» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


02-13-2008, 06:51 PM
"Tom London"

qemu-kvm AVC

Hadn't run qemu-kvm for a bit.

Now get this AVC (both enforcing/targeted):


type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for
pid=10351 comm="qemu-kvm"
scontext=unconfined_u:unconfined_r:unconfined_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125
success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0
ppid=3049 pid=10351 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:unconfined_t:s0
key=(null)

Not sure if it interferes with anything....

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
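
Added example, not part of the original post: a short Python decoder for the two audit records quoted above. It pairs them by event id and shows that the denied call is an `mprotect` requesting a writable and executable mapping, the operation the `execmem` permission governs. The i386 syscall mapping (125 = `mprotect`), the `PROT_*` table and the function names are supplied here, not taken from the thread.

```python
import errno
import re

# Constructed input: the AVC and SYSCALL records from the post, each re-joined
# onto one line (the e-mail wrapped them); the SYSCALL record is abridged.
RECORDS = [
    'type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for '
    'pid=10351 comm="qemu-kvm" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0 '
    'pid=10351 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"',
]

# Partial table keyed by (audit arch, syscall number); 0x40000003 is i386.
SYSCALLS = {(0x40000003, 125): "mprotect"}
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse(record):
    """Split one audit record into key=value fields, event id and denied perms."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    fields["event"] = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    denied = re.search(r"denied\s+\{([^}]*)\}", record)
    fields["perms"] = denied.group(1).split() if denied else []
    return fields

def explain(records):
    """Pair AVC and SYSCALL records by event id and decode the denied call."""
    events = {}
    for rec in map(parse, records):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, recs in events.items():
        if "AVC" not in recs or "SYSCALL" not in recs:
            continue                  # nothing to correlate for this event
        avc, sc = recs["AVC"], recs["SYSCALL"]
        name = SYSCALLS.get((int(sc["arch"], 16), int(sc["syscall"])))
        prot = int(sc["a2"], 16) if name == "mprotect" else 0  # a0..a3 are hex
        findings.append({
            "event": event, "comm": sc["comm"], "perms": avc["perms"],
            "syscall": name or "syscall#" + sc["syscall"],
            "prot": [n for bit, n in PROT.items() if prot & bit],
            "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
            "writable_and_executable": (prot & 6) == 6,
        })
    return findings

if __name__ == "__main__":
    print(*explain(RECORDS), sep="\n")
```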
 
02-14-2008, 02:58 PM
"Tom London"

qemu-kvm AVC

On Wed, Feb 13, 2008 at 11:51 AM, Tom London <selinux@gmail.com> wrote:
> Hadn't run qemu-kvm for a bit.
>
> Now get this AVC (both enforcing/targeted):
>
>
> type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for
> pid=10351 comm="qemu-kvm"
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
> type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125
> success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0
> ppid=3049 pid=10351 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="qemu-kvm"
> exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:unconfined_t:s0
> key=(null)
>
> Not sure if it interferes with anything....
>
Believe this causes this:

Feb 14 07:55:10 localhost kernel: qemu-kvm[7350] general protection
ip:80d6ffd sp:bfb48e40 error:0 in qemu-kvm[8047000+12d000]
Feb 14 07:55:10 localhost setroubleshoot: SELinux is preventing
qemu-kvm from changing a writable memory segment executable. For
complete SELinux messages. run sealert -l
f7ee40db-9506-48d2-bde6-396eb39ef085


--
Tom London

 
02-14-2008, 07:21 PM
Daniel J Walsh

qemu-kvm AVC

Tom London wrote:
> On Wed, Feb 13, 2008 at 11:51 AM, Tom London <selinux@gmail.com> wrote:
>> Hadn't run qemu-kvm for a bit.
>>
>> Now get this AVC (both enforcing/targeted):
>>
>>
>> type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for
>> pid=10351 comm="qemu-kvm"
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125
>> success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0
>> ppid=3049 pid=10351 auid=500 uid=500 gid=500 euid=500 suid=500
>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="qemu-kvm"
>> exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:unconfined_t:s0
>> key=(null)
>>
>> Not sure if it interferes with anything....
>>
> Believe this causes this:
>
> Feb 14 07:55:10 localhost kernel: qemu-kvm[7350] general protection
> ip:80d6ffd sp:bfb48e40 error:0 in qemu-kvm[8047000+12d000]
> Feb 14 07:55:10 localhost setroubleshoot: SELinux is preventing
> qemu-kvm from changing a writable memory segment executable. For
> complete SELinux messages. run sealert -l
> f7ee40db-9506-48d2-bde6-396eb39ef085
>
>

There is a new boolean
allow_unconfined_qemu_transition

That will run qemu under a confined domain. So if you turn it on, you
get execmem.

Today's rawhide should give it execmem if the transition is off also.

I use virt-manager to start my qemu, which runs them in a confined domain.

 

All times are GMT.