[CentOS-virt] SELinux killed my qemu-kvm

David McGuffey davidmcguffey at verizon.net
Fri Feb 24 17:58:06 EST 2012


All of a sudden, Virtual Machine Manager (VMM) on a CentOS 5.7 load will
no longer run any VMs.

The VM worked A-OK on the morning of 23 Feb, when I brought it up,
applied the Microsoft updates, rebooted it, installed an application,
rebooted again and ran several tests. Later that day, it wouldn't run.
I didn't have time to diagnose, so I did some investigation a few
minutes ago.

Working my way through some checks, it appears to be an SELinux problem
(new).

[root at desk log]# uname -r
2.6.18-274.18.1.el5

From /var/log/yum.log:

Feb 21 19:07:01 Updated: 2:libpng-1.2.10-15.el5_7.x86_64
Feb 21 19:07:01 Updated: 2:libpng-devel-1.2.10-15.el5_7.x86_64
Feb 21 19:07:01 Updated: 2:libpng-1.2.10-15.el5_7.i386

Previous yum update ran on 19 Feb. However, the virtual machine ran very
well on the morning of 23 Feb, when I brought it up, so it can't be any
updates from yum on the host.

Here is the VMM Error Message:

Error starting domain: internal error Process exited while reading
console log output: qemu: could not open disk image /dev/hda

And the VMM Details:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/engine.py", line 501, in
run_domain
    vm.startup()
  File "/usr/share/virt-manager/virtManager/domain.py", line 576, in
startup
    self.vm.create()
  File "/usr/lib64/python2.4/site-packages/libvirt.py", line 333, in
create
    if ret == -1: raise libvirtError ('virDomainCreate() failed',
dom=self)
libvirtError: internal error Process exited while reading console log
output: qemu: could not open disk image /dev/hda

Excerpt from /var/log/messages:

Feb 24 17:25:28 desk libvirtd: 17:25:28.531: error :
virDomainDiskDefForeachPath:7637 : unable to open disk path /dev/hda: No
medium found 
Feb 24 17:25:28 desk kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 24 17:25:28 desk kernel: tun: (C) 1999-2004 Max Krasnyansky
<maxk at qualcomm.com>
Feb 24 17:25:28 desk kernel: device vnet0 entered promiscuous mode
Feb 24 17:25:28 desk kernel: New device vnet0 does not support netpoll
Feb 24 17:25:28 desk kernel: Disabling netpoll for virbr0
Feb 24 17:25:28 desk kernel: virbr0: topology change detected,
propagating
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering forwarding
state
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled
state
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled
state
Feb 24 17:25:28 desk kernel: device vnet0 left promiscuous mode
Feb 24 17:25:28 desk kernel: virbr0: port 1(vnet0) entering disabled
state
Feb 24 17:25:28 desk setroubleshoot: SELinux is preventing
pam_console_app (pam_console_t) "getattr" to /dev/hda (virt_content_t).
For complete SELinux messages. run sealert -l
9ee6c9a9-3eda-4082-84d3-5741ea9ff688

SELinux alert summary

SELinux is preventing pam_console_app (pam_console_t) "getattr"
to /dev/hda
(virt_content_t).

Detailed Description:

SELinux denied access requested by pam_console_app. It is not expected
that this
access is required by pam_console_app and this access may signal an
intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for /dev/hda,

restorecon -v '/dev/hda'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:pam_console_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:virt_content_t
Target Objects                /dev/hda [ blk_file ]
Source                        pam_console_app
Source Path                   /sbin/pam_console_apply
Port                          <Unknown>
Host                          desk.mcguffeyfamily.net
Source RPM Packages           pam-0.99.6.2-6.el5_5.2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     desk.mcguffeyfamily.net
Platform                      Linux desk.mcguffeyfamily.net
2.6.18-274.18.1.el5
                              #1 SMP Thu Feb 9 12:45:44 EST 2012 x86_64
x86_64
Alert Count                   163
First Seen                    Wed 13 Apr 2011 08:41:32 AM EDT
Last Seen                     Fri 24 Feb 2012 05:25:28 PM EST
Local ID                      9ee6c9a9-3eda-4082-84d3-5741ea9ff688
Line Numbers                  

Raw Audit Messages            

host=desk.internallab.net type=AVC msg=audit(1330122328.766:39): avc:
denied  { getattr } for  pid=3427 comm="pam_console_app" path="/dev/hda"
dev=tmpfs ino=6316
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

host=desk.internallab.net type=SYSCALL msg=audit(1330122328.766:39):
arch=c000003e syscall=4 success=no exit=-13 a0=7fff56fe6140
a1=7fff56fe6170 a2=7fff56fe6170 a3=c5df105 items=0 ppid=3417 pid=3427
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="pam_console_app"
exe="/sbin/pam_console_apply"
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 key=(null)

I did a touch /.autorelabel; sync; reboot
and received the same error message.

I then followed the guidance in the sealert:

[root at desk log]# restorecon -v /dev/hda
restorecon reset /dev/hda context
system_u:object_r:virt_content_t:s0->system_u:object_r:fixed_disk_device_t:s0

And tried to start the VM with no success:

[root at desk images]# virsh start Win7-base
error: Failed to start domain Win7-base
error: internal error Process exited while reading console log output:
qemu: could not open disk image /dev/hda

Any thoughts?

Dave
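Editor's note, with an added example that is not part of the post above nor of libvirt. Two details in the post are worth separating before touching policy: the AVC that setroubleshoot reports has scontext pam_console_t (comm pam_console_app), not the svirt_t context a libvirt guest runs under, and after restorecon relabelled /dev/hda to fixed_disk_device_t the qemu error was unchanged, while libvirtd's own log line for /dev/hda says "No medium found". The script below is a triage helper a practitioner would run on the host: it pulls the disk source paths out of the domain XML, checks whether each block device can actually be opened and sized, and classifies AVC records by whether the denied subject is the guest process at all. The domain XML and the AVC lines in the block are constructed for the example (the first AVC line is modelled on the one on the page); on a real host you would feed it `virsh dumpxml Win7-base` and `ausearch -m avc` output instead, and `block_source_status` needs root and blockdev(8) from util-linux.

```shell
#!/bin/sh
# Added triage helper for a "qemu: could not open disk image <path>" start
# failure on an SELinux host. Example code added by the editor, not from the
# post or from libvirt; the XML and AVC records below are constructed for the
# example (the first AVC record mirrors the one on the page).

# Constructed domain XML fragment, shaped like `virsh dumpxml <domain>` output,
# with a file-backed disk and a passed-through block device (a CD-ROM drive).
SAMPLE_XML='<domain type="kvm">
  <name>Win7-base</name>
  <devices>
    <disk type="file" device="disk">
      <source file="/var/lib/libvirt/images/Win7-base.img"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <disk type="block" device="cdrom">
      <source dev="/dev/hda"/>
      <target dev="hdc" bus="ide"/>
    </disk>
  </devices>
</domain>'

# Constructed AVC records, as `ausearch -m avc` prints them. Record 1 is modelled
# on the page (subject pam_console_t, not the guest). Record 2 is a hypothetical
# denial against the guest process itself (subject svirt_t, comm qemu-kvm).
SAMPLE_AVC='type=AVC msg=audit(1330122328.766:39): avc:  denied  { getattr } for  pid=3427 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=6316 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=AVC msg=audit(1330122400.101:57): avc:  denied  { read write } for  pid=4101 comm="qemu-kvm" path="/dev/hda" dev=tmpfs ino=6316 scontext=system_u:system_r:svirt_t:s0:c12,c87 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'

# xml_disk_sources XML_TEXT: print each <source file="..."/> or <source dev="..."/> path.
xml_disk_sources() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*<source file="\([^"]*\)".*/\1/p' \
        -e 's/.*<source dev="\([^"]*\)".*/\1/p'
}

# avc_field RECORD NAME: value of NAME=... in one audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_source_type RECORD: SELinux type of the denied subject (third field of scontext).
avc_source_type() {
    avc_field "$1" scontext | cut -d: -f3
}

# avc_is_vm_process RECORD: exit 0 only if the subject is a libvirt guest domain
# (svirt_t for KVM guests, svirt_tcg_t for TCG guests), i.e. the denial hit the
# VM itself. A denial from another domain (pam_console_t on the page) says
# nothing about whether qemu can open the disk.
avc_is_vm_process() {
    case "$(avc_source_type "$1")" in
        svirt_t|svirt_tcg_t) return 0 ;;
        *)                   return 1 ;;
    esac
}

# classify_denials AVC_TEXT: one line per record: VM|OTHER comm path target_type.
classify_denials() {
    printf '%s\n' "$1" | while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        if avc_is_vm_process "$rec"; then kind=VM; else kind=OTHER; fi
        printf '%s %s %s %s\n' "$kind" "$(avc_field "$rec" comm)" \
            "$(avc_field "$rec" path)" "$(avc_field "$rec" tcontext | cut -d: -f3)"
    done
}

# count_vm_denials AVC_TEXT: number of records whose subject is the guest process.
count_vm_denials() {
    classify_denials "$1" | grep -c '^VM ' || true
}

# block_source_status PATH: missing (no such node), notblock (not a block device),
# unreadable (the kernel refuses to open/size it: an empty CD tray gives
# ENOMEDIUM, which is the "No medium found" in libvirtd's log; a label or DAC
# problem gives EACCES), or ok. Uses blockdev(8); run as root on a real host.
block_source_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ -b "$1" ] || { echo notblock; return 0; }
    if blockdev --getsize64 "$1" >/dev/null 2>&1; then echo ok; else echo unreadable; fi
}

# Demo on the constructed data. On a real host replace the two samples with
#   virsh dumpxml "$DOMAIN"     and     ausearch -m avc -ts recent
echo "== disk sources and their status =="
for src in $(xml_disk_sources "$SAMPLE_XML"); do
    printf '%-45s %s\n' "$src" "$(block_source_status "$src")"
done
echo "== AVC denials: did any hit the guest process? =="
classify_denials "$SAMPLE_AVC"
echo "denials against the guest: $(count_vm_denials "$SAMPLE_AVC")"
```

If the only denials listed are OTHER and the passed-through device reports unreadable, the next thing to look at is the drive itself (tray contents, `ls -Z` on the node, and whether the guest still needs the cdrom element at all), not a local policy module; a VM-specific denial would show up as a VM line with an svirt_t subject and a target type that is not virt_image_t or virt_content_t.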



