Description of problem:
When doing hotunplug of a disk, we accidentally audit 'fail' in the successful path, and don't audit anything in the failure path.
http://www.redhat.com/archives/libvir-list/2011-June/msg00083.html

Version-Release number of selected component (if applicable):
0.8.7-18.el6

How reproducible:
Always

Steps to Reproduce:
1. cat > tck.xml <<EOF
<domain type="qemu">
  <name>tck</name>
  <memory>65536</memory>
  <currentMemory>65536</currentMemory>
  <os>
    <type>hvm</type>
    <kernel>/var/cache/libvirt-tck/os-i686-hvm/vmlinuz</kernel>
    <initrd>/var/cache/libvirt-tck/os-i686-hvm/initrd</initrd>
  </os>
  <features>
    <acpi />
    <apic />
  </features>
  <devices>
    <disk type="file">
      <source file="/var/cache/libvirt-tck/os-i686-hvm/disk.img" />
      <target dev="vda" />
    </disk>
    <console type="pty" />
  </devices>
</domain>
EOF
2. cat > disk.xml <<EOF
<disk type="file">
  <source file="/var/cache/libvirt-tck/os-i686-hvm/disk.img" />
  <target dev="vda" />
</disk>
EOF
3. virsh create tck.xml
4. virsh detach-device tck disk.xml
5. # grep detach /var/log/audit/audit.log

Actual results:
type=VIRT_RESOURCE msg=audit(1307025151.862:3365): user pid=27880 uid=0 auid=0 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=disk reason=detach vm="tck" uuid=dceb1d2d-3dd7-3222-129c-a44cd5f2ba69 old-disk="/var/cache/libvirt-tck/os-i686-hvm/disk.img" new-disk="?": exe="/usr/sbin/libvirtd.old" hostname=? addr=? terminal=pts/3 res=failed'

Expected results:
type=VIRT_RESOURCE msg=audit(1307025113.581:3317): user pid=27671 uid=0 auid=0 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=disk reason=detach vm="tck" uuid=f5d0a05d-a363-9669-8247-1c4370b3a324 old-disk="/var/cache/libvirt-tck/os-i686-hvm/disk.img" new-disk="?": exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/3 res=success'

Additional info:
RHEL 6.2 will pick this up automatically when rebasing to 0.9.2 or later, thanks to upstream:

commit 020342e68debddff641f70f87b5c6991c128648a
Author: Daniel P. Berrange <berrange>
Date:   Thu Jun 2 14:52:24 2011 +0100

    Fix auditing of disk hotunplug operations

    The qemuAuditDisk calls in disk hotunplug operations were being passed 'ret >= 0', but the code which sets ret to 0 was not yet executed, and the error path had already jumped to the 'cleanup' label. This meant hotunplug failures were never audited, and hotunplug success was audited as a failure.

    * src/qemu/qemu_hotplug.c: Fix auditing of hotunplug
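The control-flow mistake the commit message describes is easy to reproduce in miniature. The following is an added example written for this page, not libvirt code: it models the hotunplug function with a stand-in for qemuAuditDisk() (here audit_disk_stub(), which formats a VIRT_RESOURCE-style record into a buffer) and a stand-in for the monitor device-removal call (monitor_del_device_stub()), so the audited result can be inspected. The vm name "tck", the stub names and the global last_audit are assumptions made for the example. detach_disk_buggy() reproduces the original shape (audit reads 'ret >= 0' while ret is still -1, and the error path jumps to cleanup past the audit call); detach_disk_fixed() audits the real outcome on both paths.

```c
/* Added example, not libvirt code: models the hotunplug audit ordering bug.
 * Stub names, the global last_audit and the vm name "tck" are assumptions. */
#include <stdio.h>
#include <string.h>

enum audit_res { AUDIT_NONE = 0, AUDIT_SUCCESS = 1, AUDIT_FAILED = 2 };

/* What the most recent audit call recorded (AUDIT_NONE if nothing was audited). */
enum audit_res last_audit = AUDIT_NONE;
static char last_record[128];

/* Stand-in for qemuAuditDisk(): emits a VIRT_RESOURCE-style record. */
static void audit_disk_stub(const char *vm, int success)
{
    last_audit = success ? AUDIT_SUCCESS : AUDIT_FAILED;
    snprintf(last_record, sizeof last_record,
             "resrc=disk reason=detach vm=\"%s\" res=%s",
             vm, success ? "success" : "failed");
}

/* Stand-in for the monitor command that actually removes the device. */
static int monitor_del_device_stub(int monitor_ok)
{
    return monitor_ok ? 0 : -1;
}

/* Buggy shape: ret is still -1 when the audit call evaluates 'ret >= 0', and
 * the error path jumps straight to cleanup without auditing anything. */
int detach_disk_buggy(int monitor_ok)
{
    int ret = -1;
    last_audit = AUDIT_NONE;
    last_record[0] = '\0';

    if (monitor_del_device_stub(monitor_ok) < 0)
        goto cleanup;                 /* failure: nothing audited */

    audit_disk_stub("tck", ret >= 0); /* success: audited as res=failed */
    ret = 0;                          /* set only after the audit call ran */
cleanup:
    return ret;
}

/* Fixed shape: audit the real outcome on both paths, before any jump. */
int detach_disk_fixed(int monitor_ok)
{
    int ret = -1;
    last_audit = AUDIT_NONE;
    last_record[0] = '\0';

    if (monitor_del_device_stub(monitor_ok) < 0) {
        audit_disk_stub("tck", 0);    /* failure: res=failed */
        goto cleanup;
    }
    audit_disk_stub("tck", 1);        /* success: res=success */
    ret = 0;
cleanup:
    return ret;
}

/* The formatted record from the most recent audit call (empty if none). */
const char *last_audit_record(void)
{
    return last_record;
}

int main(void)
{
    const char *names[] = { "buggy", "fixed" };
    int (*fns[])(int) = { detach_disk_buggy, detach_disk_fixed };

    for (int i = 0; i < 2; i++) {
        for (int ok = 1; ok >= 0; ok--) {
            int rc = fns[i](ok);
            printf("%s detach (monitor %s): rc=%d audited=%s\n",
                   names[i], ok ? "ok" : "error", rc,
                   last_audit == AUDIT_NONE ? "<nothing>" : last_audit_record());
        }
    }
    return 0;
}
```

Running it shows the two symptoms from the report side by side: the buggy variant returns 0 for a successful detach yet audits res=failed, and returns -1 for a failed detach with no record at all, while the fixed variant records res=success and res=failed respectively. The general lesson when reviewing audit hooks is to audit from the point where the outcome is known, not from a status variable that a later line assigns.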
Additionally, this patch is ready for 6.1.z once the z-stream bz is created: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-June/msg00030.html
This should be fixed by the libvirt-0.9.2-1.el6 rebase
Verified (pass) on libvirt-0.9.2-1.el6.x86_64, kernel-2.6.32-156.el6.x86_64, qemu-kvm-0.12.1.2-2.165.el6.x86_64; the steps are as the Description shows.
Set it as VERIFIED per comment 6.
*** Bug 712141 has been marked as a duplicate of this bug. ***
Two 6.1.z-stream bugs were filed against this; bug 712141 was later reassigned back to 6.2, so only bug 728516 remains to track the fix in 6.1.z.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and a hot unplug success was audited as a failure. This bug has been fixed, and auditing of disk hot unplug operations now works as expected.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html