[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

Trey Dockendorf treydock at gmail.com
Mon Oct 17 18:09:14 UTC 2011


On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>
> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> > Forwarding back to list.
> > ---------- Forwarded message ----------
> > From: "Trey Dockendorf" <treydock at gmail.com>
> > Date: Oct 17, 2011 10:06 AM
> > Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
> > To: "Daniel J Walsh" <dwalsh at redhat.com>
> >
> >
> >
> > On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com>
> > wrote:
> >
> > On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> >>>> I recently began getting periodic emails from SEalert that
> >>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" access
> >>>> from the directory I store all my virtual machines for KVM.
> >>>>
> >>>> All VMs are stored under /vmstore , which is its own mount
> >>>> point, and every file and folder under /vmstore currently has
> >>>> the correct context that was set by doing the following:
> >>>>
> >>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> >>>> restorecon -R /vmstore
> >>>>
> >>>> So far I've noticed this when taking snapshots and also when
> >>>> using virsh to make changes to a domain's XML file.  I
> >>>> haven't had any problems for the 3 or 4 months I've run this
> >>>> KVM server using SELinux on Enforcing, and so I'm not really
> >>>> sure what information is helpful to debug this.  The server
> >>>> is CentOS 6 x86_64 updated to CR.  This is the raw audit
> >>>> entry, (hostname removed)
> >>>>
> >>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc:
> >>>> denied { getattr } for pid=1842 comm="qemu-kvm" name="/"
> >>>> dev=dm-2 ino=2
> >>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
> >>>> arch=c000003e syscall=138 success=no exit=-13 a0=9
> >>>> a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
> >>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107
> >>>> egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295
> >>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
> >>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>
> >>>> I've attached the alert email as a quote below, (hostname
> >>>> removed)
> >>>>
> >>>> Any help is greatly appreciated, I've had to deal little
> >>>> with SELinux fortunately, but at the moment am not really
> >>>> sure if my snapshots are actually functional or if this is
> >>>> just some false positive.
> >>>>
> >>>> Thanks - Trey
> >>>>
> >>>>> Summary
> >>>>>
> >>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
> >>>>> access on /vmstore.
> >>>>>
> >>>>> Detailed Description
> >>>>>
> >>>>> SELinux denied access requested by qemu-kvm. It is not
> >>>>> expected that this access is required by qemu-kvm and this
> >>>>> access may signal an intrusion attempt. It is also possible
> >>>>> that the specific version or configuration of the application
> >>>>> is causing it to require additional access.
> >>>>>
> >>>>> Allowing Access
> >>>>>
> >>>>> You can generate a local policy module to allow this access
> >>>>> - see FAQ
> >>>>> Please file a bug report.
> >>>>>
> >>>>> Additional Information
> >>>>>
> >>>>> Source Context:   system_u:system_r:svirt_t:s0:c772,c779
> >>>>> Target Context:   system_u:object_r:fs_t:s0
> >>>>> Target Objects:   /vmstore [ filesystem ]
> >>>>> Source:   qemu-kvm
> >>>>> Source Path:   /usr/libexec/qemu-kvm
> >>>>> Port:   <Unknown>
> >>>>> Host:   kvmhost.tld
> >>>>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
> >>>>> Target RPM Packages:
> >>>>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
> >>>>> Selinux Enabled:   True
> >>>>> Policy Type:   targeted
> >>>>> Enforcing Mode:   Enforcing
> >>>>> Plugin Name:   catchall
> >>>>> Host Name:   kvmhost.tld
> >>>>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1
> >>>>> SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
> >>>>> Alert Count:   1
> >>>>> First Seen:   Fri Oct 14 18:20:50 2011
> >>>>> Last Seen:   Fri Oct 14 18:20:50 2011
> >>>>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
> >>>>> Line Numbers:
> >>>>>
> >>>>> Raw Audit Messages :
> >>>>>
> >>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
> >>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
> >>>>> name="/" dev=dm-2 ino=2
> >>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>>>
> >>>>> node=kvmhost.tld type=SYSCALL
> >>>>> msg=audit(1318634450.285:28): arch=c000003e
> >>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> >>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
> >>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
> >>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
> >>>>> ses=4294967295 comm="qemu-kvm"
> >>>>> exe="/usr/libexec/qemu-kvm"
> >>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>
> >>>> _______________________________________________ CentOS
> >>>> mailing list CentOS at centos.org
> >>>> http://lists.centos.org/mailman/listinfo/centos
> >
> >
> > This is a bug in policy.  It can be allowed for now.
> >
> > We have 6.2 selinux-policy preview package available on
> > http://people.redhat.com/dwalsh/SELinux/RHEL6
> >
> > I believe all that is happening is qemu-kvm is noticing you have a
> > file system mounted, and doing a getattr on it.
> >>
> >
> > Thanks for the help Dan.  Is there something that could have
> > triggered this between 6.0 and 6.1?  This server was updated to 6.0
> > CR around the same time this began happening, so I want to make
> > sure if it's an issue in CR that I can file a useful bug report.
> >
> > When updating selinux-policy, do I have to update all the RPMs
> > listed or will that one package suffice?
> >
> > Thanks - Trey
>
> Did you add additional file systems?

Not after the upgrade.  The same filesystems were in place using 6.0 and 6.0
CR.  The only change was the upgrade to CR.

- Trey
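Triaging the denial straight from the audit records, as an added example that is not code from the thread: it pairs the AVC record with its SYSCALL record by audit serial, pulls out the source type, the MCS categories (which under sVirt identify the particular guest), the target type, object class and permission, and flags the svirt_t-on-filesystem getattr pattern Dan attributes to the policy bug. The two sample records are the ones quoted above; the parser, the rule and its name are this example's own assumptions.

```python
import re

# Both raw audit records quoted in the thread, each re-joined onto one line.
SAMPLE_AUDIT = """\
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # serial shared by AVC and SYSCALL
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')

def parse_record(line):
    """One audit line -> dict. AVC lines additionally get 'decision' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = SERIAL_RE.search(line).group(1)
    if rec.get('type') == 'AVC':
        m = PERM_RE.search(line)
        rec['decision'], rec['perms'] = m.group(1), m.group(2).split()
    return rec

def correlate(text):
    """Group records by serial so an AVC is read together with its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events

def split_context(ctx):
    parts = ctx.split(':')   # user:role:type:sensitivity[:categories]
    return parts[2], (parts[4].split(',') if len(parts) > 4 else [])

def triage(event):
    """Summarise one correlated event; the MCS categories say which guest it was."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    stype, cats = split_context(avc['scontext'])
    ttype, _ = split_context(avc['tcontext'])
    return {
        'source_type': stype, 'categories': cats, 'target_type': ttype,
        'tclass': avc['tclass'], 'perms': avc['perms'], 'exe': sc.get('exe'),
        'syscall': int(sc['syscall']) if 'syscall' in sc else None,
        'errno': -int(sc['exit']) if 'exit' in sc else None,   # 13 == EACCES
        # Assumed rule encoding Dan's diagnosis from the thread: a confined guest
        # (svirt_t) asking for getattr on a filesystem object is the known policy gap.
        'matches_thread_pattern': (stype == 'svirt_t' and avc['tclass'] == 'filesystem'
                                   and avc['perms'] == ['getattr']),
    }
```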


