[CentOS] SELinux triggered during Libvirt snapshots

Daniel J Walsh dwalsh at redhat.com
Mon Oct 17 12:47:59 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> I recently began getting periodic emails from SEalert that SELinux
> is preventing /usr/libexec/qemu-kvm "getattr" access from the
> directory I store all my virtual machines for KVM.
> 
> All VMs are stored under /vmstore , which is its own mount point,
> and every file and folder under /vmstore currently has the correct
> context that was set by doing the following:
> 
> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> restorecon -R /vmstore
> 
> So far I've noticed that when taking snapshots and also when using
> virsh to make changes to a domain's XML file.  I haven't had any
> problems for the 3 or 4 months I've run this KVM server using
> SELinux on Enforcing, and so I'm not really sure what information
> is helpful to debug this.  The server is CentOS 6 x86_64 updated to
> CR.  This is the raw audit entry, (hostname removed)
> 
> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied
> { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 
> scontext=system_u:system_r:svirt_t:s0:c772,c779 
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
> arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107
> fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm"
> exe="/usr/libexec/qemu-kvm" 
> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> 
> I've attached the alert email as a quote below, (hostname removed)
> 
> Any help is greatly appreciated, I've had to deal little with
> SELinux fortunately, but at the moment am not really sure if my
> snapshots are actually functional or if this is just some false
> positive.
> 
> Thanks - Trey
> 
> Summary
>> 
>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on
>> /vmstore.
>> 
>> Detailed Description
>> 
>> SELinux denied access requested by qemu-kvm. It is not expected
>> that this access is required by qemu-kvm and this access may signal an
>> intrusion attempt. It is also possible that the specific
>> version or configuration of the application is causing it to
>> require additional access.
>> 
>> Allowing Access
>> 
>> You can generate a local policy module to allow this access - see
>> FAQ
>> Please file a bug report.
>> 
>> Additional Information
>> 
>> Source Context:   system_u:system_r:svirt_t:s0:c772,c779
>> 
>> Target Context:   system_u:object_r:fs_t:s0
>> 
>> Target Objects:   /vmstore [ filesystem ]
>> 
>> Source:   qemu-kvm
>> 
>> Source Path:   /usr/libexec/qemu-kvm
>> 
>> Port:   <Unknown>
>> 
>> Host:   kvmhost.tld
>> 
>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
>> 
>> Target RPM Packages:
>> 
>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
>> 
>> Selinux Enabled:   True
>> 
>> Policy Type:   targeted
>> 
>> Enforcing Mode:   Enforcing
>> 
>> Plugin Name:   catchall
>> 
>> Host Name:   kvmhost.tld
>> 
>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP
>> Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>> 
>> Alert Count:   1
>> 
>> First Seen:   Fri Oct 14 18:20:50 2011
>> 
>> Last Seen:   Fri Oct 14 18:20:50 2011
>> 
>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
>> 
>> Line Numbers:
>> 
>> Raw Audit Messages :
>> 
>> 
>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc:
>> denied { getattr } for pid=1842 comm="qemu-kvm" name="/"
>> dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779
>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>
>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
>> arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107
>> fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm"
>> exe="/usr/libexec/qemu-kvm"
>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>> 
>> 
>> 
> _______________________________________________ CentOS mailing
> list CentOS at centos.org 
> http://lists.centos.org/mailman/listinfo/centos


This is a bug in policy.  It can be allowed for now.

We have 6.2 selinux-policy preview package available on
http://people.redhat.com/dwalsh/SELinux/RHEL6

I believe all that is happening is qemu-kvm is noticing you have a
file system mounted, and doing a getattr on it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6cI/8ACgkQrlYvE4MpobM6/QCg1qs8iK+dVRsPNVB+QXgr0zEN
+EMAnAghOHYB4INQ/NH1D4i9k3uJD7Ob
=TfIB
-----END PGP SIGNATURE-----
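Added example (editor's, not part of the thread and not Red Hat's policy or tooling): a POSIX sh script that turns the AVC record quoted above into the minimal local policy module that "it can be allowed for now" implies, in the same shape audit2allow -M would produce. The AVC line is embedded as constructed input copied from the thread; the module name local_svirt_fsgetattr and the helper names (avc_field, avc_perms, ctx_type, avc_to_te) are this example's own. Two things worth checking in the alert before allowing anything: syscall=138 on x86_64 is fstatfs, which is consistent with a getattr on tclass=filesystem, and the target is the filesystem object itself (name="/" ino=2 on dm-2, labelled fs_t), not a file under /vmstore, which is why the virt_image_t relabel of the files could not have prevented this denial. The checkmodule/semodule_package/semodule commands are the standard policycoreutils ones and are printed rather than executed.

```shell
#!/bin/sh
# Added example: build a minimal SELinux policy module from one AVC record.
# Constructed input: the AVC line from the thread (hostname as posted).
AVC='node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field RECORD KEY: print the value of KEY=value in an audit record.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: print the permissions listed between "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of user:role:type[:level].
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te RECORD MODULE: emit Type Enforcement source that allows exactly
# the denied access and nothing else. Returns 1 if a field is missing.
avc_to_te() {
  src=$(ctx_type "$(avc_field "$1" scontext)")
  tgt=$(ctx_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
    "$2" "$src" "$tgt" "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

MOD=local_svirt_fsgetattr   # assumed module name for this example
avc_to_te "$AVC" "$MOD"
cat <<EOF

# Build and load on the KVM host (policycoreutils), then retry the snapshot:
#   checkmodule -M -m -o $MOD.mod $MOD.te
#   semodule_package -o $MOD.pp -m $MOD.mod
#   semodule -i $MOD.pp
# Confirm what is actually labelled: fs_t is the filesystem object, the
# files under it should still be virt_image_t:
#   ls -dZ /vmstore; matchpathcon /vmstore; semanage fcontext -l | grep '^/vmstore'
# Remove the workaround once the fixed selinux-policy is installed:
#   semodule -r $MOD
EOF
```

The generated rule grants svirt_t only getattr on the filesystem class (what statfs/fstatfs needs) and nothing on files, so a guest escaping to svirt_t gains no new access to images. Compare the output with what audit2allow proposes for the same record before installing; if audit2allow suggests anything broader than this one line, investigate the extra denials rather than install them.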