Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Summary:
SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1 (xen_image_t).
Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/xen/images/XP1,
restorecon -v '/var/lib/xen/images/XP1'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:qemu_t
Target Context                user_u:object_r:xen_image_t
Target Objects                /var/lib/xen/images/XP1 [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          saintloup.smith.man.ac.uk
Source RPM Packages           kvm-65-7.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-64.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     saintloup.smith.man.ac.uk
Platform                      Linux saintloup.smith.man.ac.uk 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64
Alert Count                   105
First Seen                    Tue 24 Jun 2008 11:14:08 BST
Last Seen                     Tue 24 Jun 2008 11:15:23 BST
Local ID                      ae1ef75a-23f4-495d-af20-604d56fa2cde
Line Numbers
Raw Audit Messages
host=saintloup.smith.man.ac.uk type=AVC msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827 comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 scontext=system_u:system_r:qemu_t:s0 tcontext=user_u:object_r:xen_image_t:s0 tclass=file
host=saintloup.smith.man.ac.uk type=SYSCALL msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
I received a permission denied error when I tried manually to change the file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do anything.
Adam
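As an added example (not part of Adam's post or of setroubleshoot), the following Python parses a raw AVC record of the kind quoted above into its fields, pulls out the source and target SELinux types, and prints the kind of type-enforcement rule a local policy module would need for that exact denial. The sample line is the AVC message from the post, embedded as a constant so the script runs offline; the class, function and constant names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the raw AVC line quoted in the post (with the host= prefix
# that setroubleshoot prepends). A SYSCALL record is included to show that only
# AVC records are parsed.
SAMPLE_AVC = (
    'host=saintloup.smith.man.ac.uk type=AVC msg=audit(1214302523.807:45871): '
    'avc: denied { write } for pid=6827 comm="qemu-kvm" '
    'path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 '
    'scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=user_u:object_r:xen_image_t:s0 tclass=file'
)
SAMPLE_SYSCALL = (
    'host=saintloup.smith.man.ac.uk type=SYSCALL msg=audit(1214302523.807:45871): '
    'arch=c000003e syscall=1 success=no exit=-13 comm="qemu-kvm"'
)

# Matches the fixed prefix of an AVC denial; everything after "for" is key=value.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    event_id: str          # "timestamp:serial" from msg=audit(...)
    perms: List[str]       # permissions denied, e.g. ["write"]
    pid: int
    comm: str
    path: Optional[str]    # absent for some object classes (sockets, etc.)
    scontext: str          # full source context user:role:type:level
    tcontext: str          # full target context user:role:type:level
    tclass: str            # object class, e.g. "file"

    @property
    def source_type(self) -> str:
        # context is user:role:type[:level]; the type is the third field
        return self.scontext.split(':')[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(':')[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one raw audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(
        event_id=f"{m.group('ts')}:{m.group('serial')}",
        perms=m.group('perms').split(),
        pid=int(fields['pid']),
        comm=fields['comm'],
        path=fields.get('path'),
        scontext=fields['scontext'],
        tcontext=fields['tcontext'],
        tclass=fields['tclass'],
    )


def suggest_te_rule(d: AvcDenial) -> str:
    """Type-enforcement allow rule covering exactly this denial (TE syntax)."""
    return (f"allow {d.source_type} {d.target_type}:{d.tclass} "
            f"{{ {' '.join(d.perms)} }};")


def summarize(d: AvcDenial) -> str:
    """One-line triage summary of who was denied what on which object."""
    obj = d.path if d.path else f"<{d.tclass}>"
    return (f"{d.comm}[{d.pid}] ({d.source_type}) denied "
            f"{','.join(d.perms)} on {obj} ({d.target_type}, class {d.tclass})")


if __name__ == "__main__":
    for raw in (SAMPLE_AVC, SAMPLE_SYSCALL):
        denial = parse_avc(raw)
        if denial is None:
            print("skipped non-AVC record")
            continue
        print(summarize(denial))
        print("rule needed:", suggest_te_rule(denial))
```

Run against a live audit log with `ausearch -m avc --raw | python3 this_script.py`-style piping after replacing the sample constants with `sys.stdin`; the rule string is what you would then review before deciding whether a local module, a relabel, or a bug report is the right response.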