Bug 741531 - SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory /home/misc/.libvirt/qemu/lib.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 15
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:29f9b79ca24...
Depends On:
Blocks:
 
Reported: 2011-09-27 08:06 UTC by Michael S.
Modified: 2012-06-07 00:35 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-07 00:35:18 UTC
Type: ---
Embargoed:


Attachments
Qemu avc log (1.60 KB, text/plain)
2011-10-01 17:29 UTC, Michael S.

Description Michael S. 2011-09-27 08:06:27 UTC
SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory /home/misc/.libvirt/qemu/lib.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/home/misc/.libvirt/qemu/lib default label should be virt_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/misc/.libvirt/qemu/lib

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c370,c638
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/misc/.libvirt/qemu/lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 27 Sep 2011 10:04:46 CEST
Last Seen                     Tue 27 Sep 2011 10:04:46 CEST
Local ID                      d901bdb1-4d27-4507-8021-97f20a53c4e2

Raw Audit Messages
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 a2=6e a3=6273632f62696c2f items=0 ppid=1 pid=11767 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)

Hash: qemu-kvm,svirt_t,user_home_t,dir,write

audit2allow

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;

audit2allow -R

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;

Comment 1 Michael S. 2011-09-27 08:10:33 UTC
To trigger the error, just run as a user:

$ virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

the iso should not matter much.

Sealert tells me to restore the context, which I do, but the error is still here. And the installation does not work.

~ $ ls -lZ ~/.libvirt/qemu/
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 cache
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 dump
drwxrwxr-x. misc misc unconfined_u:object_r:virt_home_t:s0 lib
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 log
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 run
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 save
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 snapshot

Comment 2 Dominick Grift 2011-09-27 08:28:09 UTC
Seems kvm-qemu wants to create or delete some object in ~/.libvirt/qemu/lib but SELinux policy currently does not support that.

Could you test and reproduce this in permissive mode and enclose all the AVC denials from /var/log/audit/audit.log that occurred since the test?

This will give us an idea as to what kind of objects it is trying to create or delete, plus we will be able to determine what else it needs for this to work (and if it works at all)

But first restore the context of the whole ~/.libvirt directory ( restorecon -R -v ~/.libvirt )
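
An added example, not part of the bug report or of the setroubleshoot/libvirt code, that does offline what the previous comment asks for: it parses `type=AVC` records out of an audit log, prints the setroubleshoot-style `Hash:` for each, collapses them into the `allow` rules audit2allow would produce, and flags the case this bug hinges on, a target whose label differs from what the policy expects (`user_home_t` where the restorecon plugin says `virt_home_t`), which calls for `restorecon`, not a new allow rule. The quoted SYSCALL record (`syscall=bind`, `a2=6e`, a 110-byte address, the size of `struct sockaddr_un`) shows qemu-kvm was creating a UNIX socket in that directory, so the sample log adds constructed `add_name`/`create` denials of that kind; the second and third AVC records, the name `csb_6.monitor`, and the expected-label table are assumptions, not data from the page.

```python
import re

# Constructed sample audit log. The first two records are the ones quoted in the
# report; the remaining AVC records are made up to resemble what a permissive-mode
# run would add once the first denial no longer stops qemu-kvm (the name
# "csb_6.monitor" is an assumption, not taken from the page).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 a2=6e a3=6273632f62696c2f items=0 ppid=1 pid=11767 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)
type=AVC msg=audit(1317110700.101:140): avc:  denied  { add_name } for  pid=11767 comm="qemu-kvm" name="csb_6.monitor" scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1317110700.101:140): avc:  denied  { create } for  pid=11767 comm="qemu-kvm" name="csb_6.monitor" scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm perm } for  <key=value ...>"
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Third field of user:role:type[:level], e.g. svirt_t from system_u:system_r:svirt_t:s0."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Return one dict per AVC denial record; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name"),          # absent for some object classes
            "stype": selinux_type(fields["scontext"]),
            "ttype": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def setroubleshoot_hash(d):
    """Same shape as the 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perm."""
    return ",".join([d["comm"], d["stype"], d["ttype"], d["tclass"]] + d["perms"])


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


# Assumed mapping of object name to the label policy expects; the one entry here is
# the restorecon plugin's hint from the report. On a real host derive the expected
# label with `matchpathcon <path>` instead of hard-coding it.
EXPECTED_TYPE = {"lib": "virt_home_t"}


def mislabeled_targets(denials, expected=EXPECTED_TYPE):
    """Denials whose target carries a label other than the one policy expects.

    Such a denial is a labeling problem (fix: restorecon), not a missing rule; feeding
    it to audit2allow would grant svirt_t access to every user_home_t directory."""
    return [(d["name"], d["ttype"], expected[d["name"]])
            for d in denials
            if d["name"] in expected and d["ttype"] != expected[d["name"]]]


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for d in found:
        print("Hash:", setroubleshoot_hash(d))
    print("\n".join(allow_rules(found)))
    for name, got, want in mislabeled_targets(found):
        print(f"{name!r} is {got}, expected {want}: run restorecon before adding policy")
```

Run it against `/var/log/audit/audit.log` (or the output of `ausearch -m avc -ts recent`) after a permissive-mode reproduction; if `mislabeled_targets` reports anything, relabel with `restorecon -R -v` and reproduce again before considering a local policy module, since the remaining denials are the ones that actually reflect a policy gap.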

Comment 3 Miroslav Grepl 2011-09-27 13:06:22 UTC
AFAIK, we had the same issue on RHEL6. Looking for a bug.

Comment 4 Michael S. 2011-10-01 17:29:41 UTC
Created attachment 525878 [details]
Qemu avc log

Here is the log.

Comment 5 Miroslav Grepl 2011-10-03 08:02:52 UTC
Actually we know where the problem is. We have a fix in RHEL6 but we need to investigate it in Fedora.

The problem is that libvirt is running as unconfined_t in this case, which is expected.

Michael, 
if you run

# runcon -r system_r -t initrc_t -- runcon -t virtd_t -- virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

this should work.

Comment 6 Miroslav Grepl 2011-10-03 08:04:05 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=676372

Comment 7 Fedora Admin XMLRPC Client 2011-11-30 20:04:49 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 8 Fedora Admin XMLRPC Client 2011-11-30 20:05:06 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Fedora Admin XMLRPC Client 2011-11-30 20:08:54 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 10 Fedora Admin XMLRPC Client 2011-11-30 20:09:07 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 11 Cole Robinson 2012-06-07 00:35:18 UTC
F15 is end of life real soon, so closing as WONTFIX. If anyone can still reproduce with a Fedora 16 or Fedora 17, please reopen.

