Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-19 Thread Trey Dockendorf
On Tue, Oct 18, 2011 at 7:30 AM, Daniel J Walsh dwa...@redhat.com wrote:


Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-18 Thread Daniel J Walsh

On 10/17/2011 03:40 PM, Trey Dockendorf wrote:
 

[CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-17 Thread Trey Dockendorf
Forwarding back to list.
-- Forwarded message --
From: Trey Dockendorf treyd...@gmail.com
Date: Oct 17, 2011 10:06 AM
Subject: Re: [CentOS] SELinux triggered during Libvirt snapshots
To: Daniel J Walsh dwa...@redhat.com



On Mon, Oct 17, 2011 at 7:47 AM, Daniel J Walsh dwa...@redhat.com wrote:


 On 10/14/2011 08:17 PM, Trey Dockendorf wrote:
  I recently began getting periodic emails from SEalert that SELinux
  is preventing /usr/libexec/qemu-kvm getattr access from the
  directory I store all my virtual machines for KVM.
 
  All VMs are stored under /vmstore, which is its own mount point,
  and every file and folder under /vmstore currently has the correct
  context that was set by doing the following:
  
  semanage fcontext -a -t virt_image_t "/vmstore(/.*)?"
  restorecon -R /vmstore
 
  So far I've noticed this when taking snapshots and also when using
  virsh to make changes to a domain's XML file.  I haven't had any
  problems for the 3 or 4 months I've run this KVM server using
  SELinux on Enforcing, and so I'm not really sure what information
  is helpful to debug this.  The server is CentOS 6 x86_64 updated to
  CR.  This is the raw audit entry, (hostname removed)
 
  node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied
  { getattr } for pid=1842 comm=qemu-kvm name=/ dev=dm-2 ino=2
  scontext=system_u:system_r:svirt_t:s0:c772,c779
  tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
  node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
  arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0
  a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295
  uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107
  fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm
  exe=/usr/libexec/qemu-kvm
  subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
 
  I've attached the alert email as a quote below, (hostname removed)
 
  Any help is greatly appreciated, I've had to deal little with
  SELinux fortunately, but at the moment am not really sure if my
  snapshots are actually functional or if this is just some false
  positive.
 
  Thanks - Trey
 
  Summary
 
  SELinux is preventing /usr/libexec/qemu-kvm getattr access on
  /vmstore.
 
  Detailed Description
 
  SELinux denied access requested by qemu-kvm. It is not expected
  that this
  access is required by qemu-kvm and this access may signal an
  intrusion attempt. It is also possible that the specific
  version or configuration of the application is causing it to
  require additional access.
 
  Allowing Access
 
  You can generate a local policy module to allow this access - see
  FAQ
  Please file a bug report.
 
  Additional Information
 
  Source Context:   system_u:system_r:svirt_t:s0:c772,c779
 
  Target Context:   system_u:object_r:fs_t:s0
 
  Target Objects:   /vmstore [ filesystem ]
 
  Source:   qemu-kvm
 
  Source Path:   /usr/libexec/qemu-kvm
 
  Port:   Unknown
 
  Host:   kvmhost.tld
 
  Source RPM Packages:   qemu-kvm-0.12.1.2-2.160.el6_1.8
 
  Target RPM Packages:
 
  Policy RPM:   selinux-policy-3.7.19-93.el6_1.7
 
  Selinux Enabled:   True
 
  Policy Type:   targeted
 
  Enforcing Mode:   Enforcing
 
  Plugin Name:   catchall
 
  Host Name:   kvmhost.tld
 
  Platform:   Linux kvmhost.tld 2.6.32-71.29.1.el6.x86_64 #1 SMP
  Mon Jun 27
  19:49:27 BST 2011 x86_64 x86_64
 
  Alert Count:   1
 
  First Seen:   Fri Oct 14 18:20:50 2011
 
  Last Seen:   Fri Oct 14 18:20:50 2011
 
  Local ID:   c73c7440-06ee-4611-80ac-712207ef9aa6
 
  Line Numbers:
 
  Raw Audit Messages :
 
 
  node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc:
  denied { getattr } for pid=1842 comm=qemu-kvm name=/
  dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779
  tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
 
  node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28):
  arch=c03e
  syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0
  a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107
  gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107
  tty=(none) ses=4294967295 comm=qemu-kvm
  exe=/usr/libexec/qemu-kvm
  subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
 
 
 


 This is a bug in policy.  It can be allowed for now.

 We have 6.2 selinux-policy preview package available on
 http://people.redhat.com/dwalsh/SELinux/RHEL6

 I believe all that is happening is qemu-kvm is noticing you have a
 file system mounted, and doing a getattr on it.


Thanks for the help Dan.  Is there something that 
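
Dan's diagnosis above (qemu-kvm doing a getattr on the mounted filesystem, a policy gap that can be allowed locally until the 6.2 policy lands) and sealert's "generate a local policy module" hint describe what audit2allow automates. What follows is an added example for this archive page, not code from the thread, from CentOS or from Red Hat: a small Python triage script that parses the two audit records quoted in the report (copied as the archive renders them, arch field included), decodes syscall 138 as fstatfs on the poster's x86_64 host, separates this exact denial pattern (svirt_t, class filesystem, only getattr) from denials a confined guest should never produce, and renders the same .te module that `audit2allow -M` would. The third sample record (a write to a shadow_t file) is constructed to exercise the review branch and did not occur on the poster's host; the module name local_svirt_fs and the category labels are this example's own choices.

```python
"""Triage of the AVC denial quoted in this thread and generation of the
local policy module that sealert's "Allowing Access" hint refers to.
Added example for this archive page; not code from the thread, from CentOS
or from Red Hat. Assumes an x86_64 host (as the poster's) for syscall names."""
import re
from typing import Any, Dict, List

# Constructed sample input. Lines 1 and 2 are the AVC and SYSCALL records the
# poster quoted, copied as the archive renders them (arch= included verbatim).
# Line 3 is CONSTRUCTED for this example and did not occur on the poster's
# host: it shows what a denial that deserves attention would look like.
SAMPLE_AUDIT = """\
node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm=qemu-kvm name=/ dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c03e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c772,c779 key=(null)
node=kvmhost.tld type=AVC msg=audit(1318634460.100:29): avc: denied { write } for pid=1842 comm=qemu-kvm name=shadow dev=dm-0 ino=131075 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
X86_64_SYSCALLS = {137: "statfs", 138: "fstatfs"}  # the two that stat a mounted filesystem


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type, e.g. system_u:object_r:fs_t:s0 -> fs_t."""
    return context.split(":")[2]


def parse_audit(text: str) -> List[Dict[str, Any]]:
    """Parse AVC records and join each with the SYSCALL record sharing its msg id."""
    avcs: Dict[str, Dict[str, Any]] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("type") == "AVC":
            m = AVC_RE.search(line)
            if m:
                rec: Dict[str, Any] = dict(KV_RE.findall(m.group("rest")))
                rec["perms"] = sorted(m.group("perms").split())
                avcs[fields["msg"]] = rec
        elif fields.get("type") == "SYSCALL":
            syscalls[fields["msg"]] = fields
    for msg_id, rec in avcs.items():
        sc = syscalls.get(msg_id, {})
        num = int(sc["syscall"]) if "syscall" in sc else None
        rec["syscall"] = X86_64_SYSCALLS.get(num, str(num)) if num is not None else "?"
        rec["exe"] = sc.get("exe", "?")
    return list(avcs.values())


def triage(rec: Dict[str, Any]) -> str:
    """Separate the pattern diagnosed in the thread from denials that need a look."""
    if selinux_type(rec["scontext"]) != "svirt_t":
        return "other"
    if rec["tclass"] == "filesystem" and set(rec["perms"]) <= {"getattr"}:
        # qemu-kvm stat'ing the mount that holds its image (name=/ ino=2 is the
        # root of dev dm-2). The object is the superblock, labelled fs_t by
        # policy, so semanage fcontext / restorecon cannot change it; only a
        # policy rule (or the fixed selinux-policy) can. Dan Walsh: policy bug.
        return "benign-policy-gap"
    return "review"  # a confined guest touching something other than its image


def allow_rule(rec: Dict[str, Any]) -> str:
    """The TE allow rule audit2allow would emit for one AVC record."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {selinux_type(rec['scontext'])} {selinux_type(rec['tcontext'])}:{rec['tclass']} {p};"


def local_module(recs: List[Dict[str, Any]], name: str = "local_svirt_fs") -> str:
    """Render a .te module in the layout `audit2allow -M` produces."""
    types, classes, rules = set(), {}, []
    for r in recs:
        types.update({selinux_type(r["scontext"]), selinux_type(r["tcontext"])})
        classes.setdefault(r["tclass"], set()).update(r["perms"])
        rules.append(allow_rule(r))
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in sorted(types)]
    body += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    body += ["}", ""] + rules
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for r in records:
        print(f"{r['exe']} {r['syscall']:8} {r['tclass']}:{' '.join(r['perms'])} -> {triage(r)}")
    benign = [r for r in records if triage(r) == "benign-policy-gap"]
    print(local_module(benign))
```

Running it classifies the thread's record as benign-policy-gap (fstatfs on fd 9, refused with EACCES, exit=-13) and the constructed shadow_t write as review, and prints a local_svirt_fs.te containing `allow svirt_t fs_t:filesystem getattr;`. Build and load it the way `audit2allow -M` would: `checkmodule -M -m -o local_svirt_fs.mod local_svirt_fs.te`, `semodule_package -o local_svirt_fs.pp -m local_svirt_fs.mod`, `semodule -i local_svirt_fs.pp`. Because the denied object is the filesystem itself rather than a file under /vmstore, the fcontext rule from the report is correct but irrelevant to this denial; once the selinux-policy update Dan points to is installed, remove the local module again with `semodule -r local_svirt_fs` so the allow rule does not outlive the bug it papers over.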

Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-17 Thread Daniel J Walsh

On 10/17/2011 11:19 AM, Trey Dockendorf wrote:
 Thanks for the help Dan.  Is there something that could have
 triggered this between 6.0 and 6.1?  This server was updated to 6.0
 CR around the same time this began happening, so I want to make
 sure if it's an issue in CR that I can file a useful bug report.
 
 When updating selinux-policy, do I have to update all the RPMs

Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-17 Thread Trey Dockendorf
On Oct 17, 2011 10:30 AM, Daniel J Walsh dwa...@redhat.com wrote:


 On 10/17/2011 11:19 AM, Trey Dockendorf wrote:

Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-17 Thread Daniel J Walsh

On 10/17/2011 02:09 PM, Trey Dockendorf wrote:

Re: [CentOS] Fwd: Re: SELinux triggered during Libvirt snapshots

2011-10-17 Thread Trey Dockendorf
On Oct 17, 2011 2:06 PM, Daniel J Walsh dwa...@redhat.com wrote:


 On 10/17/2011 02:09 PM, Trey Dockendorf wrote: