I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
All VMs are stored under /vmstore , which is it's own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
semanage fcontext -a -t virt_image_t "/vmstore(/.*)?" restorecon -R /vmstore
So far I've noticed then when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry, (hostname removed)
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
I've attached the alert email as a quote below, (hostname removed)
Any help is greatly appreciated, I've had to deal little with SELinux fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
Thanks - Trey
Summary
SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
Detailed Description
SELinux denied access requested by qemu-kvm. It is not expected that this
access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ
Please file a bug report.
Additional Information
Source Context: system_u:system_r:svirt_t:s0:c772,c779
Target Context: system_u:object_r:fs_t:s0
Target Objects: /vmstore [ filesystem ]
Source: qemu-kvm
Source Path: /usr/libexec/qemu-kvm
Port: <Unknown>
Host: kvmhost.tld
Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
Target RPM Packages:
Policy RPM: selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: kvmhost.tld
Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
19:49:27 BST 2011 x86_64 x86_64
Alert Count: 1
First Seen: Fri Oct 14 18:20:50 2011
Last Seen: Fri Oct 14 18:20:50 2011
Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
Line Numbers:
Raw Audit Messages :
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e
syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
I recently began getting periodic emails from SEalert that SELinux is preventing /usr/libexec/qemu-kvm "getattr" access from the directory I store all my virtual machines for KVM.
All VMs are stored under /vmstore , which is it's own mount point, and every file and folder under /vmstore currently has the correct context that was set by doing the following:
semanage fcontext -a -t virt_image_t "/vmstore(/.*)?" restorecon -R /vmstore
So far I've noticed then when taking snapshots and also when using virsh to make changes to a domain's XML file. I haven't had any problems for the 3 or 4 months I've run this KVM server using SELinux on Enforcing, and so I'm not really sure what information is helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry, (hostname removed)
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
I've attached the alert email as a quote below, (hostname removed)
Any help is greatly appreciated, I've had to deal little with SELinux fortunately, but at the moment am not really sure if my snapshots are actually functional or if this is just some false positive.
Thanks - Trey
Summary
SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
Detailed Description
SELinux denied access requested by qemu-kvm. It is not expected that this
access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ
Please file a bug report.
Additional Information
Source Context: system_u:system_r:svirt_t:s0:c772,c779
Target Context: system_u:object_r:fs_t:s0
Target Objects: /vmstore [ filesystem ]
Source: qemu-kvm
Source Path: /usr/libexec/qemu-kvm
Port: <Unknown>
Host: kvmhost.tld
Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
Target RPM Packages:
Policy RPM: selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: kvmhost.tld
Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
19:49:27 BST 2011 x86_64 x86_64
Alert Count: 1
First Seen: Fri Oct 14 18:20:50 2011
Last Seen: Fri Oct 14 18:20:50 2011
Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
Line Numbers:
Raw Audit Messages :
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e
syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
THis is a bug in policy. It can be allowed for now.
We have 6.2 selinux-policy preview package available on http://people.redhat.com/dwalsh/SELinux/RHEL6
I believe all that is happening is qemu-kvm is noticing you have a file system mounted, and doing a getattr on it.
-
Daniel J Walsh -
Trey Dockendorf