Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   KVM image problems (http://www.linux-archive.org/fedora-selinux-support/112565-kvm-image-problems.html)

Adam Huffman 06-24-2008 11:57 AM

KVM image problems
 
Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm
now seeing errors when running a virtual machine via KVM.


The image was created in virt-install quite a while ago:

-rwxr-xr-x root root system_u:object_r:xen_image_t XP1

However, after changing to enforcing mode I saw lots of these errors:



Summary:

SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1
(xen_image_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that
this access
is required by qemu-kvm and this access may signal an intrusion
attempt. It is
also possible that the specific version or configuration of the
application is

causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try
to restore

the default system file context for /var/lib/xen/images/XP1,

restorecon -v '/var/lib/xen/images/XP1'

If this does not work, there is currently no automatic way to allow
this access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)

against this package.

Additional Information:

Source Context system_u:system_r:qemu_t
Target Context user_u:object_r:xen_image_t
Target Objects /var/lib/xen/images/XP1 [ file ]
Source qemu-kvm
Source Path /usr/bin/qemu-kvm
Port <Unknown>
Host saintloup.smith.man.ac.uk
Source RPM Packages kvm-65-7.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-64.fc9

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name saintloup.smith.man.ac.uk
Platform Linux saintloup.smith.man.ac.uk
2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10
16:05:21

EDT 2008 x86_64 x86_64
Alert Count 105
First Seen Tue 24 Jun 2008 11:14:08 BST
Last Seen Tue 24 Jun 2008 11:15:23 BST
Local ID ae1ef75a-23f4-495d-af20-604d56fa2cde
Line Numbers

Raw Audit Messages

host=saintloup.smith.man.ac.uk type=AVC
msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827
comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983
scontext=system_u:system_r:qemu_t:s0
tcontext=user_u:object_r:xen_image_t:s0 tclass=file


host=saintloup.smith.man.ac.uk type=SYSCALL
msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no
exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)





I received a permission denied error when I tried manually to change the
file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do
anything.


Adam

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

"Daniel P. Berrange" 06-24-2008 01:49 PM

KVM image problems
 
On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:
> Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm
> now seeing errors when running a virtual machine via KVM.
>
> The image was created in virt-install quite a while ago:
>
> -rwxr-xr-x root root system_u:object_r:xen_image_t XP1
>
> However, after changing to enforcing mode I saw lots of these errors:

Xen is not KVM.

Your image has the xen_image_t label because its in /var/lib/xen/images

By default KVM images live in /var/lib/libvirt/images/ and have
virt_image_t label. Xen probably ought to be allowed to read virt_image_t
and then we should change /var/lib/xen/images/ to also be virt_image_t
and get rid of xen_image_t. It is not nice to have different labels and
locations for different virt technology. So we should make sure everything
is using the generic virt_image_t

In the meantime you can either move your images or relabel them to be
virT_image_t for use with KVM

Regards,
Daniel.
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Adam Huffman 06-24-2008 03:34 PM

KVM image problems
 
Daniel P. Berrange wrote:

On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:

Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm
now seeing errors when running a virtual machine via KVM.


The image was created in virt-install quite a while ago:

-rwxr-xr-x root root system_u:object_r:xen_image_t XP1

However, after changing to enforcing mode I saw lots of these errors:



Xen is not KVM.

Your image has the xen_image_t label because its in /var/lib/xen/images


Yes, I always found that location a bit odd, but that's where I was told
to put them
the last time I had similar trouble (i.e. if I didn't put them in
/var/lib/xen/images, they wouldn't

pick up the right context).


By default KVM images live in /var/lib/libvirt/images/ and have
virt_image_t label. Xen probably ought to be allowed to read virt_image_t
and then we should change /var/lib/xen/images/ to also be virt_image_t
and get rid of xen_image_t. It is not nice to have different labels and
locations for different virt technology. So we should make sure everything
is using the generic virt_image_t




That would be simpler, yes.

In the meantime you can either move your images or relabel them to be
virT_image_t for use with KVM



Yes, I've relabeled and that seems to have worked for now.

On a related point, will I need to apply virt_image_t to .iso files I'm
mounting in

these VMs?

Thanks,
Adam

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Daniel J Walsh 06-25-2008 11:24 AM

KVM image problems
 
Adam Huffman wrote:
> Daniel P. Berrange wrote:
>> On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:
>>
>>> Having applied Dan Walsh's suggested fix for a SpamAssassin problem,
>>> I'm now seeing errors when running a virtual machine via KVM.
>>>
>>> The image was created in virt-install quite a while ago:
>>>
>>> -rwxr-xr-x root root system_u:object_r:xen_image_t XP1
>>>
>>> However, after changing to enforcing mode I saw lots of these errors:
>>>
>>
>> Xen is not KVM.
>>
>> Your image has the xen_image_t label because its in /var/lib/xen/images
>>
>>
> Yes, I always found that location a bit odd, but that's where I was told
> to put them
> the last time I had similar trouble (i.e. if I didn't put them in
> /var/lib/xen/images, they wouldn't
> pick up the right context).
>
>> By default KVM images live in /var/lib/libvirt/images/ and have
>> virt_image_t label. Xen probably ought to be allowed to read virt_image_t
>> and then we should change /var/lib/xen/images/ to also be virt_image_t
>> and get rid of xen_image_t. It is not nice to have different labels and
>> locations for different virt technology. So we should make sure
>> everything
>> is using the generic virt_image_t
>>
>>
>
> That would be simpler, yes.
>> In the meantime you can either move your images or relabel them to be
>> virT_image_t for use with KVM
>>
>>
> Yes, I've relabeled and that seems to have worked for now.
>
> On a related point, will I need to apply virt_image_t to .iso files I'm
> mounting in
> these VMs?
>
> Thanks,
> Adam
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No just image files.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


All times are GMT. The time now is 12:37 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.