Bug 982154 - Can't find the "avc" event with the auvirt command
Summary: Can't find the "avc" event with the auvirt command
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks: 1476406
 
Reported: 2013-07-08 09:26 UTC by zhenfeng wang
Modified: 2018-04-10 12:20 UTC (History)

Fixed In Version: audit-2.8-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:18:47 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
the audit.log (10.09 KB, text/plain)
2013-07-17 08:03 UTC, zhenfeng wang


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0760 0 None None None 2018-04-10 12:20:10 UTC

Description zhenfeng wang 2013-07-08 09:26:31 UTC
Description of problem:
Can't find the "avc" event with the auvirt command

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.1-2.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
selinux-policy-3.12.1-56.el7.noarch
kernel-3.10.0-0.rc7.64.el7.x86_64
audit-2.3.1-3.el7.x86_64
How reproducible:
100%

Steps
Scenario 1
1.# getenforce
Enforcing
# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Mon 2013-06-24 10:59:22 CST; 6h ago
 Main PID: 467 (auditd)

2. Prepare a normal guest and add the following XML to the guest's XML:
--
--
<seclabel type='static' model='selinux' relabel='no'>
    <label>system_u:system_r:svirt_t:s0:c311,c611</label>
  </seclabel>
--
3.start the guest
]# virsh start rhel7qcow2
error: Failed to start domain rhel7qcow2
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1 (label charserial0)
qemu-kvm: -drive file=/var/lib/libvirt/images/rhel7qcow2.img,if=none,id=drive-virtio-disk0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/rhel7qcow2.img: Permission denied

4.check the avc info in the audit.log
#ausearch -m avc
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:958): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da390 a1=80800 a2=0 a3=fffffffc items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:958): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
----
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:959): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da390 a1=80800 a2=0 a3=fffffffc items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:959): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
----
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:960): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da360 a1=84002 a2=0 a3=0 items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:960): avc:  denied  { read write } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file

5. Check the avc info with the auvirt command; nothing about the avc event is shown:
# auvirt --all-events|grep avc

Scenario 2
1.# getenforce
Enforcing
# getsebool virt_use_nfs
virt_use_nfs --> off

2. Prepare a guest whose image file is on the NFS server, and mount the NFS server on

3.start the guest
# virsh start rhel72
error: Failed to start domain rhel72
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1 (label charserial0)
qemu-kvm: -drive file=/mnt/zhwang/rhel7raw.img,if=none,id=drive-ide0-0-0,format=raw: could not open disk image /mnt/zhwang/rhel7raw.img: Permission denied

4.check the avc info in the audit.log
#ausearch -m avc
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.370:1280): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4100 a1=80800 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.370:1280): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.374:1281): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4100 a1=80800 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.374:1281): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.375:1282): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4010 a1=80002 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.375:1282): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file

5. Check the avc info with the auvirt command; nothing about the avc event is shown:
# auvirt --all-events|grep avc


Actual results:
Can't find the "avc" event with auvirt command

Expected results:
should find the "avc" event successfully with the auvirt command

Comment 2 Milos Malik 2013-07-08 13:26:07 UTC
I believe that the bug should be reported against audit component, because auvirt does not belong to selinux-policy component.

Comment 3 Steve Grubb 2013-07-15 14:36:07 UTC
Any chance you can attach the logs? Stop the audit daemon, delete the logs in /var/log/audit/, start auditd, start the VM, when you see the avc has occurred stop the audit daemon, then attach audit.log to this bz. Thanks.

Comment 4 zhenfeng wang 2013-07-17 08:03:26 UTC
Created attachment 774658 [details]
the audit.log

Comment 5 RHEL Program Management 2014-03-22 06:44:51 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 7 zhenfeng wang 2015-08-03 02:34:40 UTC
Hi,
When we start a guest with iothread configured, we can get the event with the ausearch command, but not with the auvirt command. Should this event be included in the auvirt output? If not, can you show me which types of events we should track, so that we can update our test cases correctly? Thanks.

1.Start a guest with iothread configured
#virsh dumpxml rhel7.0
--
  <iothreads>4</iothreads>
  <iothreadids>
    <iothread id='1'/>
    <iothread id='2'/>
    <iothread id='3'/>
    <iothread id='4'/>
  </iothreadids>

2. Check the audit log with the ausearch command; the audit record about iothreads is present:

# ausearch -ts today -m VIRT_RESOURCE | grep 'iothread'
type=VIRT_RESOURCE msg=audit(1436256617.284:46835): pid=5033 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=start vm="rhel7.0" uuid=322b9657-5616-4b5a-bfc8-a05475c2873e old-iothread=0 new-iothread=4 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'


3. Check the audit log with the auvirt command; the iothreads do not appear in the output:
# auvirt --all-events
--
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	deny      	all		
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	path	rw	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	major	rw	pty
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	disk        	start     	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	net         	start     	"52:54:00:6e:35:dc"
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	mem         	start     	1048576
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	vcpu        	start     	2
start rhel7.0                  	root       	Tue Jul  7 16:27

Comment 8 Steve Grubb 2015-08-03 15:34:19 UTC
The auvirt command is supposed to gather all events related to VMs. This includes AVCs because of the sVirt framework.
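
The point in this comment is how an AVC can be attributed to a guest at all: under sVirt, qemu-kvm runs in the svirt_t domain with a per-guest MCS category pair, visible in the scontext= field of the AVC records quoted in the description (s0:c311,c611 in scenario 1, s0:c137,c418 in scenario 2). The following Python script is an added example, not code from the audit package or from this bug report. It parses constructed audit.log lines modelled on the scenario 1 records, keeps only AVCs whose source context is an sVirt guest domain, and groups them by label so the count can be compared with the "Number of related AVCs" line of auvirt --summary. Treating svirt_tcg_t (the domain used for non-KVM qemu) as a guest domain is an assumption about the policy; mapping a label back to a guest name is not attempted, since the libvirt records that carry that mapping are not in the sample.

```python
"""Count SELinux AVC denials attributable to sVirt-confined guests.

Added example, not part of the audit package or this bug report. It groups
AVC records by the sVirt MCS label of their source context so the total can
be checked against `auvirt --file audit.log --summary`.
"""
import re
from collections import defaultdict

# Constructed sample: the three AVC records of scenario 1 (one SYSCALL line
# kept, trimmed, to show non-AVC records are skipped) plus one constructed,
# unrelated denial from httpd_t that must not be counted as guest-related.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1372064957.566:958): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:958): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1372064957.566:959): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1372064957.566:960): avc:  denied  { read write } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1372064999.000:961): avc:  denied  { write } for  pid=4100 comm="httpd" name="index.html" dev="sda1" ino=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

# One AVC record: timestamp, serial, verdict, permission set, and the
# source/target contexts plus object class.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \}'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# sVirt guest domain: svirt_t (KVM) or, as an assumption about the policy,
# svirt_tcg_t (non-KVM qemu), followed by a sensitivity and MCS categories.
SVIRT_RE = re.compile(
    r'^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>svirt(?:_tcg)?_t):'
    r'(?P<mcs>s\d+(?::c\d+(?:,c\d+)*)?)$'
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    return rec


def svirt_label(scontext):
    """Return the MCS label (e.g. 's0:c311,c611') of an sVirt guest context, else None."""
    m = SVIRT_RE.match(scontext)
    return m.group('mcs') if m else None


def related_avcs(log_text):
    """Group AVC records by sVirt guest label; AVCs from other domains are dropped."""
    by_guest = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        label = svirt_label(rec['scontext'])
        if label is None:
            continue
        by_guest[label].append(rec)
    return dict(by_guest)


def summary(log_text):
    """Totals in the shape of the auvirt --summary line this bug is about."""
    grouped = related_avcs(log_text)
    return {
        'related_avcs': sum(len(recs) for recs in grouped.values()),
        'guests': sorted(grouped),
        'targets': sorted({(r['tcontext'], r['tclass'])
                           for recs in grouped.values() for r in recs}),
    }


if __name__ == '__main__':
    s = summary(SAMPLE_LOG)
    print(f"Number of related AVCs:         {s['related_avcs']}")
    for label in s['guests']:
        print(f"  guest label {label}: {len(related_avcs(SAMPLE_LOG)[label])} AVC(s)")
    for tcontext, tclass in s['targets']:
        print(f"  denied target: {tcontext} ({tclass})")
```

Run against the report's attached audit.log, the "Number of related AVCs" total should agree with the fixed auvirt (3 for the attached log, per the verification comment below); a non-zero count against virt_image_t or nfs_t targets points at the image label or the virt_use_nfs boolean rather than at the guest itself.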

Comment 10 Steve Grubb 2017-09-23 18:39:02 UTC
Fixed in upstream commit ab077c4. Will be in audit-2.8. The attached log can be used for a test case.

Comment 11 Steve Grubb 2017-10-10 19:58:11 UTC
audit-2.8-1.el7 was built to resolve this issue.

Comment 13 Ondrej Moriš 2017-11-30 13:46:01 UTC
Successfully reproduced and verified using attached audit log file on all supported architectures (x86_64, ppc64, ppc64le and s390x for RHEL and aarch64 and ppc64le for RHEL-ALT).

OLD (audit-2.7.6-3.el7)
=======================
# auvirt --file audit.log --summary
Range of time for report:       Wed Jul 17 10:00 - Wed Jul 17 10:00
Number of guest starts:         0
Number of guest stops:          0
Number of resource assignments: 15
Number of related AVCs:         0
Number of related anomalies:    0
Number of host shutdowns:       0
Number of failed operations:    1

NEW (audit-2.8.1-2.el7)
=======================
# auvirt --file audit.log --summary
Range of time for report:       Wed Jul 17 10:00 - Wed Jul 17 10:00
Number of guest starts:         0
Number of guest stops:          0
Number of resource assignments: 15
Number of related AVCs:         3
Number of related anomalies:    0
Number of failed operations:    1

Comment 16 errata-xmlrpc 2018-04-10 12:18:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0760

