[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 18 12:30:18 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
>
> On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>>
> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com
>> <mailto:dwalsh at redhat.com> <mailto:dwalsh at redhat.com
>> <mailto:dwalsh at redhat.com>>> wrote:
>
>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>> Forwarding back to list. ---------- Forwarded message
>>> ---------- From: "Trey Dockendorf" <treydock at gmail.com
>>> <mailto:treydock at gmail.com> <mailto:treydock at gmail.com
>>> <mailto:treydock at gmail.com>>> Date: Oct
>> 17, 2011 10:06 AM Subject:
>>> Re: [CentOS] SELinux triggered during Libvirt snapshots To:
>>> "Daniel J Walsh" <dwalsh at redhat.com <mailto:dwalsh at redhat.com>
>> <mailto:dwalsh at redhat.com <mailto:dwalsh at redhat.com>>>
>
>
>
>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh
>>> <dwalsh at redhat.com <mailto:dwalsh at redhat.com>
>> <mailto:dwalsh at redhat.com <mailto:dwalsh at redhat.com>>> wrote:
>
>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>> I recently began getting periodic emails from SEalert
>>>>>> that SELinux is preventing /usr/libexec/qemu-kvm
>>>>>> "getattr" access from the directory I store all my
>>>>>> virtual machines for KVM.
>>>>>>
>>>>>> All VMs are stored under /vmstore , which is it's own
>>>>>> mount point, and every file and folder under /vmstore
>>>>>> currently has the correct context that was set by doing
>>>>>> the following:
>>>>>>
>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>>> restorecon -R /vmstore
>>>>>>
>>>>>> So far I've noticed then when taking snapshots and also
>>>>>> when using virsh to make changes to a domain's XML file.
>>>>>> I haven't had any problems for the 3 or 4 months I've
>>>>>> run this KVM server using SELinux on Enforcing, and so
>>>>>> I'm not really sure what information is helpful to debug
>>>>>> this. The server is CentOS 6 x86_64 updated to CR. This
>>>>>> is the raw audit entry, (hostname removed)
>>>>>>
>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
>>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
>>>>>> name="/" dev=dm-2 ino=2
>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>> node=kvmhost.tld type=SYSCALL
>>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
>>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
>>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
>>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
>>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295
>>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>
>>>>>> I've attached the alert email as a quote below,
>>>>>> (hostname removed)
>>>>>>
>>>>>> Any help is greatly appreciated, I've had to deal little
>>>>>> with SELinux fortunately, but at the moment am not
>>>>>> really sure if my snapshots are actually functional or if
>>>>>> this is just some false positive.
>>>>>>
>>>>>> Thanks - Trey
>>>>>>
>>>>>> Summary
>>>>>>>
>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
>>>>>>> access on /vmstore.
>>>>>>>
>>>>>>> Detailed Description
>>>>>>>
>>>>>>> SELinux denied access requested by qemu-kvm. It is not
>>>>>>> expected that this
>>>>>>>> access is required by qemu-kvm and this access may
>>>>>>>> signal an intrusion attempt. It is also possible
>>>>>>>> that the specific version or configuration of the
>>>>>>>> application is causing it to require additional
>>>>>>>> access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>>
>>>>>>> You can generate a local policy module to allow this
>>>>>>> access - see FAQ
>>>>>>>> Please file a bug report.
>>>>>>>
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context:
>>>>>>> system_u:system_r:svirt_t:s0:c772,c779
>>>>>>>
>>>>>>> Target Context: system_u:object_r:fs_t:s0
>>>>>>>
>>>>>>> Target Objects: /vmstore [ filesystem ]
>>>>>>>
>>>>>>> Source: qemu-kvm
>>>>>>>
>>>>>>> Source Path: /usr/libexec/qemu-kvm
>>>>>>>
>>>>>>> Port: <Unknown>
>>>>>>>
>>>>>>> Host: kvmhost.tld
>>>>>>>
>>>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>>>
>>>>>>> Target RPM Packages:
>>>>>>>
>>>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
>>>>>>>
>>>>>>> Selinux Enabled: True
>>>>>>>
>>>>>>> Policy Type: targeted
>>>>>>>
>>>>>>> Enforcing Mode: Enforcing
>>>>>>>
>>>>>>> Plugin Name: catchall
>>>>>>>
>>>>>>> Host Name: kvmhost.tld
>>>>>>>
>>>>>>> Platform: Linux kvmhost.tld
>>>>>>> 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
>>>>>>>> 19:49:27 BST 2011 x86_64 x86_64
>>>>>>>
>>>>>>> Alert Count: 1
>>>>>>>
>>>>>>> First Seen: Fri Oct 14 18:20:50 2011
>>>>>>>
>>>>>>> Last Seen: Fri Oct 14 18:20:50 2011
>>>>>>>
>>>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>>>
>>>>>>> Line Numbers:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>>
>>>>>>>
>>>>>>>> node=kvmhost.tld type=AVC
>>>>>>>> msg=audit(1318634450.285:28): avc: denied { getattr
>>>>>>>> } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2
>>>>>>>> ino=2
>>>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>>
>>>>>>> node=kvmhost.tld type=SYSCALL
>>>>>>> msg=audit(1318634450.285:28): arch=c000003e
>>>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
>>>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
>>>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
>>>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
>>>>>>>> ses=4294967295 comm="qemu-kvm"
>>>>>>>> exe="/usr/libexec/qemu-kvm"
>>>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779
>>>>>>>> key=(null)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> _______________________________________________ CentOS
>>>>>> mailing list CentOS at centos.org
>>>>>> <mailto:CentOS at centos.org>
>> <mailto:CentOS at centos.org <mailto:CentOS at centos.org>>
>>>>>> http://lists.centos.org/mailman/listinfo/centos
>
>
>>> THis is a bug in policy. It can be allowed for now.
>
>>> We have 6.2 selinux-policy preview package available on
>>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
>>> I believe all that is happening is qemu-kvm is noticing you
>>> have a file system mounted, and doing a getattr on it.
>
>
>>> Thanks for the help Dan. Is there something that could have
>>> triggered this between 6.0 and 6.1? This server was updated
>>> to 6.0 CR around the same time this began happening, so I want
>>> to make sure if it's an issue in CR that I can file a useful
>>> bug report.
>
>>> When updating selinux-policy, do I have to update all the RPMs
>>> listed or will that one package suffice?
>
>>> Thanks - Trey _______________________________________________
>>> CentOS mailing list CentOS at centos.org
>>> <mailto:CentOS at centos.org>
>> <mailto:CentOS at centos.org <mailto:CentOS at centos.org>>
>>> http://lists.centos.org/mailman/listinfo/centos
>
>> Did you add additional file systems?
>
>> Not after the upgrade. The same filesystems were in place using
>> 6.0 and 6.0 CR. The only change was the upgrade to CR.
>
>> - Trey
>
>
> Well I have no idea. Anyways it is not a problem allowing this
> access.
>
> What do I have to do to allow that access? Or should I update to
> the selinux-policy you linked ? Ive had little in the way of
> experience with selinux so this is all new.
>
> Thanks - Trey
>
You can allow it by executing the following as root.
# grep svirt /var/log/audit/audit.log | audit2allow -M mysvirt
# semodule -i mysvirt.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6dcVYACgkQrlYvE4MpobPduQCfZyY00S+74FBlLFqsBbk5bX5R
YKIAnjM+/Gb2H7BUgqKbn6xPVJARrkii
=uazZ
-----END PGP SIGNATURE-----
More information about the CentOS
mailing list