abrt version: 2.0.5
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 2.6.32-171.el6.x86_64
reason: SELinux is preventing /usr/libexec/qemu-kvm from 'getattr' accesses on the filesystem /home.
time: Thu Jul 28 11:01:51 2011
description:
:SELinux is preventing /usr/libexec/qemu-kvm from 'getattr' accesses on the filesystem /home.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that qemu-kvm should be allowed getattr access on the home filesystem by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:svirt_t:s0:c911,c936
:Target Context system_u:object_r:fs_t:s0
:Target Objects /home [ filesystem ]
:Source qemu-kvm
:Source Path /usr/libexec/qemu-kvm
:Port <Unknown>
:Host (removed)
:Source RPM Packages qemu-kvm-0.12.1.2-2.172.el6
:Target RPM Packages filesystem-2.4.30-3.el6
:Policy RPM selinux-policy-3.7.19-105.el6
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed)
: 2.6.32-171.el6.x86_64 #1 SMP Thu Jul 21 23:23:33
: EDT 2011 x86_64 x86_64
:Alert Count 1
:First Seen Thu 28 Jul 2011 11:01:29 AM CEST
:Last Seen Thu 28 Jul 2011 11:01:29 AM CEST
:Local ID 5dbe476f-868b-4d89-8635-da981c9a5afb
:
:Raw Audit Messages
:type=AVC msg=audit(1311843689.711:37568): avc: denied { getattr } for pid=23640 comm="qemu-kvm" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:svirt_t:s0:c911,c936 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
:
:
:type=SYSCALL msg=audit(1311843689.711:37568): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=9 a1=7fff29489140 a2=3 a3=48 items=0 ppid=1 pid=23640 auid=500 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=1 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c911,c936 key=(null)
:
:Hash: qemu-kvm,svirt_t,fs_t,filesystem,getattr
:
:audit2allow
:
:#============= svirt_t ==============
:allow svirt_t fs_t:filesystem getattr;
:
:audit2allow -R
:
:#============= svirt_t ==============
:allow svirt_t fs_t:filesystem getattr;
:
what were you doing when this happened?
Installed today's bunch of updates, especially

spice-glib-0.6-2.el6.x86_64
spice-gtk-0.6-2.el6.x86_64
spice-gtk-python-0.6-2.el6.x86_64
libvirt-0.9.4-0rc1.el6.x86_64
libvirt-client-0.9.4-0rc1.el6.x86_64
libvirt-python-0.9.4-0rc1.el6.x86_64
selinux-policy-targeted-3.7.19-105.el6.noarch
selinux-policy-3.7.19-105.el6.noarch

I can see those AVCs when VM operates. (Not rebooted yet.)
Does VM work fine or do you see some issues with your VM? I will allow it.
Looks OK to me, tested on several VMs.
I guess we can allow it, not sure if it would eventually cause a problem if we denied it, and don't see where this is a security threat.
Fixed in selinux-policy-3.7.19-106.el6
I am frequently getting getattr on / errors. Is it possible because I am having my ISOs in /srv? Shall I relabel my system???

Summary:
SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /.

Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context system_u:system_r:svirt_t:s0:c490,c569
Target Context system_u:object_r:fs_t:s0
Target Objects / [ filesystem ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host XXX
Source RPM Packages qemu-kvm-0.12.1.2-2.160.el6_1.6
Target RPM Packages filesystem-2.4.30-2.1.el6
Policy RPM selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name XXX
Platform Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count 1
First Seen Wed Aug 3 16:26:51 2011
Last Seen Wed Aug 3 16:26:51 2011
Local ID 0ab32214-510b-4aab-95e4-bd3f3c8faf87
Line Numbers

Raw Audit Messages
node=XXX type=AVC msg=audit(1312381611.258:1330): avc: denied { getattr } for pid=12226 comm="qemu-kvm" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:svirt_t:s0:c490,c569 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=XXX type=SYSCALL msg=audit(1312381611.258:1330): arch=c000003e syscall=138 success=no exit=-13 a0=e a1=7fff87096e50 a2=3 a3=48 items=0 ppid=1 pid=12226 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c490,c569 key=(null)

---

Summary:
SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /.

Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context system_u:system_r:svirt_t:s0:c878,c956
Target Context system_u:object_r:fs_t:s0
Target Objects / [ filesystem ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host XXX
Source RPM Packages qemu-kvm-0.12.1.2-2.160.el6_1.6
Target RPM Packages filesystem-2.4.30-2.1.el6
Policy RPM selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name XXX
Platform Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count 1
First Seen Wed Aug 3 16:26:04 2011
Last Seen Wed Aug 3 16:26:04 2011
Local ID 6bacc6df-03dc-466a-bf35-3bed9314e8bb
Line Numbers

Raw Audit Messages
node=XXX type=AVC msg=audit(1312381564.472:1302): avc: denied { getattr } for pid=12115 comm="qemu-kvm" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:svirt_t:s0:c878,c956 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=XXX type=SYSCALL msg=audit(1312381564.472:1302): arch=c000003e syscall=138 success=no exit=-13 a0=e a1=7fff22296410 a2=3 a3=48 items=0 ppid=1 pid=12115 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c878,c956 key=(null)
No, we are going to add this access. You can add this rule for now.

# grep filesystem /var/log/audit/audit.log | audit2allow -M mysvirt
# semodule -i mysvirt.pp
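Added example, not part of the original thread and not Red Hat tooling: a simplified stand-in for audit2allow that lists the allow rules a grep-filtered slice of audit.log would become, so the result can be compared with the single rule discussed here (`allow svirt_t fs_t:filesystem getattr;`) before `semodule -i` is run. The function names are hypothetical; the first two sample records are AVC lines quoted on this page and the third is constructed.

```python
import re
from collections import defaultdict

# Records 1 and 2 are AVC lines quoted in this thread; record 3 is constructed
# for illustration (a different denial raised by the same process).
SAMPLE_LOG = """\
type=AVC msg=audit(1311843689.711:37568): avc: denied { getattr } for pid=23640 comm="qemu-kvm" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:svirt_t:s0:c911,c936 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=XXX type=AVC msg=audit(1312381611.258:1330): avc: denied { getattr } for pid=12226 comm="qemu-kvm" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:svirt_t:s0:c490,c569 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1311843700.000:37570): avc: denied { read write } for pid=23640 comm="qemu-kvm" name="disk.img" dev=dm-1 ino=131 scontext=system_u:system_r:svirt_t:s0:c911,c936 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def select(log_text, needle):
    """Mimic `grep needle`: keep only the lines containing the string."""
    return [line for line in log_text.splitlines() if needle in line]

def rules_for(lines):
    """Collapse AVC denials into sorted, de-duplicated allow rules."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), found in sorted(perms.items()):
        names = sorted(found)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    # The two filters used in this thread select different sets of denials.
    for needle in ("qemu-kvm", "filesystem"):
        print(f"grep {needle}:")
        for rule in rules_for(select(SAMPLE_LOG, needle)):
            print("   ", rule)
```

On the sample, the `filesystem` filter yields only the getattr rule, while the `qemu-kvm` filter also picks up the constructed file denial; per-VM MCS categories (c911,c936 and so on) do not appear in the rules because allow rules are written on types.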
Many thanks!
FYI - I see this denial on a LV mounted on /VMtest:

# ls -dZ /VMtest
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /VMtest
# ps -eZ | grep qemu-kvm
system_u:system_r:svirt_t:s0:c381,c972 27931 ? 00:00:06 qemu-kvm

--------------------------------------------------------------------------------

Summary:
SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /VMtest.

Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context system_u:system_r:svirt_t:s0:c173,c266
Target Context system_u:object_r:fs_t:s0
Target Objects /VMtest [ filesystem ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host <Unknown>
Source RPM Packages qemu-kvm-0.12.1.2-2.160.el6_1.6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name rproffit.csb
Platform Linux rproffit.csb 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count 1
First Seen Fri Aug 12 18:32:54 2011
Last Seen Fri Aug 12 18:32:54 2011
Local ID fd94731f-887b-44b1-b25b-4c2f597d156b
Line Numbers 4703, 4704

Raw Audit Messages
type=AVC msg=audit(1313195574.718:334): avc: denied { getattr } for pid=22108 comm="qemu-kvm" name="/" dev=dm-6 ino=2 scontext=system_u:system_r:svirt_t:s0:c173,c266 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1313195574.718:334): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff48c36bb0 a2=3 a3=48 items=0 ppid=1 pid=22108 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c173,c266 key=(null)
Rober, this is fixed in the latest RHEL6.2 policy.
*** Bug 731044 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html