[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

Mon Oct 17 19:06:41 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>> 
> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>> Forwarding back to list.
>> ---------- Forwarded message ----------
>> From: "Trey Dockendorf" <treydock at gmail.com>
>> Date: Oct 17, 2011 10:06 AM
>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>> To: "Daniel J Walsh" <dwalsh at redhat.com>
> 
> 
> 
>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>> I recently began getting periodic emails from SEalert that 
>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
>>>>> access from the directory I store all my virtual machines
>>>>> for KVM.
>>>>> 
>>>>> All VMs are stored under /vmstore , which is its own
>>>>> mount point, and every file and folder under /vmstore
>>>>> currently has the correct context that was set by doing the
>>>>> following:
>>>>> 
>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?" 
>>>>> restorecon -R /vmstore
>>>>> 
>>>>> So far I've noticed that when taking snapshots and also
>>>>> when using virsh to make changes to a domain's XML file.
>>>>> I haven't had any problems for the 3 or 4 months I've run
>>>>> this KVM server using SELinux on Enforcing, and so I'm not
>>>>> really sure what information is helpful to debug this.  The
>>>>> server is CentOS 6 x86_64 updated to CR.  This is the raw
>>>>> audit entry, (hostname removed)
>>>>> 
>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
>>>>> name="/" dev=dm-2 ino=2 
>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779 
>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
>>>>> node=kvmhost.tld type=SYSCALL
>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295 
>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" 
>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>> 
>>>>> I've attached the alert email as a quote below, (hostname 
>>>>> removed)
>>>>> 
>>>>> Any help is greatly appreciated, I've had to deal little 
>>>>> with SELinux fortunately, but at the moment am not really 
>>>>> sure if my snapshots are actually functional or if this is 
>>>>> just some false positive.
>>>>> 
>>>>> Thanks - Trey
>>>>> 
>>>>>> Summary
>>>>>> 
>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" 
>>>>>> access on /vmstore.
>>>>>> 
>>>>>> Detailed Description
>>>>>> 
>>>>>> SELinux denied access requested by qemu-kvm. It is not 
>>>>>> expected that this access is required by qemu-kvm and this
>>>>>> access may signal an intrusion attempt. It is also possible
>>>>>> that the specific version or configuration of the
>>>>>> application is causing it to require additional access.
>>>>>> 
>>>>>> Allowing Access
>>>>>> 
>>>>>> You can generate a local policy module to allow this
>>>>>> access - see FAQ
>>>>>> Please file a bug report.
>>>>>> 
>>>>>> Additional Information
>>>>>> 
>>>>>> Source Context:   system_u:system_r:svirt_t:s0:c772,c779
>>>>>> Target Context:   system_u:object_r:fs_t:s0
>>>>>> Target Objects:   /vmstore [ filesystem ]
>>>>>> Source:   qemu-kvm
>>>>>> Source Path:   /usr/libexec/qemu-kvm
>>>>>> Port:   <Unknown>
>>>>>> Host:   kvmhost.tld
>>>>>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>> Target RPM Packages:
>>>>>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
>>>>>> Selinux Enabled:   True
>>>>>> Policy Type:   targeted
>>>>>> Enforcing Mode:   Enforcing
>>>>>> Plugin Name:   catchall
>>>>>> Host Name:   kvmhost.tld
>>>>>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64
>>>>>> #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>>>>> Alert Count:   1
>>>>>> First Seen:   Fri Oct 14 18:20:50 2011
>>>>>> Last Seen:   Fri Oct 14 18:20:50 2011
>>>>>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>> Line Numbers:
>>>>>> 
>>>>>> Raw Audit Messages :
>>>>>> 
>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr }
>>>>>> for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2
>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>> 
>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e
>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
>>>>>> ses=4294967295 comm="qemu-kvm"
>>>>>> exe="/usr/libexec/qemu-kvm"
>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>> 
>>>>> _______________________________________________
>>>>> CentOS mailing list
>>>>> CentOS at centos.org
>>>>> http://lists.centos.org/mailman/listinfo/centos
> 
> 
>> This is a bug in policy.  It can be allowed for now.
> 
>> We have 6.2 selinux-policy preview package available on 
>> http://people.redhat.com/dwalsh/SELinux/RHEL6
> 
>> I believe all that is happening is qemu-kvm is noticing you have
>> a file system mounted, and doing a getattr on it.
> 
> 
>> Thanks for the help Dan.  Is there something that could have 
>> triggered this between 6.0 and 6.1?  This server was updated to
>> 6.0 CR around the same time this began happening, so I want to
>> make sure if it's an issue in CR that I can file a useful bug
>> report.
> 
>> When updating selinux-policy, do I have to update all the RPMs 
>> listed or will that one package suffice?
> 
>> Thanks - Trey
> 
> Did you add additional file systems?
> 
> Not after the upgrade.  The same filesystems were in place using
> 6.0 and 6.0 CR.  The only change was the upgrade to CR.
> 
> - Trey
> 

Well I have no idea.  Anyway, it is not a problem allowing this access.
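As an added example, not code from the thread, from selinux-policy or from audit2allow: a small Python script that parses the AVC/SYSCALL pair Trey posted and produces the local policy module Dan says is safe to load, together with the two details in the records that explain why the `semanage fcontext` rule on /vmstore could not help. tclass=filesystem means the object being checked is the filesystem itself (the superblock of dm-2, which is why the record says name="/" ino=2); a filesystem's label comes from the policy's fs_use_* statements (fs_t for ext3/ext4), not from fcontext or restorecon, so relabeling the files under /vmstore as virt_image_t never touches it. syscall=138 with arch=c000003e is fstatfs on x86_64 and a0=9 is the file descriptor, which matches Dan's reading that qemu-kvm is just stat'ing the filesystem behind an open image. The sample text is Trey's two records rejoined onto one line each; the module name svirt_fsgetattr is the example's own.

```python
"""Added example (not from the CentOS thread or from selinux-policy/audit2allow):
parse the AVC + SYSCALL pair from the thread and build the local policy module.
Assumes the RHEL/CentOS 6 audit record format shown in the thread."""
import errno
import re

# Constructed sample: the two audit records from the thread, each rejoined onto one line.
SAMPLE_AUDIT = (
    'node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } '
    'for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 '
    'scontext=system_u:system_r:svirt_t:s0:c772,c779 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem\n'
    'node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e '
    'syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 '
    'items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 '
    'fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 '
    'comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" '
    'subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)\n'
)

# x86_64 (arch=c000003e) syscalls that trigger the SELinux filesystem:getattr check.
SYSCALL_NAMES_X86_64 = {137: "statfs", 138: "fstatfs"}

AVC_RE = re.compile(r"avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """One audit record -> dict of its key=value fields (plus verdict/perms for AVC)."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        rec["verdict"] = m.group("verdict")
        rec["perms"] = m.group("perms").split()
    return rec


def parse_audit(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def seltype(ctx):
    """user:role:type[:range] -> type; allow rules name types, not full contexts."""
    return ctx.split(":")[2]


def allow_rule(avc):
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        seltype(avc["scontext"]), seltype(avc["tcontext"]), avc["tclass"], perm_str)


def te_module(name, records):
    """Type-enforcement source in the shape `audit2allow -M name` writes to name.te.
    Build and load it with: checkmodule -M -m -o name.mod name.te &&
    semodule_package -o name.pp -m name.mod && semodule -i name.pp"""
    avcs = [r for r in records if r.get("type") == "AVC" and r.get("verdict") == "denied"]
    types = sorted({seltype(a["scontext"]) for a in avcs} |
                   {seltype(a["tcontext"]) for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a["tclass"], set()).update(a["perms"])
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + sorted({allow_rule(a) for a in avcs})
    return "\n".join(lines) + "\n"


def explain(avc, syscall):
    """Why `semanage fcontext ... /vmstore` could not fix this particular denial."""
    notes = []
    if avc["tclass"] == "filesystem":
        # tclass=filesystem: the object is the superblock of dev (here the root of the
        # /vmstore mount, name="/" ino=2). Its label is assigned by the policy's
        # fs_use_* statements (fs_t for ext3/ext4), never by fcontext/restorecon.
        notes.append("target is the filesystem on %s (name=%s ino=%s), labeled %s by "
                     "fs_use_*, not by fcontext" % (avc["dev"], avc["name"], avc["ino"],
                                                    seltype(avc["tcontext"])))
    if syscall.get("arch") == "c000003e":
        num = int(syscall["syscall"])
        notes.append("syscall %d = %s on fd %d" % (
            num, SYSCALL_NAMES_X86_64.get(num, "?"), int(syscall["a0"], 16)))
    notes.append("exit=%s -> %s" % (
        syscall["exit"], errno.errorcode.get(-int(syscall["exit"]), "?")))
    return notes


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    avc, sc = recs
    print(te_module("svirt_fsgetattr", recs))
    for n in explain(avc, sc):
        print("#", n)
```

On a live CentOS 6 host the equivalent one-liner is `grep avc /var/log/audit/audit.log | audit2allow -M svirt_fsgetattr` followed by `semodule -i svirt_fsgetattr.pp`; once the fixed selinux-policy package is installed the temporary module can be dropped again with `semodule -r svirt_fsgetattr`, so the workaround does not outlive the bug it papers over.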