[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

Wed Oct 19 15:06:38 UTC 2011
Trey Dockendorf <treydock at gmail.com>

On Tue, Oct 18, 2011 at 7:30 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
> >
> > On Oct 17, 2011 2:06 PM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> >>
> > On 10/17/2011 02:09 PM, Trey Dockendorf wrote:
> >> On Oct 17, 2011 10:30 AM, "Daniel J Walsh" <dwalsh at redhat.com> wrote:
> >
> >> On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
> >>> Forwarding back to list.
> >>> ---------- Forwarded message ----------
> >>> From: "Trey Dockendorf" <treydock at gmail.com>
> >>> Date: Oct 17, 2011 10:06 AM
> >>> Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
> >>> To: "Daniel J Walsh" <dwalsh at redhat.com>
> >
> >
> >
> >>> On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >
> >>> On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
> >>>>>> I recently began getting periodic emails from SEalert
> >>>>>> that SELinux is preventing /usr/libexec/qemu-kvm
> >>>>>> "getattr" access from the directory I store all my
> >>>>>> virtual machines for KVM.
> >>>>>>
> >>>>>> All VMs are stored under /vmstore , which is its own
> >>>>>> mount point, and every file and folder under /vmstore
> >>>>>> currently has the correct context that was set by doing
> >>>>>> the following:
> >>>>>>
> >>>>>> semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
> >>>>>> restorecon -R /vmstore
> >>>>>>
> >>>>>> So far I've noticed this when taking snapshots and also
> >>>>>> when using virsh to make changes to a domain's XML file.
> >>>>>> I haven't had any problems for the 3 or 4 months I've
> >>>>>> run this KVM server using SELinux on Enforcing, and so
> >>>>>> I'm not really sure what information is helpful to debug
> >>>>>> this.  The server is CentOS 6 x86_64 updated to CR.  This
> >>>>>> is the raw audit entry, (hostname removed)
> >>>>>>
> >>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28):
> >>>>>> avc: denied { getattr } for pid=1842 comm="qemu-kvm"
> >>>>>> name="/" dev=dm-2 ino=2
> >>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>>>> node=kvmhost.tld type=SYSCALL
> >>>>>> msg=audit(1318634450.285:28): arch=c000003e syscall=138
> >>>>>> success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
> >>>>>> a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
> >>>>>> uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107
> >>>>>> sgid=107 fsgid=107 tty=(none) ses=4294967295
> >>>>>> comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
> >>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>>
> >>>>>> I've attached the alert email as a quote below,
> >>>>>> (hostname removed)
> >>>>>>
> >>>>>> Any help is greatly appreciated, I've had to deal little
> >>>>>> with SELinux fortunately, but at the moment am not
> >>>>>> really sure if my snapshots are actually functional or if
> >>>>>> this is just some false positive.
> >>>>>>
> >>>>>> Thanks - Trey
> >>>>>>
> >>>>>> Summary
> >>>>>>>
> >>>>>>> SELinux is preventing /usr/libexec/qemu-kvm "getattr"
> >>>>>>> access on /vmstore.
> >>>>>>>
> >>>>>>> Detailed Description
> >>>>>>>
> >>>>>>> SELinux denied access requested by qemu-kvm. It is not
> >>>>>>> expected that this access is required by qemu-kvm and this
> >>>>>>> access may signal an intrusion attempt. It is also possible
> >>>>>>> that the specific version or configuration of the
> >>>>>>> application is causing it to require additional access.
> >>>>>>>
> >>>>>>> Allowing Access
> >>>>>>>
> >>>>>>> You can generate a local policy module to allow this
> >>>>>>> access - see FAQ
> >>>>>>> Please file a bug report.
> >>>>>>>
> >>>>>>> Additional Information
> >>>>>>>
> >>>>>>> Source Context:
> >>>>>>> system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>>
> >>>>>>> Target Context:   system_u:object_r:fs_t:s0
> >>>>>>>
> >>>>>>> Target Objects:   /vmstore [ filesystem ]
> >>>>>>>
> >>>>>>> Source:   qemu-kvm
> >>>>>>>
> >>>>>>> Source Path:   /usr/libexec/qemu-kvm
> >>>>>>>
> >>>>>>> Port:   <Unknown>
> >>>>>>>
> >>>>>>> Host:   kvmhost.tld
> >>>>>>>
> >>>>>>> Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
> >>>>>>>
> >>>>>>> Target RPM Packages:
> >>>>>>>
> >>>>>>> Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
> >>>>>>>
> >>>>>>> Selinux Enabled:   True
> >>>>>>>
> >>>>>>> Policy Type:   targeted
> >>>>>>>
> >>>>>>> Enforcing Mode:   Enforcing
> >>>>>>>
> >>>>>>> Plugin Name:   catchall
> >>>>>>>
> >>>>>>> Host Name:   kvmhost.tld
> >>>>>>>
> >>>>>>> Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP
> >>>>>>> Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
> >>>>>>>
> >>>>>>> Alert Count:   1
> >>>>>>>
> >>>>>>> First Seen:   Fri Oct 14 18:20:50 2011
> >>>>>>>
> >>>>>>> Last Seen:   Fri Oct 14 18:20:50 2011
> >>>>>>>
> >>>>>>> Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
> >>>>>>>
> >>>>>>> Line Numbers:
> >>>>>>>
> >>>>>>> Raw Audit Messages :
> >>>>>>>
> >>>>>>>
> >>>>>>> node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr }
> >>>>>>> for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2
> >>>>>>> scontext=system_u:system_r:svirt_t:s0:c772,c779
> >>>>>>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> >>>>>>>
> >>>>>>> node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e
> >>>>>>> syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
> >>>>>>> a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842
> >>>>>>> auid=4294967295 uid=107 gid=107 euid=107 suid=107
> >>>>>>> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none)
> >>>>>>> ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
> >>>>>>> subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> _______________________________________________
> >>>>>> CentOS mailing list
> >>>>>> CentOS at centos.org
> >>>>>> http://lists.centos.org/mailman/listinfo/centos
> >
> >
> >>> This is a bug in policy.  It can be allowed for now.
> >
> >>> We have 6.2 selinux-policy preview package available on
> >>> http://people.redhat.com/dwalsh/SELinux/RHEL6
> >
> >>> I believe all that is happening is qemu-kvm is noticing you
> >>> have a file system mounted, and doing a getattr on it.
> >
> >
> >>> Thanks for the help Dan.  Is there something that could have
> >>> triggered this between 6.0 and 6.1?  This server was updated
> >>> to 6.0 CR around the same time this began happening, so I want
> >>> to make sure if it's an issue in CR that I can file a useful
> >>> bug report.
> >
> >>> When updating selinux-policy, do I have to update all the RPMs
> >>> listed or will that one package suffice?
> >
> >>> Thanks - Trey
> >
> >> Did you add additional file systems?
> >
> >> Not after the upgrade.  The same filesystems were in place using
> >> 6.0 and 6.0 CR.  The only change was the upgrade to CR.
> >
> >> - Trey
> >
> >
> > Well I have no idea.  Anyways it is not a problem allowing this
> > access.
> >
> > What do I have to do to allow that access?  Or should I update to
> > the selinux-policy you linked?  I've had little in the way of
> > experience with selinux so this is all new.
> >
> > Thanks - Trey
> >
>
> You can allow it by executing the following as root.
>
> # grep svirt /var/log/audit/audit.log | audit2allow -M mysvirt
> # semodule -i mysvirt.pp
>

That was easy enough, thanks for your help Daniel.

- Trey
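Dan's one-liner feeds every svirt denial in audit.log to audit2allow, so the module it builds would also carry rules for any unrelated svirt_t denials that happen to be in that log. The Python below is an added example, not code from this thread or from the SELinux tools: it parses AVC records, keeps only the svirt_t getattr-on-filesystem case Dan identified as a policy bug, and shows the TE rule that case yields. The first audit line is the record quoted above; the second is constructed for the example (its net_conf_t target is invented) to stand in for an unrelated denial.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, plus one unrelated
# svirt_t denial invented here to show what "grep svirt | audit2allow" would also allow.
AUDIT_LINES = [
    'type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 '
    'comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1318634451.100:29): avc: denied { write } for pid=1842 '
    'comm="qemu-kvm" name="hosts" dev=dm-0 ino=131 scontext=system_u:system_r:svirt_t:s0:c772,c779 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract permissions, source/target SELinux types and object class from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None          # SYSCALL records and other non-AVC lines are ignored
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:level -> e.g. svirt_t
        "ttype": m.group("tcontext").split(":")[2],   # e.g. fs_t
        "tclass": m.group("tclass"),
    }

def is_fs_getattr(rec):
    """The benign case from the thread: svirt_t doing getattr on a mounted filesystem (fs_t)."""
    return (rec["stype"] == "svirt_t" and rec["ttype"] == "fs_t"
            and rec["tclass"] == "filesystem" and rec["perms"] == ["getattr"])

def allow_rule(rec):
    """TE rule equivalent to what audit2allow derives from the record (braces kept for clarity)."""
    return f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} {{ {" ".join(rec["perms"])} }};'

def select_for_module(lines):
    """Split denials into the one we intend to allow and everything else, which needs review."""
    kept, skipped = [], []
    for rec in filter(None, map(parse_avc, lines)):
        (kept if is_fs_getattr(rec) else skipped).append(rec)
    return kept, skipped

if __name__ == "__main__":
    kept, skipped = select_for_module(AUDIT_LINES)
    print("rules to put in the module:", [allow_rule(r) for r in kept])
    print("denials to review first:", [allow_rule(r) for r in skipped])
```

Writing only the kept rule into the .te file and building the module from that, instead of from the whole grep, keeps the loaded policy exactly as wide as the denial you understood.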