[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 17 19:06:41 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com
> <mailto:dwalsh at redhat.com>> wrote:
>>
> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>> Forwarding back to list. ---------- Forwarded message ----------
>> From: "Trey Dockendorf" <treydock at gmail.com
>> <mailto:treydock at gmail.com>> Date: Oct 17, 2011 10:06 AM Subject:
>> Re: [CentOS] SELinux triggered during Libvirt snapshots To:
>> "Daniel J Walsh" <dwalsh at redhat.com <mailto:dwalsh at redhat.com>>
>
>
>
>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh
>> <dwalsh at redhat.com <mailto:dwalsh at redhat.com>> wrote:
>
>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>> I recently began getting periodic emails from SEalert that
>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
>>>>> access from the directory I store all my virtual machines
>>>>> for KVM.
>>>>>
>>>>> All VMs are stored under /vmstore , which is it's own
>>>>> mount point, and every file and folder under /vmstore
>>>>> currently has the correct context that was set by doing the
>>>>> following:
>>>>>
>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
>>>>> restorecon -R /vmstore
>>>>>
>>>>> So far I've noticed then when taking snapshots and also
>>>>> when using virsh to make changes to a domain's XML file.
>>>>> I haven't had any problems for the 3 or 4 months I've run
>>>>> this KVM server using SELinux on Enforcing, and so I'm not
>>>>> really sure what information is helpful to debug this. The
>>>>> server is CentOS 6 x86_64 updated to CR. This is the raw
>>>>> audit entry, (hostname removed)
>>>>>
>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
>>>>> name="/" dev=dm-2 ino=2
>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>> node=kvmhost.tld type=SYSCALL
>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295
>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>
>>>>> I've attached the alert email as a quote below, (hostname
>>>>> removed)
>>>>>
>>>>> Any help is greatly appreciated, I've had to deal little
>>>>> with SELinux fortunately, but at the moment am not really
>>>>> sure if my snapshots are actually functional or if this is
>>>>> just some false positive.
>>>>>
>>>>> Thanks - Trey
>>>>>
>>>>> Summary
>>>>>>
>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
>>>>>> access on /vmstore.
>>>>>>
>>>>>> Detailed Description
>>>>>>
>>>>>> SELinux denied access requested by qemu-kvm. It is not
>>>>>> expected that this
>>>>>>> access is required by qemu-kvm and this access may
>>>>>>> signal an intrusion attempt. It is also possible that
>>>>>>> the specific version or configuration of the
>>>>>>> application is causing it to require additional
>>>>>>> access.
>>>>>>
>>>>>> Allowing Access
>>>>>>
>>>>>> You can generate a local policy module to allow this
>>>>>> access - see FAQ
>>>>>>> Please file a bug report.
>>>>>>
>>>>>> Additional Information
>>>>>>
>>>>>> Source Context: system_u:system_r:svirt_t:s0:c772,c779
>>>>>>
>>>>>> Target Context: system_u:object_r:fs_t:s0
>>>>>>
>>>>>> Target Objects: /vmstore [ filesystem ]
>>>>>>
>>>>>> Source: qemu-kvm
>>>>>>
>>>>>> Source Path: /usr/libexec/qemu-kvm
>>>>>>
>>>>>> Port: <Unknown>
>>>>>>
>>>>>> Host: kvmhost.tld
>>>>>>
>>>>>> Source RPM Packages: qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>>
>>>>>> Target RPM Packages:
>>>>>>
>>>>>> Policy RPM: selinux-policy-3.7.19-93.el6_1.7
>>>>>>
>>>>>> Selinux Enabled: True
>>>>>>
>>>>>> Policy Type: targeted
>>>>>>
>>>>>> Enforcing Mode: Enforcing
>>>>>>
>>>>>> Plugin Name: catchall
>>>>>>
>>>>>> Host Name: kvmhost.tld
>>>>>>
>>>>>> Platform: Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64
>>>>>> #1 SMP Mon Jun 27
>>>>>>> 19:49:27 BST 2011 x86_64 x86_64
>>>>>>
>>>>>> Alert Count: 1
>>>>>>
>>>>>> First Seen: Fri Oct 14 18:20:50 2011
>>>>>>
>>>>>> Last Seen: Fri Oct 14 18:20:50 2011
>>>>>>
>>>>>> Local ID: c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>>
>>>>>> Line Numbers:
>>>>>>
>>>>>> Raw Audit Messages :
>>>>>>
>>>>>>
>>>>>>> node=kvmhost.tld type=AVC
>>>>>>> msg=audit(1318634450.285:28): avc: denied { getattr }
>>>>>>> for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2
>>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
>>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>
>>>>>> node=kvmhost.tld type=SYSCALL
>>>>>> msg=audit(1318634450.285:28): arch=c000003e
>>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
>>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
>>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
>>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
>>>>>>> ses=4294967295 comm="qemu-kvm"
>>>>>>> exe="/usr/libexec/qemu-kvm"
>>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________ CentOS
>>>>> mailing list CentOS at centos.org <mailto:CentOS at centos.org>
>>>>> http://lists.centos.org/mailman/listinfo/centos
>
>
>> THis is a bug in policy. It can be allowed for now.
>
>> We have 6.2 selinux-policy preview package available on
>> http://people.redhat.com/dwalsh/SELinux/RHEL6
>
>> I believe all that is happening is qemu-kvm is noticing you have
>> a file system mounted, and doing a getattr on it.
>
>
>> Thanks for the help Dan. Is there something that could have
>> triggered this between 6.0 and 6.1? This server was updated to
>> 6.0 CR around the same time this began happening, so I want to
>> make sure if it's an issue in CR that I can file a useful bug
>> report.
>
>> When updating selinux-policy, do I have to update all the RPMs
>> listed or will that one package suffice?
>
>> Thanks - Trey _______________________________________________
>> CentOS mailing list CentOS at centos.org <mailto:CentOS at centos.org>
>> http://lists.centos.org/mailman/listinfo/centos
>
> Did you add additional file systems?
>
> Not after the upgrade. The same filesystems were in place using
> 6.0 and 6.0 CR. The only change was the upgrade to CR.
>
> - Trey
>
Well I have no idea. Anyways it is not a problem allowing this access.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6cfMEACgkQrlYvE4MpobPg6wCg5YzlxAKeZ61E7EneEIkpw/A1
lNQAn073hud5trqccs4M5QeLI3vUMnD7
=rQB1
-----END PGP SIGNATURE-----
More information about the CentOS
mailing list