Description of problem: Cgroup assignment events with path are not escaped like in other places. For example, this one is bad: type=VIRT_RESOURCE msg=audit(1363276478.481:2935): pid=1993 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=cgroup reason=allow vm="rawhide-builder" uuid=f5eed9fe-5226-c751-3946-26c01619aa71 cgroup="/sys/fs/cgroup/devices/libvirt/qemu/rawhide-builder/" class=path path=/dev/hpet rdev=0A:E4 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' As compared to this good event: type=VIRT_RESOURCE msg=audit(1363276478.580:2938): pid=1993 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=open vm="rawhide-builder" uuid=f5eed9fe-5226-c751-3946-26c01619aa71 net=52:54:00:5D:63:CE path="/dev/vhost-net" rdev=0A:EE exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Version-Release number of selected component (if applicable): libvirt-0.10.2.3-1.fc18.x86_64 How reproducible: ausearch --start this week Steps to Reproduce: 1. Run a vm 2. ausearch --start recent -m VIRT_RESOURCE -i | grep cgroup | grep '^/dev' Actual results: Nothing Expected results: Events
(In reply to comment #0) > Steps to Reproduce: > 1. Run a vm > 2. ausearch --start recent -m VIRT_RESOURCE -i | grep cgroup | grep '^/dev' Rather, ausearch --start recent -m VIRT_RESOURCE -i | grep cgroup | grep 'path=/dev' Fix proposed here: https://www.redhat.com/archives/libvir-list/2013-April/msg01508.html
Backported to v0.10.2-maint; next build will pick this up: commit 31c6bf35b9d9de04158318658f4fbf6a9e54ff28 Author: Eric Blake <eblake> Date: Fri Apr 19 11:30:44 2013 -0600 audit: properly encode device path in cgroup audit https://bugzilla.redhat.com/show_bug.cgi?id=922186 Commit d04916fa introduced a regression in audit quality - even though the code was computing the proper escaped name for a path, it wasn't feeding that escaped name on to the audit message. As a result, /var/log/audit/audit.log would mention a pair of fields class=path path=/dev/hpet instead of the intended class=path path="/dev/hpet", which in turn caused ausearch to format the audit log with path=(null). * src/conf/domain_audit.c (virDomainAuditCgroupPath): Use constructed encoding. Signed-off-by: Eric Blake <eblake>
libvirt-0.10.2.5-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.5-1.fc18
Package libvirt-0.10.2.5-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libvirt-0.10.2.5-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-8681/libvirt-0.10.2.5-1.fc18 then log in and leave karma (feedback).
libvirt-0.10.2.5-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.