Bug 982154 - Can't find the "avc" event with the auvirt command
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Steve Grubb
QA Contact: BaseOS QE Security Team
Blocks: 1476406
Reported: 2013-07-08 05:26 EDT by zhenfeng wang
Modified: 2017-10-10 16:06 EDT
Fixed In Version: audit-2.8-1.el7
Type: Bug


Attachments
the audit.log (10.09 KB, text/plain), 2013-07-17 04:03 EDT, zhenfeng wang
Description zhenfeng wang 2013-07-08 05:26:31 EDT
Description of problem:
Can't find the "avc" event with the auvirt command

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.1-2.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
selinux-policy-3.12.1-56.el7.noarch
kernel-3.10.0-0.rc7.64.el7.x86_64
audit-2.3.1-3.el7.x86_64
How reproducible:
100%

Steps to reproduce:
Scenario 1
1. # getenforce
Enforcing
# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Mon 2013-06-24 10:59:22 CST; 6h ago
 Main PID: 467 (auditd)

2. Prepare a normal guest and add the following XML to the guest's XML:
--
--
<seclabel type='static' model='selinux' relabel='no'>
    <label>system_u:system_r:svirt_t:s0:c311,c611</label>
  </seclabel>
--
3. Start the guest
# virsh start rhel7qcow2
error: Failed to start domain rhel7qcow2
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1 (label charserial0)
qemu-kvm: -drive file=/var/lib/libvirt/images/rhel7qcow2.img,if=none,id=drive-virtio-disk0,format=qcow2,cache=none: could not open disk image /var/lib/libvirt/images/rhel7qcow2.img: Permission denied

4. Check the avc info in the audit.log
# ausearch -m avc
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:958): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da390 a1=80800 a2=0 a3=fffffffc items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:958): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
----
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:959): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da390 a1=80800 a2=0 a3=fffffffc items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:959): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
----
time->Mon Jun 24 17:09:17 2013
type=SYSCALL msg=audit(1372064957.566:960): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da360 a1=84002 a2=0 a3=0 items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:960): avc:  denied  { read write } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file

5. Check the avc info with the auvirt command; nothing about the avc event is shown
# auvirt --all-events|grep avc

Scenario 2
1. # getenforce
Enforcing
# getsebool virt_use_nfs
virt_use_nfs --> off

2. Prepare a guest whose image file is on the NFS server, and mount the NFS server

3. Start the guest
# virsh start rhel72
error: Failed to start domain rhel72
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1 (label charserial0)
qemu-kvm: -drive file=/mnt/zhwang/rhel7raw.img,if=none,id=drive-ide0-0-0,format=raw: could not open disk image /mnt/zhwang/rhel7raw.img: Permission denied

4. Check the avc info in the audit.log
# ausearch -m avc
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.370:1280): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4100 a1=80800 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.370:1280): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.374:1281): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4100 a1=80800 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.374:1281): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file
----
time->Mon Jul  8 16:02:23 2013
type=SYSCALL msg=audit(1373270543.375:1282): arch=c000003e syscall=2 success=no exit=-13 a0=7f5f9d4b4010 a1=80002 a2=0 a3=77687a2f746e6d2f items=0 ppid=1 pid=10984 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c137,c418 key=(null)
type=AVC msg=audit(1373270543.375:1282): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file

5. Check the avc info with the auvirt command; nothing about the avc event is shown
# auvirt --all-events|grep avc


Actual results:
Can't find the "avc" event with auvirt command

Expected results:
Should find the "avc" event successfully with the auvirt command
Comment 2 Milos Malik 2013-07-08 09:26:07 EDT
I believe that the bug should be reported against audit component, because auvirt does not belong to selinux-policy component.
Comment 3 Steve Grubb 2013-07-15 10:36:07 EDT
Any chance you can attach the logs? Stop the audit daemon, delete the logs in /var/log/audit/, start auditd, start the VM, when you see the avc has occurred stop the audit daemon, then attach audit.log to this bz. Thanks.
Comment 4 zhenfeng wang 2013-07-17 04:03:26 EDT
Created attachment 774658 [details]
the audit.log
Comment 5 RHEL Product and Program Management 2014-03-22 02:44:51 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 7 zhenfeng wang 2015-08-02 22:34:40 EDT
Hi,
While we start a guest with iothread configured, we could get the event with the ausearch command; however, we couldn't get it with the auvirt command, so we doubt whether we should include this event in the auvirt command. If not, can you show me which types of events we should track, so that we can update our test cases correctly? Thanks.

1. Start a guest with iothread configured
# virsh dumpxml rhel7.0
--
  <iothreads>4</iothreads>
  <iothreadids>
    <iothread id='1'/>
    <iothread id='2'/>
    <iothread id='3'/>
    <iothread id='4'/>
  </iothreadids>

2. Check the audit log with the ausearch command; the audit log about iothreads can be seen

# ausearch -ts today -m VIRT_RESOURCE | grep 'iothread'
type=VIRT_RESOURCE msg=audit(1436256617.284:46835): pid=5033 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=start vm="rhel7.0" uuid=322b9657-5616-4b5a-bfc8-a05475c2873e old-iothread=0 new-iothread=4 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'


3. Check the audit log with the auvirt command; the iothreads do not appear in the output
# auvirt --all-events
--
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	deny      	all		
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	path	rw	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:26                   	cgroup      	allow     	major	rw	pty
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	disk        	start     	/mnt/zhwang/img/vm3.qcow2
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	net         	start     	"52:54:00:6e:35:dc"
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	mem         	start     	1048576
res   rhel7.0                  	root       	Tue Jul  7 16:27                   	vcpu        	start     	2
start rhel7.0                  	root       	Tue Jul  7 16:27
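The two gaps reported in this bug, AVC denials raised by sVirt-confined qemu-kvm processes (Scenarios 1 and 2 in the description) and libvirt's VIRT_RESOURCE iothread record (this comment), are exactly the records a VM-centric audit report must pick up from audit.log. The following is an added example written for this page; it is not code from the audit package or from auvirt. It parses the record formats quoted above, keeps AVCs whose source context is a guest domain (assumed here to be svirt_t only) together with VIRT_RESOURCE records, and groups the denials by the guest's MCS label. The sample records are assembled from the ones quoted in this bug, plus one httpd_t AVC invented here to show the filter; the row layout is an assumption modelled loosely on auvirt's output. auvirt itself also has to map a label back to a VM name (libvirt records the guest's context when it starts), which this example leaves out.

```python
import re
import time
from collections import defaultdict

# Constructed sample: the AVC, SYSCALL and VIRT_RESOURCE records quoted in this
# bug, plus one non-guest AVC (comm="httpd", httpd_t) invented here to show the
# filter. It is not a real /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1372064957.566:958): arch=c000003e syscall=2 success=no exit=-13 a0=7fc6db3da390 a1=80800 a2=0 a3=fffffffc items=0 ppid=1 pid=3943 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1372064957.566:958): avc:  denied  { read } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1372064957.566:960): avc:  denied  { read write } for  pid=3943 comm="qemu-kvm" name="rhel7qcow2.img" dev="sda1" ino=1841127 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1373270543.370:1280): avc:  denied  { open } for  pid=10984 comm="qemu-kvm" path="/mnt/zhwang/rhel7raw.img" dev="0:32" ino=4000122 scontext=system_u:system_r:svirt_t:s0:c137,c418 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1372064999.000:970): avc:  denied  { read } for  pid=4000 comm="httpd" name="index.html" dev="sda1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=VIRT_RESOURCE msg=audit(1436256617.284:46835): pid=5033 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=iothread reason=start vm="rhel7.0" uuid=322b9657-5616-4b5a-bfc8-a05475c2873e old-iothread=0 new-iothread=4 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
"""

# type=... msg=audit(SECONDS.MILLIS:SERIAL): <rest of record>
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be "double-quoted", 'single-quoted' or bare
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=("[^"]*"|\'[^\']*\'|\S+)')
# SELinux domains sVirt confines guest processes in (assumption: svirt_t only)
GUEST_DOMAINS = {'svirt_t'}


def parse_kv(text):
    """Turn 'a=1 b="x y"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"\'') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit record into a flat dict; None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'time': float(m['ts']), 'serial': int(m['serial'])}
    if rec['type'] == 'AVC':
        a = AVC_RE.search(m['body'])
        if not a:
            return None
        rec['result'] = a['result']
        rec['perms'] = a['perms'].split()
        rec.update(parse_kv(a['fields']))
    else:
        rec.update(parse_kv(m['body']))
        # libvirt's VIRT_* records nest their own key=value pairs inside msg='...'
        if 'msg' in rec:
            rec.update(parse_kv(rec.pop('msg')))
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def split_context(ctx):
    """user:role:type[:mls] -> (type, mls); the MCS part is what identifies the guest."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        return None, ''
    return parts[2], parts[3] if len(parts) == 4 else ''


def guest_events(records):
    """Rows a VM-centric report should show: libvirt resource events plus AVCs
    whose source context is a sVirt guest domain. Everything else is dropped."""
    rows = []
    for r in records:
        if r['type'] == 'AVC':
            domain, mcs = split_context(r.get('scontext', ''))
            if domain not in GUEST_DOMAINS:
                continue  # denial for some other process, not a guest
            rows.append({'kind': 'avc', 'time': r['time'], 'label': mcs,
                         'comm': r.get('comm'), 'result': r['result'],
                         'perms': ' '.join(r['perms']), 'tclass': r.get('tclass'),
                         'target': r.get('path') or r.get('name') or '?',
                         'tcontext': r.get('tcontext')})
        elif r['type'] == 'VIRT_RESOURCE':
            change = {k: v for k, v in r.items() if k.startswith(('old-', 'new-'))}
            rows.append({'kind': 'res', 'time': r['time'], 'vm': r.get('vm'),
                         'resrc': r.get('resrc'), 'reason': r.get('reason'),
                         'change': change})
    return rows


def denials_by_label(rows):
    """Group denied AVCs by the guest's MCS label so each guest's failures read as one unit."""
    grouped = defaultdict(list)
    for row in rows:
        if row['kind'] == 'avc' and row['result'] == 'denied':
            grouped[row['label']].append((row['perms'], row['tclass'], row['target']))
    return dict(grouped)


def format_row(row):
    """Render a row in the spirit of 'auvirt --all-events' output (layout is assumed)."""
    when = time.strftime('%a %b %d %H:%M', time.localtime(row['time']))
    if row['kind'] == 'avc':
        return (f"avc   {row['label']:<16} {when}  {row['comm']}  {row['result']} "
                f"{{ {row['perms']} }} {row['tclass']} {row['target']} ({row['tcontext']})")
    change = ' '.join(f'{k}={v}' for k, v in row['change'].items())
    return f"res   {row['vm']:<16} {when}  {row['resrc']}  {row['reason']}  {change}"


if __name__ == '__main__':
    rows = guest_events(parse_log(SAMPLE_LOG))
    for row in rows:
        print(format_row(row))
    for label, denials in denials_by_label(rows).items():
        print(f'guest {label}: {len(denials)} denial(s)')
```

Run against a real log, `parse_log(open('/var/log/audit/audit.log').read())` replaces the constructed sample; the SYSCALL records that accompany each AVC parse but are dropped by guest_events, and the httpd_t denial is filtered out because its source domain is not a guest domain, which is the distinction auvirt relies on when it folds AVCs into a per-VM view.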
Comment 8 Steve Grubb 2015-08-03 11:34:19 EDT
The auvirt command is supposed to gather all events related to VMs. This includes AVCs because of the sVirt framework.
Comment 10 Steve Grubb 2017-09-23 14:39:02 EDT
Fixed in upstream commit ab077c4. Will be in audit-2.8. The attached log can be used for a test case.
Comment 11 Steve Grubb 2017-10-10 15:58:11 EDT
audit-2.8-1.el7 was built to resolve this issue.
