Description of problem:
On Raw Hide, I get these in my audit log when I try to start my VM:

type=AVC msg=audit(1308089254.399:2480): avc: denied { append } for pid=22444 comm="qemu-kvm" path="/var/log/libvirt/qemu/cats.log" dev=dm-6 ino=3164867 scontext=system_u:system_r:svirt_t:s0:c169,c553 tcontext=system_u:object_r:virt_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-28.fc16.noarch

How reproducible:
Always

Steps to Reproduce:
1. Using virt-manager, create a VM named "cats" and try to start it.

Actual results:
Failure to start, audit log entry for AVC denial.

Expected results:
Successful start.

Additional info:
This seems to have been allowed in selinux-policy-3.9.16-26.fc15.noarch. With that version, "sesearch --allow -s svirt_t -t virt_log_t" gives:

Found 3 semantic av rules:
   allow virt_domain virt_log_t : file { ioctl getattr lock append open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;
   allow virt_domain file_type : dir { getattr search open } ;

while running the same command on Raw Hide produces:

Found 3 semantic av rules:
   allow virt_domain virt_log_t : file { ioctl lock open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;
   allow virt_domain file_type : dir { getattr search open } ;
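To make the comparison in this report mechanical, here is an added example (not from the bug or from the selinux-policy project) that parses the AVC record and the two sesearch listings quoted above, reports which denied permissions the active rules fail to grant, and diffs the two policy versions to show which permissions were dropped. It assumes the sesearch output was produced with -s/-t matching the AVC's source and target types, as it was here, so every printed rule applies to that pair.

```python
import re

# Constructed samples copied from the report above: the AVC denial and the two sesearch listings.
AVC_LINE = ('type=AVC msg=audit(1308089254.399:2480): avc: denied { append } for pid=22444 '
            'comm="qemu-kvm" path="/var/log/libvirt/qemu/cats.log" dev=dm-6 ino=3164867 '
            'scontext=system_u:system_r:svirt_t:s0:c169,c553 '
            'tcontext=system_u:object_r:virt_log_t:s0 tclass=file')
SESEARCH_F15 = """Found 3 semantic av rules:
   allow virt_domain virt_log_t : file { ioctl getattr lock append open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;
   allow virt_domain file_type : dir { getattr search open } ;
"""
SESEARCH_RAWHIDE = """Found 3 semantic av rules:
   allow virt_domain virt_log_t : file { ioctl lock open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;
   allow virt_domain file_type : dir { getattr search open } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'allow\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]*)\}')

def parse_avc(line):
    """Extract denied permissions, source/target types and object class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    def type_of(ctx):  # user:role:type[:range] -> type
        return ctx.split(':')[2]
    return {'perms': set(m['perms'].split()), 'stype': type_of(m['scontext']),
            'ttype': type_of(m['tcontext']), 'tclass': m['tclass']}

def parse_sesearch(text):
    """Map (source, target, class) -> set of permissions from 'sesearch --allow' output."""
    rules = {}
    for m in RULE_RE.finditer(text):
        rules.setdefault((m['src'], m['tgt'], m['cls']), set()).update(m['perms'].split())
    return rules

def missing_perms(avc, rules):
    """Denied permissions that no rule of the matching object class grants.
    Assumes the sesearch was scoped to the AVC's types, so attribute expansion is already done."""
    granted = set()
    for (_src, _tgt, cls), perms in rules.items():
        if cls == avc['tclass']:
            granted |= perms
    return avc['perms'] - granted

def rule_diff(old, new):
    """Rules that lost permissions between two policy versions: key -> dropped permissions."""
    return {k: old[k] - new.get(k, set()) for k in old if old[k] - new.get(k, set())}
```

Running missing_perms against the F15 listing yields nothing, against the Raw Hide listing yields {'append'}, and rule_diff pinpoints the file rule that lost getattr and append.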
Strange:

$ echo "avc: denied { append } for pid=22444 comm="qemu-kvm" path="/var/log/libvirt/qemu/cats.log" dev=dm-6 ino=3164867 scontext=system_u:system_r:svirt_t:s0:c169,c553 tcontext=system_u:object_r:virt_log_t:s0 tclass=file" | audit2why
avc: denied { append } for pid=22444 comm=qemu-kvm path=/var/log/libvirt/qemu/cats.log dev=dm-6 ino=3164867 scontext=system_u:system_r:svirt_t:s0:c169,c553 tcontext=system_u:object_r:virt_log_t:s0 tclass=file

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

$ rpm -qa | grep selinux-policy
selinux-policy-3.9.16-28.fc16.noarch
selinux-policy-targeted-3.9.16-28.fc16.noarch

Seems to be allowed here...

$ sesearch --allow -s svirt_t -t virt_log_t
Found 3 semantic av rules:
   allow virt_domain file_type : dir { getattr search open } ;
   allow virt_domain virt_log_t : file { ioctl getattr lock append open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;
But it might still be in the pipeline, as I am building my own rpms from git.
That's weird. I ran the same command on two different hosts that had been updated from F15 to Raw Hide, both in the last day or so. The one that's still using the F15 kernel also gets a "WARNING: Policy would be downgraded from version 26 to 24.", but the other is also running the Raw Hide kernel and not getting any warnings.
Oh right, check /etc/selinux/targeted/policy and see if there are two different policy databases there. Might be that. If there are two, remove the old one.
Oh, and the f15 kernel will not work with Rawhide with respect to SELinux, I believe, because SELinux relies on some functionality only in f16 kernels, I suspect.
kernel-2.6.39-1.fc16.x86_64 seems pretty stable here. (The 3.0's oops a lot here.)
The system where I was getting the warning (the one with the F15 kernel) did indeed have two. The other, the one running 3.0-0.rc2.git0.2.fc16.x86_64, had just the one. Removing the duplicate policy on the first machine didn't appear to change anything, though.
I suspect you need an f16 kernel as well. There is some feature in there that SELinux relies on.
Right, but the one that's running the f16 kernel also exhibits the problem. There's a still-newer kernel in Raw Hide today, so... maybe.
Naw, it should probably work with kernel > 2.6.39-1.fc16, and even earlier. It may just be that the policy has not been packaged yet? Run semodule -B to rebuild the policy db and see if that makes any difference.
I'd already tried that, just in case, but it didn't help on either system. Both selinux-policy and selinux-policy-targeted pass rpm -V on both systems, too.
OK, assuming all your packages are up-to-date, I guess the rule you are looking for may not have been packaged yet. I am building my own rpms straight from the Rawhide git repository, so my policy may have rules that aren't packaged yet. Any other clues would have to come from dwalsh or mgrepl.
Nalin, do you have anything in /etc/selinux/semanage.conf about 24?
Nope - grep only turns up commented lines, and the libsemanage package (2.0.46-6.fc16) on the box with the f15 kernel verifies, so it hasn't been changed from the default.
This is happening because you are running a policy.24 kernel.
(In reply to comment #15)
> This is happening because you are running a policy.24 kernel.

That might account for one of them, but what about the other one?
Nalin, is this still active?
I am not seeing these denials now. Running sesearch with kernel-2.6.40.4-5.fc15.x86_64 and selinux-policy-3.10.0-56.fc16 produces:

Found 3 semantic av rules:
   allow virt_domain file_type : dir { getattr search open } ;
   allow virt_domain virt_log_t : file { ioctl getattr lock append open } ;
   allow virt_domain virt_log_t : dir { getattr search open } ;

So I guess this can be closed now. Thanks!