Bug 710151 - Auditing of QEMU driver disk hotunplug events logs is missing and/or incorrect
Summary: Auditing of QEMU driver disk hotunplug events logs is missing and/or incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt
Version: 5.6
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 713444 713446
TreeView+ depends on / blocked
 
Reported: 2011-06-02 14:36 UTC by Daniel Berrangé
Modified: 2011-07-21 10:31 UTC (History)
8 users (show)

Fixed In Version: libvirt-0.8.2-22.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 710150
Environment:
Last Closed: 2011-07-21 10:31:35 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1019 0 normal SHIPPED_LIVE Moderate: libvirt security, bug fix, and enhancement update 2011-07-21 10:31:00 UTC

Description Daniel Berrangé 2011-06-02 14:36:03 UTC 
+++ This bug was initially created as a clone of Bug #710150 +++

Description of problem:

When doing hotunplug of a disk, we accidentally audit 'fail' in the successful path, and don't audit anything in the failure path. 

http://www.redhat.com/archives/libvir-list/2011-June/msg00083.html

Version-Release number of selected component (if applicable):
0.8.7-18.el6

How reproducible:
Always

Steps to Reproduce:
1. cat > tck.xml <<EOF
<domain type="qemu">
  <name>tck</name>
  <memory>65536</memory>
  <currentMemory>65536</currentMemory>
  <os>
    <type>hvm</type>
    <kernel>/var/cache/libvirt-tck/os-i686-hvm/vmlinuz</kernel>
    <initrd>/var/cache/libvirt-tck/os-i686-hvm/initrd</initrd>
  </os>
  <features>
    <acpi />
    <apic />
  </features>
  <devices>
    <disk type="file">
      <source file="/var/cache/libvirt-tck/os-i686-hvm/disk.img" />
      <target dev="vda" />
    </disk>
    <console type="pty" />
  </devices>
</domain>
EOF

2. cat > disk.xml <<EOF
  <disk type="file">
      <source file="/var/cache/libvirt-tck/os-i686-hvm/disk.img" />
      <target dev="vda" />
    </disk>
EOF
3. virsh create tck.xml
4. virsh detach-device tck disk.xml
5. # grep detach /var/log/audit/audit.log 
  
Actual results:
type=VIRT_RESOURCE msg=audit(1307025151.862:3365): user pid=27880 uid=0 auid=0 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=disk reason=detach vm="tck" uuid=dceb1d2d-3dd7-3222-129c-a44cd5f2ba69 old-disk="/var/cache/libvirt-tck/os-i686-hvm/disk.img" new-disk="?": exe="/usr/sbin/libvirtd.old" hostname=? addr=? terminal=pts/3 res=failed'


Expected results:
type=VIRT_RESOURCE msg=audit(1307025113.581:3317): user pid=27671 uid=0 auid=0 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=disk reason=detach vm="tck" uuid=f5d0a05d-a363-9669-8247-1c4370b3a324 old-disk="/var/cache/libvirt-tck/os-i686-hvm/disk.img" new-disk="?": exe="/home/berrange/src/virt/libvirt/daemon/.libs/lt-libvirtd" hostname=? addr=? terminal=pts/3 res=success'


Additional info:
Comment 1 Eric Blake 2011-06-02 21:20:04 UTC 
In POST for 5.8; the same patch should work without issues for 5.7.z and 5.6.z once the z-stream bz's are cloned:
http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-June/msg00031.html
Comment 7 dyuan 2011-06-30 05:50:53 UTC 
kernel-2.6.18-269.el5
kvm-83-238.el5

Reproduced this bug with libvirt-0.8.2-15.el5(RHEL5.6).
Cann't be reproduced with libvirt-0.8.2-20.el5(RHEL5.7).
Verified pass with libvirt-0.8.2-22.el5.
Comment 8 errata-xmlrpc 2011-07-21 10:31:35 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1019.html
Note You need to log in before you can comment on or make changes to this bug.