On Tue, Oct 18, 2011 at 7:30 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
>
>> On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>
>>> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>>>
>>>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>>>>
>>>>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>>>>
>>>>>> Forwarding back to list.
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: "Trey Dockendorf" <treydock at gmail.com>
>>>>>> Date: Oct 17, 2011 10:06 AM
>>>>>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>>>>>> To: "Daniel J Walsh" <dwalsh at redhat.com>
>>>>>>
>>>>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>>
>>>>>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>>>
>>>>>>>> I recently began getting periodic emails from SEalert that SELinux is
>>>>>>>> preventing /usr/libexec/qemu-kvm "getattr" access from the directory I
>>>>>>>> store all my virtual machines for KVM.
>>>>>>>>
>>>>>>>> All VMs are stored under /vmstore, which is its own mount point, and
>>>>>>>> every file and folder under /vmstore currently has the correct context
>>>>>>>> that was set by doing the following:
>>>>>>>>
>>>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>>>>> restorecon -R /vmstore
>>>>>>>>
>>>>>>>> So far I've noticed this when taking snapshots and also when using
>>>>>>>> virsh to make changes to a domain's XML file. I haven't had any
>>>>>>>> problems for the 3 or 4 months I've run this KVM server using SELinux
>>>>>>>> on Enforcing, and so I'm not really sure what information is helpful
>>>>>>>> to debug this. The server is CentOS 6 x86_64 updated to CR. This is
>>>>>>>> the raw audit entry, (hostname removed)
>>>>>>>>
>>>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>>>
>>>>>>>> I've attached the alert email as a quote below, (hostname removed)
>>>>>>>>
>>>>>>>> Any help is greatly appreciated, I've had to deal little with SELinux
>>>>>>>> fortunately, but at the moment am not really sure if my snapshots are
>>>>>>>> actually functional or if this is just some false positive.
>>>>>>>>
>>>>>>>> Thanks - Trey
>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>>
>>>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access on /vmstore.
>>>>>>>>>
>>>>>>>>> Detailed Description
>>>>>>>>>
>>>>>>>>> SELinux denied access requested by qemu-kvm. It is not expected that
>>>>>>>>> this access is required by qemu-kvm and this access may signal an
>>>>>>>>> intrusion attempt. It is also possible that the specific version or
>>>>>>>>> configuration of the application is causing it to require additional
>>>>>>>>> access.
>>>>>>>>>
>>>>>>>>> Allowing Access
>>>>>>>>>
>>>>>>>>> You can generate a local policy module to allow this access - see FAQ
>>>>>>>>> Please file a bug report.
>>>>>>>>>
>>>>>>>>> Additional Information
>>>>>>>>>
>>>>>>>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
>>>>>>>>> Target Context: system_u:object_r:fs_t:s0
>>>>>>>>> Target Objects: /vmstore [ filesystem ]
>>>>>>>>> Source: qemu-kvm
>>>>>>>>> Source Path: /usr/libexec/qemu-kvm
>>>>>>>>> Port: <Unknown>
>>>>>>>>> Host: kvmhost.tld
>>>>>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>>>>> Target RPM Packages:
>>>>>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
>>>>>>>>> Selinux Enabled: True
>>>>>>>>> Policy Type: targeted
>>>>>>>>> Enforcing Mode: Enforcing
>>>>>>>>> Plugin Name: catchall
>>>>>>>>> Host Name: kvmhost.tld
>>>>>>>>> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>>>>>>>> Alert Count: 1
>>>>>>>>> First Seen: Fri Oct 14 18:20:50 2011
>>>>>>>>> Last Seen: Fri Oct 14 18:20:50 2011
>>>>>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>>>>> Line Numbers:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>>
>>>>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>>>>
>>>>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> CentOS mailing list
>>>>>>>> CentOS at centos.org
>>>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>>
>>>>>>> This is a bug in policy. It can be allowed for now.
>>>>>>>
>>>>>>> We have a 6.2 selinux-policy preview package available on
>>>>>>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>>>>>>>
>>>>>>> I believe all that is happening is qemu-kvm is noticing you have a
>>>>>>> file system mounted, and doing a getattr on it.
>>>>>>
>>>>>> Thanks for the help Dan. Is there something that could have triggered
>>>>>> this between 6.0 and 6.1? This server was updated to 6.0 CR around the
>>>>>> same time this began happening, so I want to make sure if it's an issue
>>>>>> in CR that I can file a useful bug report.
>>>>>>
>>>>>> When updating selinux-policy, do I have to update all the RPMs listed
>>>>>> or will that one package suffice?
>>>>>>
>>>>>> Thanks - Trey
>>>>>
>>>>> Did you add additional file systems?
>>>>
>>>> Not after the upgrade. The same filesystems were in place using 6.0 and
>>>> 6.0 CR. The only change was the upgrade to CR.
>>>>
>>>> - Trey
>>>
>>> Well I have no idea. Anyways it is not a problem allowing this access.
>>
>> What do I have to do to allow that access? Or should I update to the
>> selinux-policy you linked? I've had little in the way of experience with
>> selinux so this is all new.
>>
>> Thanks - Trey
>
> You can allow it by executing the following as root.
>
> # grep svirt /var/log/audit/audit.log | audit2allow -M mysvirt
> # semodule -i mysvirt.pp

That was easy enough, thanks for your help Daniel.

- Trey
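An added example, not part of the thread: a small Python parser for the AVC and SYSCALL records quoted above that pulls out the source and target contexts, decodes the syscall number and errno, renders the type-enforcement rule a local module would need (an approximation of what audit2allow derives, not a replacement for running it), and checks for the svirt_t getattr-on-filesystem pattern Dan identifies as a policy bug. The syscall name table holds only the x86_64 entry this event needs; everything else comes from the records on the page.

```python
import errno
import re

# AVC and SYSCALL records copied from the thread above (one audit event, serial 28).
SAMPLE_AUDIT = """\
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
SYSCALL_NAMES = {("c000003e", 138): "fstatfs"}  # only the x86_64 entry this event needs

def parse_audit(text):
    """Group AVC/SYSCALL records by audit serial; returns {serial: fields}."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), {"time": float(m.group(1))})
        ev.update({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
        avc = AVC_RE.search(line)
        if avc:  # the requested permissions live inside { ... }
            ev["result"] = avc.group(1)
            ev["perms"] = avc.group(2).split()
    return events

def type_of(context):
    """Type field of user:role:type:level; MCS categories (c772,c779) are dropped."""
    return context.split(":")[2]

def allow_rule(ev):
    """TE rule a local module would need (approximation of audit2allow output)."""
    perms = ev["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (type_of(ev["scontext"]), type_of(ev["tcontext"]), ev["tclass"], perm_str)

def describe_syscall(ev):
    """Resolve arch/syscall number and the negative exit code to names."""
    name = SYSCALL_NAMES.get((ev["arch"], int(ev["syscall"])), "syscall " + ev["syscall"])
    return "%s (%s)" % (name, errno.errorcode.get(-int(ev["exit"]), ev["exit"]))

def is_known_policy_bug(ev):
    """The pattern from the thread: an svirt_t guest doing getattr on a mounted filesystem."""
    return (ev.get("result") == "denied" and type_of(ev["scontext"]) == "svirt_t"
            and ev["tclass"] == "filesystem" and ev["perms"] == ["getattr"])

if __name__ == "__main__":
    for serial, ev in parse_audit(SAMPLE_AUDIT).items():
        print(serial, ev["exe"], describe_syscall(ev), allow_rule(ev), is_known_policy_bug(ev))
```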