Bug 996499 - SELinux is preventing /usr/lib64/valgrind/memcheck-amd64-linux from using the transition access on a process
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
6.5
Unspecified Linux
medium Severity medium
Assigned To: Miroslav Grepl
Michal Trunecka
Reported: 2013-08-13 06:04 EDT by Xuesong Zhang
Modified: 2014-09-30 19:35 EDT
Fixed In Version: selinux-policy-3.7.19-214.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 05:48:42 EST
Type: Bug

Description Xuesong Zhang 2013-08-13 06:04:37 EDT
Description of problem:
If the libvirtd service is started with valgrind, the guest can't be started.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6.noarch
valgrind-3.8.1-3.2.el6.x86_64
libvirt-0.10.2-21.el6.x86_64
qemu-img-rhev-0.12.1.2-2.386.el6.x86_64
kernel-2.6.32-411.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. stop the libvirtd service
# service libvirtd stop
Stopping libvirtd daemon:                                  [  OK  ]

2. turn on the related Boolean value
# getsebool -a|grep virt
virt_use_comm --> on
virt_use_execmem --> on
virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off

3. start libvirtd with the valgrind tool
# valgrind -v --leak-check=full libvirtd

4. start the guest
# virsh start r6
error: Failed to start domain r6
error: internal error Process exited while reading console log output: 

5. Then the following message is generated by valgrind.
==29447== execve(0x16abdc20(/usr/libexec/qemu-kvm), 0x1740daf0, 0x16abdc80) failed, errno 13
==29447== EXEC FAILED: I can't recover from execve() failing, so I'm dying.
==29447== Add more stringent tests in PRE(sys_execve), or work out how to recover.
--29324-- memcheck GC: 1000 nodes, 433 survivors ( 43.3%)
--29324-- memcheck GC: 1014 new table size (driftup)
--29324-- memcheck GC: 1014 nodes, 499 survivors ( 49.2%)
--29324-- memcheck GC: 1029 new table size (driftup)
--29324-- memcheck GC: 1029 nodes, 635 survivors ( 61.7%)
--29324-- memcheck GC: 1455 new table size (stepup)
--29324-- memcheck GC: 1455 nodes, 894 survivors ( 61.4%)
--29324-- memcheck GC: 2057 new table size (stepup)
--29324-- memcheck GC: 2057 nodes, 1166 survivors ( 56.6%)
--29324-- memcheck GC: 2909 new table size (stepup)
--29324-- memcheck GC: 2909 nodes, 1667 survivors ( 57.3%)
--29324-- memcheck GC: 4113 new table size (stepup)
--29324-- memcheck GC: 4113 nodes, 2262 survivors ( 54.9%)
--29324-- memcheck GC: 5816 new table size (stepup)
--29324-- memcheck GC: 5816 nodes, 3234 survivors ( 55.6%)
--29324-- memcheck GC: 8225 new table size (stepup)
--29324-- memcheck GC: 8225 nodes, 4555 survivors ( 55.3%)
--29324-- memcheck GC: 11631 new table size (stepup)
--29324-- memcheck GC: 11631 nodes, 6650 survivors ( 57.1%)
--29324-- memcheck GC: 16448 new table size (stepup)

6. check the avc in audit.log
# grep avc /var/log/audit/audit.log
type=AVC msg=audit(1376386424.870:319): avc:  denied  { transition } for  pid=29447 comm="memcheck-amd64-" path="/usr/libexec/qemu-kvm" dev=sda2 ino=4851503 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c2,c206 tclass=process



Actual results:
as steps

Expected results:
the guest can be started while the libvirtd is started with valgrind

Additional info:

Comment 2 Daniel Walsh 2013-08-13 18:22:47 EDT
Miroslav, we should just allow this.

Comment 5 errata-xmlrpc 2013-11-21 05:48:42 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
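
The AVC record from step 6 can be broken down to see exactly which access was refused. The following is an added example, not part of the original bug report or of the selinux-policy fix: it parses the record and derives the type-enforcement rule the denial corresponds to, in the style of audit2allow output. The function names are hypothetical.

```python
import re

# AVC record copied verbatim from step 6 of the bug report.
SAMPLE = (
    'type=AVC msg=audit(1376386424.870:319): avc:  denied  { transition } for  '
    'pid=29447 comm="memcheck-amd64-" path="/usr/libexec/qemu-kvm" dev=sda2 '
    'ino=4851503 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:svirt_t:s0:c2,c206 tclass=process'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) > 3 else None}


def parse_avc(line):
    """Parse one audit.log line; return None when it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError(f'AVC record lacks {sorted(missing)}')
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'source': parse_context(fields['scontext']),
            'target': parse_context(fields['tcontext']),
            'tclass': fields['tclass'], 'fields': fields}


def to_allow_rule(avc):
    """Render the TE rule matching the denial (types only; ranges are ignored)."""
    src, tgt = avc['source']['type'], avc['target']['type']
    tgt = 'self' if tgt == src else tgt
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perms};"


if __name__ == '__main__':
    print(to_allow_rule(parse_avc(SAMPLE)))
```

The derived rule only states what the denial asks for: processes in unconfined_execmem_t (here, valgrind's memcheck running libvirtd) being permitted to transition into svirt_t when executing /usr/libexec/qemu-kvm.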
