[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

Daniel J Walsh

dwalsh at redhat.com
Tue Oct 18 12:30:18 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
> 
> On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
>> 
> On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
>> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> 
>> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
>>> Forwarding back to list.
>>> ---------- Forwarded message ----------
>>> From: "Trey Dockendorf" <treydock at gmail.com>
>>> Date: Oct 17, 2011 10:06 AM
>>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
>>> To: "Daniel J Walsh" <dwalsh at redhat.com>
> 
> 
> 
>>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
>>>>>> I recently began getting periodic emails from SEalert
>>>>>> that SELinux is preventing /usr/libexec/qemu-kvm
>>>>>> "getattr" access from the directory I store all my
>>>>>> virtual machines for KVM.
>>>>>> 
>>>>>> All VMs are stored under /vmstore , which is its own
>>>>>> mount point, and every file and folder under /vmstore
>>>>>> currently has the correct context that was set by doing
>>>>>> the following:
>>>>>> 
>>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?" 
>>>>>> restorecon -R /vmstore
>>>>>> 
>>>>>> So far I've noticed this when taking snapshots and also
>>>>>> when using virsh to make changes to a domain's XML file.
>>>>>> I haven't had any problems for the 3 or 4 months I've
>>>>>> run this KVM server using SELinux on Enforcing, and so
>>>>>> I'm not really sure what information is helpful to debug
>>>>>> this.  The server is CentOS 6 x86_64 updated to CR.  This
>>>>>> is the raw audit entry, (hostname removed)
>>>>>> 
>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): 
>>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm" 
>>>>>> name="/" dev=dm-2 ino=2 
>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779 
>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
>>>>>> node=kvmhost.tld type=SYSCALL 
>>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138 
>>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 
>>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 
>>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 
>>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295 
>>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" 
>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
>>>>>> 
>>>>>> I've attached the alert email as a quote below,
>>>>>> (hostname removed)
>>>>>> 
>>>>>> Any help is greatly appreciated, I've had to deal little 
>>>>>> with SELinux fortunately, but at the moment am not
>>>>>> really sure if my snapshots are actually functional or if
>>>>>> this is just some false positive.
>>>>>> 
>>>>>> Thanks - Trey
>>>>>> 
>>>>>> Summary
>>>>>>> 
>>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr" 
>>>>>>> access on /vmstore.
>>>>>>> 
>>>>>>> Detailed Description
>>>>>>> 
>>>>>>> SELinux denied access requested by qemu-kvm. It is not 
>>>>>>> expected that this
>>>>>>>> access is required by qemu-kvm and this access may 
>>>>>>>> signal an intrusion attempt. It is also possible
>>>>>>>> that the specific version or configuration of the 
>>>>>>>> application is causing it to require additional 
>>>>>>>> access.
>>>>>>> 
>>>>>>> Allowing Access
>>>>>>> 
>>>>>>> You can generate a local policy module to allow this 
>>>>>>> access - see FAQ
>>>>>>>> Please file a bug report.
>>>>>>> 
>>>>>>> Additional Information
>>>>>>> 
>>>>>>> Source Context:
>>>>>>> system_u:system_r:svirt_t:s0:c772,c779
>>>>>>> 
>>>>>>> Target Context:   system_u:object_r:fs_t:s0
>>>>>>> 
>>>>>>> Target Objects:   /vmstore [ filesystem ]
>>>>>>> 
>>>>>>> Source:   qemu-kvm
>>>>>>> 
>>>>>>> Source Path:   /usr/libexec/qemu-kvm
>>>>>>> 
>>>>>>> Port:   <Unknown>
>>>>>>> 
>>>>>>> Host:   kvmhost.tld
>>>>>>> 
>>>>>>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
>>>>>>> 
>>>>>>> Target RPM Packages:
>>>>>>> 
>>>>>>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
>>>>>>> 
>>>>>>> Selinux Enabled:   True
>>>>>>> 
>>>>>>> Policy Type:   targeted
>>>>>>> 
>>>>>>> Enforcing Mode:   Enforcing
>>>>>>> 
>>>>>>> Plugin Name:   catchall
>>>>>>> 
>>>>>>> Host Name:   kvmhost.tld
>>>>>>> 
>>>>>>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP
>>>>>>> Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
>>>>>>> 
>>>>>>> Alert Count:   1
>>>>>>> 
>>>>>>> First Seen:   Fri Oct 14 18:20:50 2011
>>>>>>> 
>>>>>>> Last Seen:   Fri Oct 14 18:20:50 2011
>>>>>>> 
>>>>>>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
>>>>>>> 
>>>>>>> Line Numbers:
>>>>>>> 
>>>>>>> Raw Audit Messages :
>>>>>>> 
>>>>>>> 
>>>>>>>> node=kvmhost.tld type=AVC 
>>>>>>>> msg=audit(1318634450.285:28): avc: denied { getattr
>>>>>>>> } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2
>>>>>>>> ino=2 
>>>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779 
>>>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>>>>>>> 
>>>>>>> node=kvmhost.tld type=SYSCALL 
>>>>>>> msg=audit(1318634450.285:28): arch=c000003e
>>>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 
>>>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 
>>>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107 
>>>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) 
>>>>>>>> ses=4294967295 comm="qemu-kvm" 
>>>>>>>> exe="/usr/libexec/qemu-kvm" 
>>>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779
>>>>>>>> key=(null)
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> _______________________________________________
>>>>>> CentOS mailing list
>>>>>> CentOS at centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos
> 
> 
>>> This is a bug in policy.  It can be allowed for now.
> 
>>> We have 6.2 selinux-policy preview package available on 
>>> http://people.redhat.com/dwalsh/SELinux/RHEL6
> 
>>> I believe all that is happening is qemu-kvm is noticing you
>>> have a file system mounted, and doing a getattr on it.
> 
> 
>>> Thanks for the help Dan.  Is there something that could have 
>>> triggered this between 6.0 and 6.1?  This server was updated
>>> to 6.0 CR around the same time this began happening, so I want
>>> to make sure if it's an issue in CR that I can file a useful
>>> bug report.
> 
>>> When updating selinux-policy, do I have to update all the RPMs 
>>> listed or will that one package suffice?
> 
>>> Thanks - Trey
> 
>> Did you add additional file systems?
> 
>> Not after the upgrade.  The same filesystems were in place using 
>> 6.0 and 6.0 CR.  The only change was the upgrade to CR.
> 
>> - Trey
> 
> 
> Well I have no idea.  Anyways it is not a problem allowing this
> access.
> 
> What do I have to do to allow that access?  Or should I update to
> the selinux-policy you linked ?  I've had little in the way of
> experience with selinux so this is all new.
> 
> Thanks - Trey
> 

You can allow it by executing the following as root.

# grep svirt /var/log/audit/audit.log | audit2allow -M mysvirt
# semodule -i mysvirt.pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6dcVYACgkQrlYvE4MpobPduQCfZyY00S+74FBlLFqsBbk5bX5R
YKIAnjM+/Gb2H7BUgqKbn6xPVJARrkii
=uazZ
-----END PGP SIGNATURE-----
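The two commands above turn every line in audit.log that contains the string "svirt" into allow rules, so whatever else happened to be denied for svirt_t at the time (or for any context that merely contains "svirt") ends up in the module too, and svirt_t is the one confined domain shared by every guest on the host. The denial in this thread is narrow: class `filesystem`, permission `getattr`, i.e. a statfs-style query (on x86_64 syscall 138 is fstatfs and exit=-13 is EACCES), so the rule that matches it is a single line. The script below is an added example, not part of the thread and not from audit2allow or the selinux-policy package: it extracts only the denials for one (source type, target type, class) triple from an audit log in the format quoted above and writes the equivalent minimal policy source. The function names, the module name `mysvirt` and the sample log (the thread's AVC plus one constructed shadow_t denial that must not be allowed) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not audit2allow): build a policy module
# for exactly one kind of denial instead of allowing every "svirt" line.
# Assumes audit.log lines in the format quoted in the thread.

# Constructed sample: the AVC and SYSCALL records from the thread, plus an
# unrelated (made-up) svirt_t write denial on shadow_t that a blanket
# "grep svirt | audit2allow" would silently turn into an allow rule.
SAMPLE_AUDIT='type=AVC msg=audit(1318634450.285:28): avc:  denied  { getattr } for  pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
type=AVC msg=audit(1318634460.100:29): avc:  denied  { write } for  pid=1842 comm="qemu-kvm" name="shadow" dev=dm-0 ino=99 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_rules LOG SRC_TYPE TGT_TYPE CLASS
# Print one allow rule covering exactly the permissions that LOG shows
# denied for that (source type, target type, object class) triple; print
# nothing if there were none. Other denials in LOG are ignored.
avc_rules() {
    awk -v src="$2" -v tgt="$3" -v cls="$4" '
        /type=AVC/ && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # strip up to "{ "
            sub(/ *[}].*/, "", perms)           # strip from " }" onward
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                # third ":"-separated field of a context is its type
                if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
                else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            if (s != src || t != tgt || c != cls) next
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++)
                if (!(p[j] in seen)) { seen[p[j]] = 1; out = out (out == "" ? "" : " ") p[j] }
        }
        END { if (out != "") print "allow " src " " tgt ":" cls " { " out " };" }
    ' "$1"
}

# make_te NAME LOG SRC_TYPE TGT_TYPE CLASS
# Emit policy source (.te) for only the matching denials. Fails when nothing
# matched so that an empty module is never built or installed.
make_te() {
    rule=$(avc_rules "$2" "$3" "$4" "$5") || return 1
    [ -n "$rule" ] || { echo "make_te: no $3 -> $4:$5 denials in $2" >&2; return 1; }
    perms=${rule#*"{ "}       # "getattr };"
    perms=${perms%" };"}      # "getattr"
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$1" "$3" "$4" "$5" "$perms" "$rule"
}

# Usage: sh mksvirt.sh /var/log/audit/audit.log > mysvirt.te
if [ $# -ge 1 ]; then
    make_te mysvirt "$1" svirt_t fs_t filesystem
fi
```

For the thread's log the output is the one rule `allow svirt_t fs_t:filesystem { getattr };` inside a module that requires only `svirt_t`, `fs_t` and `filesystem getattr`; the shadow_t line never reaches it. The resulting .te is built and loaded the same way as an audit2allow module, as root: `checkmodule -M -m -o mysvirt.mod mysvirt.te`, then `semodule_package -o mysvirt.pp -m mysvirt.mod`, then `semodule -i mysvirt.pp`. Whichever route you take, read the .te before `semodule -i`, and remove the local module again (`semodule -r mysvirt`) once the fixed selinux-policy package lands, so the workaround does not outlive the bug.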
