Hi,
on an up to date CentOS 5.4 x86_64 (test machine), I systematically get the following SELinux denial when I start a QEMU/KVM virtual machine via virt-manager:
SELinux is preventing qemu-kvm (qemu_t) "execute" to /dev/zero (zero_device_t). (full alert below)
Running the command suggested by the alert (restorecon -v '/dev/zero') does not solve the problem.
This does not prevent the VM to run, but I would like to better understand what is happening here and the potential impact on performance. And if there is not impact, find a way to get rid of this warning...
Thanks in advance for any idea!
Mathieu
Summary:
SELinux is preventing qemu-kvm (qemu_t) "execute" to /dev/zero (zero_device_t).
Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/zero,
restorecon -v '/dev/zero'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:qemu_t:SystemLow-SystemHigh Target Context system_u:object_r:zero_device_t Target Objects /dev/zero [ chr_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port <Unknown> Host alma Source RPM Packages kvm-83-105.el5_4.13 Target RPM Packages Policy RPM selinux-policy-2.4.6-255.el5_4.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name alma Platform Linux alma 2.6.18-164.9.1.el5 #1 SMP Tue Dec 15 20:57:57 EST 2009 x86_64 x86_64 Alert Count 10 First Seen Tue 05 Jan 2010 05:12:20 AM CET Last Seen Tue 05 Jan 2010 05:22:03 AM CET Local ID 8fb024fb-aa09-4177-84d7-55e5156e9538 Line Numbers
Raw Audit Messages
host=alma type=AVC msg=audit(1262665323.833:106): avc: denied { execute } for pid=8901 comm="qemu-kvm" path="/dev/zero" dev=tmpfs ino=2421 scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
host=alma type=SYSCALL msg=audit(1262665323.833:106): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=2000 a2=7 a3=2 items=0 ppid=1 pid=8901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)