[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

Daniel J Walsh dwalsh at redhat.com
Mon Oct 17 15:30:43 UTC 2011



On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> Forwarding back to list.
> 
> ---------- Forwarded message ----------
> From: "Trey Dockendorf" <treydock at gmail.com>
> Date: Oct 17, 2011 10:06 AM
> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
> To: "Daniel J Walsh" <dwalsh at redhat.com>
> 
> 
> 
> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
> 
> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>> I recently began getting periodic emails from SEalert that
>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access
>>>> from the directory I store all my virtual machines for KVM.
>>>> 
>>>> All VMs are stored under /vmstore , which is its own mount
>>>> point, and every file and folder under /vmstore currently has
>>>> the correct context that was set by doing the following:
>>>> 
>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>> restorecon -R /vmstore
>>>> 
>>>> So far I've noticed this when taking snapshots and also when
>>>> using virsh to make changes to a domain's XML file.  I
>>>> haven't had any problems for the 3 or 4 months I've run this
>>>> KVM server using SELinux on Enforcing, and so I'm not really
>>>> sure what information is helpful to debug this.  The server
>>>> is CentOS 6 x86_64 updated to CR.  This is the raw audit
>>>> entry, (hostname removed)
>>>> 
>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc:
>>>> denied { getattr } for pid=1842 comm="qemu-kvm" name="/"
>>>> dev=dm-2 ino=2 
>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779 
>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): 
>>>> arch=c000003e syscall=138 success=no exit=-13 a0=9
>>>> a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107
>>>> egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295
>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" 
>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>> 
>>>> I've attached the alert email as a quote below, (hostname
>>>> removed)
>>>> 
>>>> Any help is greatly appreciated, I've had to deal little
>>>> with SELinux fortunately, but at the moment am not really
>>>> sure if my snapshots are actually functional or if this is
>>>> just some false positive.
>>>> 
>>>> Thanks - Trey
>>>> 
>>>>> Summary
>>>>> 
>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
>>>>> access on /vmstore.
>>>>> 
>>>>> Detailed Description
>>>>> 
>>>>> SELinux denied access requested by qemu-kvm. It is not
>>>>> expected that this access is required by qemu-kvm and this
>>>>> access may signal an intrusion attempt. It is also possible
>>>>> that the specific version or configuration of the application
>>>>> is causing it to require additional access.
>>>>> 
>>>>> Allowing Access
>>>>> 
>>>>> You can generate a local policy module to allow this access
>>>>> - see FAQ. Please file a bug report.
>>>>> 
>>>>> Additional Information
>>>>> 
>>>>> Source Context:   system_u:system_r:svirt_t:s0:c772,c779
>>>>> Target Context:   system_u:object_r:fs_t:s0
>>>>> Target Objects:   /vmstore [ filesystem ]
>>>>> Source:   qemu-kvm
>>>>> Source Path:   /usr/libexec/qemu-kvm
>>>>> Port:   <Unknown>
>>>>> Host:   kvmhost.tld
>>>>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>> Target RPM Packages:
>>>>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
>>>>> Selinux Enabled:   True
>>>>> Policy Type:   targeted
>>>>> Enforcing Mode:   Enforcing
>>>>> Plugin Name:   catchall
>>>>> Host Name:   kvmhost.tld
>>>>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1
>>>>> SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>>>> Alert Count:   1
>>>>> First Seen:   Fri Oct 14 18:20:50 2011
>>>>> Last Seen:   Fri Oct 14 18:20:50 2011
>>>>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>> Line Numbers:
>>>>> 
>>>>> Raw Audit Messages :
>>>>> 
>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
>>>>> name="/" dev=dm-2 ino=2
>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>> 
>>>>> node=kvmhost.tld type=SYSCALL
>>>>> msg=audit(1318634450.285:28): arch=c000003e
>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
>>>>> ses=4294967295 comm="qemu-kvm"
>>>>> exe="/usr/libexec/qemu-kvm"
>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>> 
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
> 
> 
> This is a bug in policy.  It can be allowed for now.
> 
> We have 6.2 selinux-policy preview package available on 
> http://people.redhat.com/dwalsh/SELinux/RHEL6
> 
> I believe all that is happening is qemu-kvm is noticing you have a 
> file system mounted, and doing a getattr on it.
> 
> Thanks for the help Dan.  Is there something that could have
> triggered this between 6.0 and 6.1?  This server was updated to 6.0
> CR around the same time this began happening, so I want to make
> sure if it's an issue in CR that I can file a useful bug report.
> 
> When updating selinux-policy, do I have to update all the RPMs
> listed or will that one package suffice?
> 
> Thanks - Trey

Did you add additional file systems?
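As an added example (not code from the thread, the list, or the SELinux tools), the POSIX shell below parses the AVC record quoted above and prints the TE rule that a local policy module built with audit2allow would grant, plus whether relabeling paths could help at all. The audit line is reconstructed from the denial in the thread; the point it makes explicit is that tclass=filesystem with tcontext fs_t refers to the mount's superblock (dm-2), which the "/vmstore(/.*)?" fcontext rule and restorecon never touch, so the fix has to come from policy as Dan says.

```shell
#!/bin/sh
# Added example, not from the thread: turn an AVC denial into the allow rule a
# local policy module would need, and flag whether path relabeling applies.
# AVC_LINE is constructed from the denial quoted in the thread.

AVC_LINE='node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_field NAME LINE: print the value of a whitespace-delimited key=value field.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: a context is user:role:type[:level]; the type is field 3.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: emit the TE rule that would permit this exact denial,
# e.g. "allow svirt_t fs_t:filesystem getattr;" (several perms get braces).
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    set -- $perms
    if [ $# -gt 1 ]; then perms="{ $* }"; else perms=$1; fi
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(avc_field scontext "$line")")" \
        "$(ctx_type "$(avc_field tcontext "$line")")" \
        "$(avc_field tclass "$line")" "$perms"
}

# relabel_applies LINE: semanage fcontext / restorecon only change labels on
# inode-backed classes.  tclass=filesystem means the object is the mounted
# filesystem itself (the fs_t label on dm-2 here), which no path rule reaches.
relabel_applies() {
    case "$(avc_field tclass "$1")" in
        file|dir|lnk_file|chr_file|blk_file|sock_file|fifo_file) echo yes ;;
        *) echo no ;;
    esac
}

# Stand-alone run: the quoted denial yields a filesystem-class rule and "no".
echo "rule:            $(avc_to_allow "$AVC_LINE")"
echo "relabel applies: $(relabel_applies "$AVC_LINE")"
```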


