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-03-30 02:18:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description zhanghaiyan 2011-03-29 03:08:09 UTC
Description of problem:
In enforcing SELinux status, failed to create a channel with socket-virtconsole type

Version-Release number of selected component (if applicable):
- selinux-policy-3.7.19-80.el6.noarch
- 2.6.32-125.el6.x86_64
- qemu-kvm-0.12.1.2-2.152.el6.x86_64
- libvirt-0.8.7-14.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Define a guest containing the following xml info in config file
    <controller type='virtio-serial' index='0'/>
    <console type='unix'>
      <source mode='bind' path='/tmp/serial.sock'/>
      <target type='virtio' port='0'/>
    </console>
2. # getenforce 
Enforcing
3. # virsh start rhel6-qcow2
error: Failed to start domain rhel6-qcow2
error: internal error process exited while connecting to monitor: bind(unix:/tmp/serial.sock): Address already in use
chardev: opening backend "socket" failed
  
Actual results:
3. Failed to start the guest in enforcing SELinux
If # setenforce 0, then the guest could be started

Expected results:
3. Succeed to start the guest in enforcing SELinux

Additional info:
# tail -f /var/log/messages
Mar 28 22:56:55 dhcp-65-132 kernel: device vnet1 entered promiscuous mode
Mar 28 22:56:55 dhcp-65-132 kernel: virbr0: topology change detected, propagating
Mar 28 22:56:55 dhcp-65-132 kernel: virbr0: port 3(vnet1) entering forwarding state
Mar 28 22:56:55 dhcp-65-132 libvirtd: 22:56:55.338: 7076: warning : qemudStartVMDaemon:3282 : Executing /usr/libexec/qemu-kvm
Mar 28 22:56:55 dhcp-65-132 libvirtd: 22:56:55.343: 7076: warning : qemudStartVMDaemon:3292 : Executing done /usr/libexec/qemu-kvm
Mar 28 22:56:55 dhcp-65-132 NetworkManager[1452]: <warn> /sys/devices/virtual/net/vnet1: couldn't determine device driver; ignoring...
Mar 28 22:56:55 dhcp-65-132 kernel: type=1400 audit(1301367415.390:23): avc:  denied  { unlink } for  pid=7313 comm="qemu-kvm" name="serial.sock" dev=sda1 ino=2768962 scontext=system_u:system_r:svirt_t:s0:c168,c532 tcontext=system_u:object_r:tmp_t:s0:c184,c486 tclass=sock_file
Mar 28 22:56:55 dhcp-65-132 kernel: virbr0: port 3(vnet1) entering disabled state
Mar 28 22:56:55 dhcp-65-132 kernel: device vnet1 left promiscuous mode
Mar 28 22:56:55 dhcp-65-132 kernel: virbr0: port 3(vnet1) entering disabled state

Comment 2 zhanghaiyan 2011-03-29 03:25:13 UTC
Also failed to create a guest with socket-virtioserial channel
The guest contains the following xml info in its guest config file
    <controller type='virtio-serial' index='0'/>
    <channel type='unix'>
      <source mode='bind' path='/tmp/guestfwd'/>
      <target type='virtio' name='org.linux-kvm.port.1'/>
    </channel>
# virsh start rhel6-qcow2
error: Failed to start domain rhel6-qcow2
error: internal error process exited while connecting to monitor: bind(unix:/tmp/guestfwd): Address already in use
chardev: opening backend "socket" failed
# tail -f /var/log/messages
Mar 28 23:23:57 dhcp-65-132 kernel: device vnet0 entered promiscuous mode
Mar 28 23:23:57 dhcp-65-132 kernel: virbr0: topology change detected, propagating
Mar 28 23:23:57 dhcp-65-132 kernel: virbr0: port 2(vnet0) entering forwarding state
Mar 28 23:23:57 dhcp-65-132 libvirtd: 23:23:57.768: 1933: info : libvirt version: 0.8.7, package: 14.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2011-03-22-07:21:03, x86-002.build.bos.redhat.com)
Mar 28 23:23:57 dhcp-65-132 libvirtd: 23:23:57.768: 1933: warning : qemudStartVMDaemon:3282 : Executing /usr/libexec/qemu-kvm
Mar 28 23:23:57 dhcp-65-132 libvirtd: 23:23:57.773: 1933: warning : qemudStartVMDaemon:3292 : Executing done /usr/libexec/qemu-kvm
Mar 28 23:23:57 dhcp-65-132 NetworkManager[1480]: <warn> /sys/devices/virtual/net/vnet0: couldn't determine device driver; ignoring...
Mar 28 23:23:57 dhcp-65-132 kernel: type=1400 audit(1301369037.819:9): avc:  denied  { unlink } for  pid=2604 comm="qemu-kvm" name="guestfwd" dev=sda1 ino=2768982 scontext=system_u:system_r:svirt_t:s0:c662,c884 tcontext=system_u:object_r:tmp_t:s0:c225,c503 tclass=sock_file
Mar 28 23:23:57 dhcp-65-132 kernel: virbr0: port 2(vnet0) entering disabled state
Mar 28 23:23:57 dhcp-65-132 kernel: device vnet0 left promiscuous mode
Mar 28 23:23:57 dhcp-65-132 kernel: virbr0: port 2(vnet0) entering disabled state

Comment 3 Miroslav Grepl 2011-03-29 08:07:26 UTC
Which AVC messages are you seeing in /var/log/audit/audit.log in permissive mode?

Comment 4 zhanghaiyan 2011-03-29 10:10:31 UTC
In permissive mode, # virsh start rhel6-qcow2
Domain rhel6-qcow2 started

#tail -f /var/log/audit/audit.log
type=VIRT_MACHINE_ID msg=audit(1301393382.064:153): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 vm-ctx=system_u:system_r:svirt_t:s0:c681,c744 img-ctx=system_u:object_r:svirt_image_t:s0:c681,c744: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.157:154): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=deny vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=all: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.157:155): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=major category=pty maj=88 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:156): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/null rdev=01:03 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:157): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/full rdev=01:07 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:158): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/zero rdev=01:05 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:159): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/random rdev=01:08 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:160): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/urandom rdev=01:09 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:161): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/ptmx rdev=05:02 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:162): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/kvm rdev=0A:E8 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:163): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/kqemu rdev=? acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
type=VIRT_RESOURCE msg=audit(1301393382.158:164): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/rtc rdev=FE:00 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.158:165): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=cgroup reason=allow vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 cgroup="/cgroup/devices/libvirt/qemu/rhel6-qcow2/" class=path path=/dev/hpet rdev=0A:E4 acl=rw: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=ANOM_PROMISCUOUS msg=audit(1301393382.160:166): dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=VIRT_RESOURCE msg=audit(1301393382.161:167): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=net reason=open vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 net='52:54:00:AC:0B:F8' path="/dev/net/tun" rdev=0A:C8: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1301393382.201:168): avc:  denied  { unlink } for  pid=19112 comm="qemu-kvm" name="serial.sock" dev=sda1 ino=2768962 scontext=system_u:system_r:svirt_t:s0:c681,c744 tcontext=system_u:object_r:tmp_t:s0:c552,c840 tclass=sock_file
type=SYSCALL msg=audit(1301393382.201:168): arch=c000003e syscall=87 success=yes exit=0 a0=7fff0d2908c2 a1=64c9e9 a2=7fff0d2908d2 a3=fffffff0 items=0 ppid=1 pid=19112 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c681,c744 key=(null)
type=AVC msg=audit(1301393382.201:169): avc:  denied  { create } for  pid=19112 comm="qemu-kvm" name="serial.sock" scontext=system_u:system_r:svirt_t:s0:c681,c744 tcontext=system_u:object_r:tmp_t:s0:c681,c744 tclass=sock_file
type=SYSCALL msg=audit(1301393382.201:169): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fff0d2908c0 a2=6e a3=fffffff0 items=0 ppid=1 pid=19112 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c681,c744 key=(null)
type=VIRT_RESOURCE msg=audit(1301393382.371:170): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=disk reason=start vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 old-disk="?" new-disk="/var/lib/libvirt/images/rhel6-qcow2.img": exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.371:171): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=net reason=start vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 old-net='?' new-net='52:54:00:AC:0B:F8': exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.371:172): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=mem reason=start vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 old-mem=0 new-mem=1048576: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1301393382.371:173): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='resrc=vcpu reason=start vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7 old-vcpu=0 new-vcpu=1: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1301393382.371:174): user pid=1903 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='op=start reason=booted vm="rhel6-qcow2" uuid=59c272be-74d5-72e5-11c5-b86196fafdd7: exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'

Comment 5 Daniel Walsh 2011-03-29 18:04:11 UTC
We currently don't allow svirt_t to work in /tmp.  It would have been allowed to do this in a directory labeled qemu_var_run_t.

/var/lib/libvirt/qemu
or
/var/run/libvirt/qemu

If you feel it should be allowed in /tmp, I guess we can add it.
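Reading the permissive-mode records in comment 4 together with comment 5: audit event 168 is qemu-kvm's unlink() of the stale socket file (syscall 87 on x86_64) and event 169 is the bind() that creates the new sock_file (syscall 49); both are refused because svirt_t has no rule for sock_file objects of type tmp_t. The create denial carries the same MCS categories on subject and object (c681,c744), so this is a type-enforcement gap, not a category mismatch. In enforcing mode the unlink fails, the stale socket stays in place, and the following bind() fails on the existing path, which is consistent with libvirt reporting "Address already in use" rather than a permission error. The Python below is an added example, not code from the bug or from libvirt or selinux-policy: it pulls the AVC records apart, flags exactly this pattern, and rewrites the domain XML so the unix chardev sockets live under /var/lib/libvirt/qemu, one of the two qemu_var_run_t directories named in comment 5. The wrapping domain XML, the choice of that directory and the third (httpd) audit record are constructed assumptions.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Events 168 and 169 copied from comment 4 (permissive mode), plus one
# constructed, unrelated denial so the filter has something to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1301393382.201:168): avc:  denied  { unlink } for  pid=19112 comm="qemu-kvm" name="serial.sock" dev=sda1 ino=2768962 scontext=system_u:system_r:svirt_t:s0:c681,c744 tcontext=system_u:object_r:tmp_t:s0:c552,c840 tclass=sock_file
type=AVC msg=audit(1301393382.201:169): avc:  denied  { create } for  pid=19112 comm="qemu-kvm" name="serial.sock" scontext=system_u:system_r:svirt_t:s0:c681,c744 tcontext=system_u:object_r:tmp_t:s0:c681,c744 tclass=sock_file
type=AVC msg=audit(1301393400.000:170): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Constructed domain XML (assumption): the <console> and <channel> snippets
# from the bug wrapped in a minimal <domain>; disks and NICs are omitted.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>rhel6-qcow2</name>
  <devices>
    <controller type='virtio-serial' index='0'/>
    <console type='unix'>
      <source mode='bind' path='/tmp/serial.sock'/>
      <target type='virtio' port='0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/tmp/guestfwd'/>
      <target type='virtio' name='org.linux-kvm.port.1'/>
    </channel>
    <console type='pty'>
      <target type='serial' port='1'/>
    </console>
  </devices>
</domain>
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _selinux_type(ctx):
    """user:role:type[:range] -> type (the part type enforcement decides on)."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Turn each AVC denial record into a dict of the fields triage needs."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        denials.append({
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'stype': _selinux_type(fields['scontext']),
            'ttype': _selinux_type(fields['tcontext']),
            'tclass': fields['tclass'],
        })
    return denials


def is_svirt_tmp_socket_denial(d):
    """The pattern in this bug: a confined guest (svirt_t) touching a socket
    file that carries the generic /tmp label (tmp_t), for which the policy
    has no rule regardless of MCS categories."""
    return d['stype'] == 'svirt_t' and d['ttype'] == 'tmp_t' and d['tclass'] == 'sock_file'


def relocate_unix_chardevs(xml_text, new_dir='/var/lib/libvirt/qemu'):
    """Move every type='unix' chardev socket out of /tmp into new_dir.
    Returns the rewritten XML and the list of (old, new) paths."""
    root = ET.fromstring(xml_text)
    moved = []
    for tag in ('console', 'channel', 'serial', 'parallel'):
        for dev in root.iter(tag):
            if dev.get('type') != 'unix':
                continue
            src = dev.find('source')
            if src is None or not src.get('path', '').startswith('/tmp/'):
                continue
            old = src.get('path')
            new = posixpath.join(new_dir, posixpath.basename(old))
            src.set('path', new)
            moved.append((old, new))
    return ET.tostring(root, encoding='unicode'), moved


def triage(audit_text, domain_xml):
    """Match the denials against the bug's pattern and produce the fixed XML."""
    hits = [d for d in parse_avc(audit_text) if is_svirt_tmp_socket_denial(d)]
    fixed_xml, moved = relocate_unix_chardevs(domain_xml)
    return {
        'denied_perms': sorted({p for d in hits for p in d['perms']}),
        'socket_names': sorted({d['name'] for d in hits}),
        'moved': moved,
        'fixed_xml': fixed_xml,
    }


if __name__ == '__main__':
    result = triage(SAMPLE_AUDIT, SAMPLE_DOMAIN_XML)
    print('svirt_t denied', result['denied_perms'], 'on', result['socket_names'])
    for old, new in result['moved']:
        print(f'{old} -> {new}')
    print(result['fixed_xml'])
```

On a real host, feed it /var/log/audit/audit.log and the output of `virsh dumpxml`; the rewritten XML still has to be loaded with `virsh define`, and the target directory must be writable by the uid qemu-kvm runs as (500 in the SYSCALL records above). The filter keys on types only, so it still fires if a later policy changes the category layout.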