Re: Openstack and file injection

Tue, 13 Nov 2012 07:01:30 -0800 

On 11/13/2012 02:28 PM, Belmiro Moreira wrote:

Hi Pádraig,
thank you for your quick answer and suggestions.

After some investigation I discovered that guestfs fails to mount the image 
because selinux:

type=AVC msg=audit(1352816002.979:249317): avc:  denied  { read } for pid=2806 
comm="qemu-kvm" name="disk" dev=dm-3 ino=656740 
scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1352816002.979:249317): arch=c000003e syscall=2 success=no exit=-13 
a0=7fae966dbc20 a1=800 a2=0 a3=65636e6174736e69 items=0 ppid=2797 pid=2806 auid=0 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=19511 comm="qemu-kvm" 
exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352816002.980:249318): avc:  denied  { getattr } for  pid=2806 
comm="qemu-kvm" path="/var/lib/nova/instances/instance-000000a7/disk" dev=dm-3 
ino=656740 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1352816002.980:249318): arch=c000003e syscall=4 success=no exit=-13 
a0=7fae966dbc20 a1=7fffedb37730 a2=7fffedb37730 a3=65636e6174736e69 items=0 ppid=2797 pid=2806 
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=19511 
comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" 
subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1352816002.980:249319): avc:  denied  { read } for pid=2806 
comm="qemu-kvm" name="disk" dev=dm-3 ino=656740 
scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file

Disabling selinux it works fine.

Should I open a bug for this?


Probably. Let's get details first.
Can you renable SElinux, and then:

  setsebool -P allow_unconfined_qemu_transition 0

Does that minimal SELinux relaxation allow libguestfs to work?

thanks,
Pǽdraig.
_______________________________________________
cloud mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/cloud

Reply via email to