10-17-2011, 03:19 PM
Trey Dockendorf

Fwd: SELinux triggered during Libvirt snapshots

Forwarding back to list.
---------- Forwarded message ----------
From: "Trey Dockendorf" <treydock@gmail.com>
Date: Oct 17, 2011 10:06 AM
Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
To: "Daniel J Walsh" <dwalsh@redhat.com>



On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> > I recently began getting periodic emails from SEalert that SELinux
> > is preventing /usr/libexec/qemu-kvm "getattr" access from the
> > directory I store all my virtual machines for KVM.
> >
> > All VMs are stored under /vmstore, which is its own mount point,
> > and every file and folder under /vmstore currently has the correct
> > context that was set by doing the following:
> >
> > semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> > restorecon -R /vmstore
> >
> > So far I've noticed them when taking snapshots and also when using
> > virsh to make changes to a domain's XML file. I haven't had any
> > problems for the 3 or 4 months I've run this KVM server using
> > SELinux on Enforcing, and so I'm not really sure what information
> > is helpful to debug this. The server is CentOS 6 x86_64 updated to
> > CR. This is the raw audit entry, (hostname removed)
> >
> > node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied
> > { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2
> > scontext=system_u:system_r:svirt_t:s0:c772,c779
> > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> > node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
> > arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> > a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
> > uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107
> > fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm"
> > exe="/usr/libexec/qemu-kvm"
> > subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >
> > I've attached the alert email as a quote below, (hostname removed)
> >
> > Any help is greatly appreciated, I've had to deal little with
> > SELinux fortunately, but at the moment am not really sure if my
> > snapshots are actually functional or if this is just some false
> > positive.
> >
> > Thanks - Trey
> >
> > Summary
> >>
> >> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on
> >> /vmstore.
> >>
> >> Detailed Description
> >>
> >> SELinux denied access requested by qemu-kvm. It is not expected
> >> that this access is required by qemu-kvm and this access may signal
> >> an intrusion attempt. It is also possible that the specific version
> >> or configuration of the application is causing it to require
> >> additional access.
> >>
> >> Allowing Access
> >>
> >> You can generate a local policy module to allow this access - see
> >> FAQ
> >> Please file a bug report.
> >>
> >> Additional Information
> >>
> >> Source Context: system_u:system_r:svirt_t:s0:c772,c779
> >> Target Context: system_u:object_r:fs_t:s0
> >> Target Objects: /vmstore [ filesystem ]
> >> Source: qemu-kvm
> >> Source Path: /usr/libexec/qemu-kvm
> >> Port: <Unknown>
> >> Host: kvmhost.tld
> >> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
> >> Target RPM Packages:
> >> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
> >> Selinux Enabled: True
> >> Policy Type: targeted
> >> Enforcing Mode: Enforcing
> >> Plugin Name: catchall
> >> Host Name: kvmhost.tld
> >> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP
> >> Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
> >> Alert Count: 1
> >> First Seen: Fri Oct 14 18:20:50 2011
> >> Last Seen: Fri Oct 14 18:20:50 2011
> >> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
> >> Line Numbers:
> >>
> >> Raw Audit Messages:
> >>
> >> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc:
> >> denied { getattr } for pid=1842 comm="qemu-kvm" name="/"
> >> dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779
> >> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>
> >> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
> >> arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> >> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107
> >> gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107
> >> tty=(none) ses=4294967295 comm="qemu-kvm"
> >> exe="/usr/libexec/qemu-kvm"
> >> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>
> > _______________________________________________ CentOS mailing
> > list CentOS@centos.org
> > http://lists.centos.org/mailman/listinfo/centos
>
>
> This is a bug in policy. It can be allowed for now.
>
> We have 6.2 selinux-policy preview package available on
> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
> I believe all that is happening is qemu-kvm is noticing you have a
> file system mounted, and doing a getattr on it.

Thanks for the help Dan. Is there something that could have triggered this
between 6.0 and 6.1? This server was updated to 6.0 CR around the same time
this began happening, so I want to make sure if it's an issue in CR that I
can file a useful bug report.

When updating selinux-policy, do I have to update all the RPMs listed or
will that one package suffice?

Thanks
- Trey
 
10-17-2011, 03:30 PM
Daniel J Walsh

Fwd: SELinux triggered during Libvirt snapshots

On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> Thanks for the help Dan. Is there something that could have
> triggered this between 6.0 and 6.1? This server was updated to 6.0
> CR around the same time this began happening, so I want to make
> sure if it's an issue in CR that I can file a useful bug report.
>
> When updating selinux-policy, do I have to update all the RPMs
> listed or will that one package suffice?
>
> Thanks - Trey

Did you add additional file systems?
 
10-17-2011, 06:09 PM
Trey Dockendorf

Fwd: SELinux triggered during Libvirt snapshots

On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> Did you add additional file systems?

Not after the upgrade. The same filesystems were in place using 6.0 and 6.0
CR. The only change was the upgrade to CR.

- Trey
 
10-17-2011, 07:06 PM
Daniel J Walsh

Fwd: SELinux triggered during Libvirt snapshots

On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> Did you add additional file systems?
>
> Not after the upgrade. The same filesystems were in place using
> 6.0 and 6.0 CR. The only change was the upgrade to CR.
>
> - Trey
>

Well I have no idea. Anyways it is not a problem allowing this access.
 
10-17-2011, 07:40 PM
Trey Dockendorf

Fwd: SELinux triggered during Libvirt snapshots

On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> > On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh@redhat.com
> > <mailto:dwalsh@redhat.com>> wrote:
> >>
> > On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> >> Forwarding back to list. ---------- Forwarded message ----------
> >> From: "Trey Dockendorf" <treydock@gmail.com
> >> <mailto:treydock@gmail.com>> Date: Oct 17, 2011 10:06 AM Subject:
> >> Re: [CentOS] SELinux triggered during Libvirt snapshots To:
> >> "Daniel J Walsh" <dwalsh@redhat.com <mailto:dwalsh@redhat.com>>
> >
> >
> >
> >> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh
> >> <dwalsh@redhat.com <mailto:dwalsh@redhat.com>> wrote:
> >
> >> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> >>>>> I recently began getting periodic emails from SEalert that
> >>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
> >>>>> access from the directory I store all my virtual machines
> >>>>> for KVM.
> >>>>>
> >>>>> All VMs are stored under /vmstore , which is it's own
> >>>>> mount point, and every file and folder under /vmstore
> >>>>> currently has the correct context that was set by doing the
> >>>>> following:
> >>>>>
> >>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> >>>>> restorecon -R /vmstore
> >>>>>
> >>>>> So far I've noticed then when taking snapshots and also
> >>>>> when using virsh to make changes to a domain's XML file.
> >>>>> I haven't had any problems for the 3 or 4 months I've run
> >>>>> this KVM server using SELinux on Enforcing, and so I'm not
> >>>>> really sure what information is helpful to debug this. The
> >>>>> server is CentOS 6 x86_64 updated to CR. This is the raw
> >>>>> audit entry, (hostname removed)
> >>>>>
> >>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
> >>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
> >>>>> name="/" dev=dm-2 ino=2
> >>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>> tcontext=system_ubject_r:fs_t:s0 tclass=filesystem
> >>>>> node=kvmhost.tld type=SYSCALL
> >>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
> >>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
> >>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
> >>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
> >>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295
> >>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
> >>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>
> >>>>> I've attached the alert email as a quote below, (hostname
> >>>>> removed)
> >>>>>
> >>>>> Any help is greatly appreciated, I've had to deal little
> >>>>> with SELinux fortunately, but at the moment am not really
> >>>>> sure if my snapshots are actually functional or if this is
> >>>>> just some false positive.
> >>>>>
> >>>>> Thanks - Trey
> >>>>>
> >>>>> Summary
> >>>>>>
> >>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
> >>>>>> access on /vmstore.
> >>>>>>
> >>>>>> Detailed Description
> >>>>>>
> >>>>>> SELinux denied access requested by qemu-kvm. It is not
> >>>>>> expected that this
> >>>>>>> access is required by qemu-kvm and this access may
> >>>>>>> signal an intrusion attempt. It is also possible that
> >>>>>>> the specific version or configuration of the
> >>>>>>> application is causing it to require additional
> >>>>>>> access.
> >>>>>>
> >>>>>> Allowing Access
> >>>>>>
> >>>>>> You can generate a local policy module to allow this
> >>>>>> access - see FAQ
> >>>>>>> Please file a bug report.
> >>>>>>
> >>>>>> Additional Information
> >>>>>>
> >>>>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>
> >>>>>> Target Context: system_ubject_r:fs_t:s0
> >>>>>>
> >>>>>> Target Objects: /vmstore [ filesystem ]
> >>>>>>
> >>>>>> Source: qemu-kvm
> >>>>>>
> >>>>>> Source Path: /usr/libexec/qemu-kvm
> >>>>>>
> >>>>>> Port: <Unknown>
> >>>>>>
> >>>>>> Host: kvmhost.tld
> >>>>>>
> >>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
> >>>>>>
> >>>>>> Target RPM Packages:
> >>>>>>
> >>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
> >>>>>>
> >>>>>> Selinux Enabled: True
> >>>>>>
> >>>>>> Policy Type: targeted
> >>>>>>
> >>>>>> Enforcing Mode: Enforcing
> >>>>>>
> >>>>>> Plugin Name: catchall
> >>>>>>
> >>>>>> Host Name: kvmhost.tld
> >>>>>>
> >>>>>> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64
> >>>>>> #1 SMP Mon Jun 27
> >>>>>>> 19:49:27 BST 2011 x86_64 x86_64
> >>>>>>
> >>>>>> Alert Count: 1
> >>>>>>
> >>>>>> First Seen: Fri Oct 14 18:20:50 2011
> >>>>>>
> >>>>>> Last Seen: Fri Oct 14 18:20:50 2011
> >>>>>>
> >>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
> >>>>>>
> >>>>>> Line Numbers:
> >>>>>>
> >>>>>> Raw Audit Messages :
> >>>>>>
> >>>>>>
> >>>>>>> node=kvmhost.tld type=AVC
> >>>>>>> msg=audit(1318634450.285:28): avc: denied { getattr }
> >>>>>>> for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2
> >>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>> tcontext=system_ubject_r:fs_t:s0 tclass=filesystem
> >>>>>>
> >>>>>> node=kvmhost.tld type=SYSCALL
> >>>>>> msg=audit(1318634450.285:28): arch=c000003e
> >>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> >>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
> >>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
> >>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
> >>>>>>> ses=4294967295 comm="qemu-kvm"
> >>>>>>> exe="/usr/libexec/qemu-kvm"
> >>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>>
> >>>>>>
> >>>>>>
> >
> >
> >> This is a bug in policy. It can be allowed for now.
> >
> >> We have 6.2 selinux-policy preview package available on
> >> http://people.redhat.com/dwalsh/SELinux/RHEL6
> >
> >> I believe all that is happening is qemu-kvm is noticing you have
> >> a file system mounted, and doing a getattr on it.
> >
> >
> >> Thanks for the help Dan. Is there something that could have
> >> triggered this between 6.0 and 6.1? This server was updated to
> >> 6.0 CR around the same time this began happening, so I want to
> >> make sure if it's an issue in CR that I can file a useful bug
> >> report.
> >
> >> When updating selinux-policy, do I have to update all the RPMs
> >> listed or will that one package suffice?
> >
> >> Thanks - Trey
> >
> > Did you add additional file systems?
> >
> > Not after the upgrade. The same filesystems were in place using
> > 6.0 and 6.0 CR. The only change was the upgrade to CR.
> >
> > - Trey
> >
>
> Well I have no idea. Anyways it is not a problem allowing this access.

What do I have to do to allow that access? Or should I update to the
selinux-policy you linked? I've had little in the way of experience with
selinux so this is all new.

Thanks
- Trey
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-19-2011, 03:06 PM
Trey Dockendorf
 
Default Fwd: SELinux triggered during Libvirt snapshots

On Tue, Oct 18, 2011 at 7:30 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
> >
> > On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> >>
> > On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> >> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:
> >
> >> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> >>> Forwarding back to list.
> >>> ---------- Forwarded message ----------
> >>> From: "Trey Dockendorf" <treydock@gmail.com>
> >>> Date: Oct 17, 2011 10:06 AM
> >>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
> >>> To: "Daniel J Walsh" <dwalsh@redhat.com>
> >
> >
> >
> >>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> >>>>>> I recently began getting periodic emails from SEalert
> >>>>>> that SELinux is preventing /usr/libexec/qemu-kvm
> >>>>>> "getattr" access from the directory I store all my
> >>>>>> virtual machines for KVM.
> >>>>>>
> >>>>>> All VMs are stored under /vmstore, which is its own
> >>>>>> mount point, and every file and folder under /vmstore
> >>>>>> currently has the correct context that was set by doing
> >>>>>> the following:
> >>>>>>
> >>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> >>>>>> restorecon -R /vmstore
> >>>>>>
> >>>>>> So far I've noticed this when taking snapshots and also
> >>>>>> when using virsh to make changes to a domain's XML file.
> >>>>>> I haven't had any problems for the 3 or 4 months I've
> >>>>>> run this KVM server using SELinux on Enforcing, and so
> >>>>>> I'm not really sure what information is helpful to debug
> >>>>>> this. The server is CentOS 6 x86_64 updated to CR. This
> >>>>>> is the raw audit entry, (hostname removed)
> >>>>>>
> >>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
> >>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
> >>>>>> name="/" dev=dm-2 ino=2
> >>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>>>> node=kvmhost.tld type=SYSCALL
> >>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
> >>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
> >>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
> >>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
> >>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295
> >>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
> >>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>>
> >>>>>> I've attached the alert email as a quote below,
> >>>>>> (hostname removed)
> >>>>>>
> >>>>>> Any help is greatly appreciated, I've had to deal little
> >>>>>> with SELinux fortunately, but at the moment am not
> >>>>>> really sure if my snapshots are actually functional or if
> >>>>>> this is just some false positive.
> >>>>>>
> >>>>>> Thanks - Trey
> >>>>>>
> >>>>>> Summary
> >>>>>>>
> >>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
> >>>>>>> access on /vmstore.
> >>>>>>>
> >>>>>>> Detailed Description
> >>>>>>>
> >>>>>>> SELinux denied access requested by qemu-kvm. It is not
> >>>>>>> expected that this
> >>>>>>>> access is required by qemu-kvm and this access may
> >>>>>>>> signal an intrusion attempt. It is also possible
> >>>>>>>> that the specific version or configuration of the
> >>>>>>>> application is causing it to require additional
> >>>>>>>> access.
> >>>>>>>
> >>>>>>> Allowing Access
> >>>>>>>
> >>>>>>> You can generate a local policy module to allow this
> >>>>>>> access - see FAQ
> >>>>>>>> Please file a bug report.
> >>>>>>>
> >>>>>>> Additional Information
> >>>>>>>
> >>>>>>> Source Context:
> >>>>>>> system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>>
> >>>>>>> Target Context: system_u:object_r:fs_t:s0
> >>>>>>>
> >>>>>>> Target Objects: /vmstore [ filesystem ]
> >>>>>>>
> >>>>>>> Source: qemu-kvm
> >>>>>>>
> >>>>>>> Source Path: /usr/libexec/qemu-kvm
> >>>>>>>
> >>>>>>> Port: <Unknown>
> >>>>>>>
> >>>>>>> Host: kvmhost.tld
> >>>>>>>
> >>>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
> >>>>>>>
> >>>>>>> Target RPM Packages:
> >>>>>>>
> >>>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
> >>>>>>>
> >>>>>>> Selinux Enabled: True
> >>>>>>>
> >>>>>>> Policy Type: targeted
> >>>>>>>
> >>>>>>> Enforcing Mode: Enforcing
> >>>>>>>
> >>>>>>> Plugin Name: catchall
> >>>>>>>
> >>>>>>> Host Name: kvmhost.tld
> >>>>>>>
> >>>>>>> Platform: Linux kvmhost.tld
> >>>>>>> 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
> >>>>>>>> 19:49:27 BST 2011 x86_64 x86_64
> >>>>>>>
> >>>>>>> Alert Count: 1
> >>>>>>>
> >>>>>>> First Seen: Fri Oct 14 18:20:50 2011
> >>>>>>>
> >>>>>>> Last Seen: Fri Oct 14 18:20:50 2011
> >>>>>>>
> >>>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
> >>>>>>>
> >>>>>>> Line Numbers:
> >>>>>>>
> >>>>>>> Raw Audit Messages :
> >>>>>>>
> >>>>>>>
> >>>>>>>> node=kvmhost.tld type=AVC
> >>>>>>>> msg=audit(1318634450.285:28): avc: denied { getattr
> >>>>>>>> } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2
> >>>>>>>> ino=2
> >>>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>>>>>
> >>>>>>> node=kvmhost.tld type=SYSCALL
> >>>>>>> msg=audit(1318634450.285:28): arch=c000003e
> >>>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> >>>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
> >>>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
> >>>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
> >>>>>>>> ses=4294967295 comm="qemu-kvm"
> >>>>>>>> exe="/usr/libexec/qemu-kvm"
> >>>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>>> key=(null)
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >
> >
> >>> This is a bug in policy. It can be allowed for now.
> >
> >>> We have 6.2 selinux-policy preview package available on
> >>> http://people.redhat.com/dwalsh/SELinux/RHEL6
> >
> >>> I believe all that is happening is qemu-kvm is noticing you
> >>> have a file system mounted, and doing a getattr on it.
> >
> >
> >>> Thanks for the help Dan. Is there something that could have
> >>> triggered this between 6.0 and 6.1? This server was updated
> >>> to 6.0 CR around the same time this began happening, so I want
> >>> to make sure if it's an issue in CR that I can file a useful
> >>> bug report.
> >
> >>> When updating selinux-policy, do I have to update all the RPMs
> >>> listed or will that one package suffice?
> >
> >>> Thanks - Trey
> >
> >> Did you add additional file systems?
> >
> >> Not after the upgrade. The same filesystems were in place using
> >> 6.0 and 6.0 CR. The only change was the upgrade to CR.
> >
> >> - Trey
> >
> >
> > Well I have no idea. Anyways it is not a problem allowing this
> > access.
> >
> > What do I have to do to allow that access? Or should I update to
> > the selinux-policy you linked? I've had little in the way of
> > experience with selinux so this is all new.
> >
> > Thanks - Trey
> >
>
> You can allow it by executing the following as root.
>
> # grep svirt /var/log/audit/audit.log | audit2allow -M mysvirt
> # semodule -i mysvirt.pp
>

That was easy enough, thanks for your help Daniel.

- Trey
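
The `grep svirt ... | audit2allow` step quoted above turns every svirt denial present in the audit log into an allow rule, not only the `getattr` on the filesystem discussed in this thread. The following is an added example, not part of the original posts and not audit2allow's own code: it parses AVC records and shows which rules the unfiltered log would produce next to the one that was reviewed. The second log record, the `REVIEWED` set and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the denial quoted in this thread
# (tcontext written out in full); the second record is invented to show
# what an unfiltered `grep svirt` would also pick up.
SAMPLE_LOG = '''\
type=AVC msg=audit(1318634450.285:28): avc:  denied  { getattr } for  pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1318634999.100:41): avc:  denied  { read write } for  pid=1842 comm="qemu-kvm" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 comm="qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def sel_type(context):
    """Return the type field (third element) of user:role:type[:level]."""
    return context.split(':')[2]

def denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no "avc: denied"
            key = (sel_type(m['scon']), sel_type(m['tcon']), m['tclass'])
            found[key].update(m['perms'].split())
    return dict(found)

def allow_rules(found, only=None):
    """Render allow rules; `only` restricts output to reviewed keys."""
    rules = []
    for (src, tgt, cls), perms in sorted(found.items()):
        if only is not None and (src, tgt, cls) not in only:
            continue
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

# Hypothetical review decision: only the denial discussed in the thread.
REVIEWED = {('svirt_t', 'fs_t', 'filesystem')}

if __name__ == '__main__':
    found = denials(SAMPLE_LOG)
    print('rules from every svirt denial:', *allow_rules(found), sep='\n  ')
    print('rules after review:', *allow_rules(found, REVIEWED), sep='\n  ')
```

On a real host the same review can be done by reading the `mysvirt.te` file that `audit2allow -M mysvirt` writes next to `mysvirt.pp` before running `semodule -i`.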