On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>>> Forwarding back to list.
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: "Trey Dockendorf" <treydock at gmail.com>
>>>> Date: Oct 17, 2011 10:06 AM
>>>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>>>> To: "Daniel J Walsh" <dwalsh at redhat.com>
>>>>
>>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>> I recently began getting periodic emails from SEalert that SELinux is
>>>>>> preventing /usr/libexec/qemu-kvm "getattr" access from the directory I
>>>>>> store all my virtual machines for KVM.
>>>>>>
>>>>>> All VMs are stored under /vmstore, which is its own mount point, and
>>>>>> every file and folder under /vmstore currently has the correct context
>>>>>> that was set by doing the following:
>>>>>>
>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>>> restorecon -R /vmstore
>>>>>>
>>>>>> So far I've noticed this when taking snapshots and also when using virsh
>>>>>> to make changes to a domain's XML file. I haven't had any problems for
>>>>>> the 3 or 4 months I've run this KVM server using SELinux on Enforcing,
>>>>>> and so I'm not really sure what information is helpful to debug this.
>>>>>> The server is CentOS 6 x86_64 updated to CR.
>>>>>>
>>>>>> This is the raw audit entry (hostname removed):
>>>>>>
>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>
>>>>>> I've attached the alert email as a quote below (hostname removed).
>>>>>>
>>>>>> Any help is greatly appreciated. I've had to deal little with SELinux,
>>>>>> fortunately, but at the moment am not really sure if my snapshots are
>>>>>> actually functional or if this is just some false positive.
>>>>>>
>>>>>> Thanks - Trey
>>>>>>
>>>>>>> Summary
>>>>>>>
>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>>>>>
>>>>>>> Detailed Description
>>>>>>>
>>>>>>> SELinux denied access requested by qemu-kvm. It is not expected that
>>>>>>> this access is required by qemu-kvm and this access may signal an
>>>>>>> intrusion attempt. It is also possible that the specific version or
>>>>>>> configuration of the application is causing it to require additional
>>>>>>> access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>>
>>>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>>>> Please file a bug report.
>>>>>>>
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
>>>>>>> Target Context: system_u:object_r:fs_t:s0
>>>>>>> Target Objects: /vmstore [ filesystem ]
>>>>>>> Source: qemu-kvm
>>>>>>> Source Path: /usr/libexec/qemu-kvm
>>>>>>> Port: <Unknown>
>>>>>>> Host: kvmhost.tld
>>>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>>> Target RPM Packages:
>>>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> Enforcing Mode: Enforcing
>>>>>>> Plugin Name: catchall
>>>>>>> Host Name: kvmhost.tld
>>>>>>> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>>>>>> Alert Count: 1
>>>>>>> First Seen: Fri Oct 14 18:20:50 2011
>>>>>>> Last Seen: Fri Oct 14 18:20:50 2011
>>>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>>> Line Numbers:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>>
>>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>
>>>>>> _______________________________________________
>>>>>> CentOS mailing list
>>>>>> CentOS at centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>
>>>>> This is a bug in policy. It can be allowed for now.
>>>>>
>>>>> We have 6.2 selinux-policy preview package available on
>>>>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>>>>>
>>>>> I believe all that is happening is qemu-kvm is noticing you have a file
>>>>> system mounted, and doing a getattr on it.
>>>>
>>>> Thanks for the help Dan. Is there something that could have triggered
>>>> this between 6.0 and 6.1? This server was updated to 6.0 CR around the
>>>> same time this began happening, so I want to make sure if it's an issue
>>>> in CR that I can file a useful bug report.
>>>>
>>>> When updating selinux-policy, do I have to update all the RPMs listed or
>>>> will that one package suffice?
>>>>
>>>> Thanks - Trey
>>>
>>> Did you add additional file systems?
>>
>> Not after the upgrade. The same filesystems were in place using 6.0 and
>> 6.0 CR. The only change was the upgrade to CR.
>>
>> - Trey
>
> Well I have no idea. Anyways it is not a problem allowing this access.

What do I have to do to allow that access? Or should I update to the
selinux-policy you linked? I've had little in the way of experience with
SELinux so this is all new.

Thanks - Trey
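The thread's AVC denial is small enough to read by hand, but the habit worth building is to pair every AVC record with its SYSCALL record (same audit serial), decode what the process actually tried, and only then decide whether a local allow rule is as narrow as it looks. The following is an added example written for this page, not code from the thread, setools or the selinux-policy project: a self-contained Python parser fed the two audit records Trey posted (embedded inline as sample input), which reports the syscall and errno behind the denial and emits a `.te` source in the shape `audit2allow -M` produces. The syscall-number table covers only the x86_64 `statfs`/`fstatfs` pair relevant here, and the module name `local_svirt_fs` is an arbitrary choice.

```python
import errno
import re
from collections import defaultdict

# Sample input: the two audit records from the thread (hostname already removed
# by the poster), embedded here so the example runs offline.
SAMPLE_AUDIT = """\
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# x86_64 (arch=c000003e) numbers for the statfs family; 138 is what qemu-kvm hit.
X86_64_SYSCALLS = {137: 'statfs', 138: 'fstatfs'}


def kv_fields(text):
    """Split key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def selinux_type(context):
    """user:role:type[:level] -> type component."""
    return context.split(':')[2]


def parse_records(text):
    """Group AVC and SYSCALL records by audit serial so each denial keeps its syscall."""
    events = defaultdict(dict)
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        fields = kv_fields(line)
        key = serial.group(2)
        if fields.get('type') == 'AVC':
            m = AVC_RE.search(line)
            parts = fields['scontext'].split(':')
            events[key]['avc'] = {
                'decision': m.group(1),
                'perms': sorted(m.group(2).split()),
                'source_type': selinux_type(fields['scontext']),
                'target_type': selinux_type(fields['tcontext']),
                'tclass': fields['tclass'],
                'comm': fields.get('comm', ''),
                # MCS categories after the sensitivity: sVirt gives each guest its own pair,
                # so this tells you which VM (not just which domain type) triggered it.
                'categories': parts[4] if len(parts) > 4 else '',
            }
        elif fields.get('type') == 'SYSCALL':
            nr, rc = int(fields['syscall']), int(fields['exit'])
            events[key]['syscall'] = {
                'name': X86_64_SYSCALLS.get(nr, f'syscall_{nr}'),
                'errno': errno.errorcode.get(-rc, str(rc)) if rc < 0 else 'OK',
                'exe': fields.get('exe', ''),
            }
    return dict(events)


def _perm_set(perms):
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(events):
    """Merge denied permissions per (source, target, class) into TE allow rules."""
    merged = defaultdict(set)
    for ev in events.values():
        avc = ev.get('avc')
        if avc and avc['decision'] == 'denied':
            merged[(avc['source_type'], avc['target_type'], avc['tclass'])].update(avc['perms'])
    return [f'allow {s} {t}:{c} {_perm_set(sorted(p))};' for (s, t, c), p in sorted(merged.items())]


def build_te_module(name, events):
    """Emit loadable-module source (.te) in the shape audit2allow -M writes."""
    types, classes = set(), defaultdict(set)
    for ev in events.values():
        avc = ev.get('avc')
        if avc and avc['decision'] == 'denied':
            types.update((avc['source_type'], avc['target_type']))
            classes[avc['tclass']].update(avc['perms'])
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {_perm_set(sorted(p))};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + allow_rules(events)
    return '\n'.join(lines) + '\n'


def summarize(events):
    """One human-readable line per denial: who, which guest, what, via which syscall."""
    out = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get('avc'), ev.get('syscall', {})
        if not avc:
            continue
        out.append(f"#{serial}: {avc['comm']} ({avc['source_type']}, cats {avc['categories'] or '-'}) "
                   f"{avc['decision']} {' '.join(avc['perms'])} on {avc['tclass']} {avc['target_type']} "
                   f"via {sc.get('name', '?')} -> {sc.get('errno', '?')}")
    return out


if __name__ == '__main__':
    ev = parse_records(SAMPLE_AUDIT)
    print('\n'.join(summarize(ev)))
    print(build_te_module('local_svirt_fs', ev))
```

Run against the thread's records this reports `qemu-kvm (svirt_t, cats c772,c779) denied getattr on filesystem fs_t via fstatfs -> EACCES`, which matches Dan's reading: the guest process is only asking the kernel for filesystem metadata on the mounted store, and the single rule `allow svirt_t fs_t:filesystem getattr;` grants nothing beyond that. The generated `.te` is what you would inspect before the usual `audit2allow -M local_svirt_fs < denials.txt` followed by `semodule -i local_svirt_fs.pp`; the other route on the page is installing the newer selinux-policy preview package, which is the fix that does not leave a local module to carry forward.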