Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Summary:
SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1 (xen_image_t).
Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/xen/images/XP1,
restorecon -v '/var/lib/xen/images/XP1'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:qemu_t Target Context user_u:object_r:xen_image_t Target Objects /var/lib/xen/images/XP1 [ file ] Source qemu-kvm Source Path /usr/bin/qemu-kvm Port <Unknown> Host saintloup.smith.man.ac.uk Source RPM Packages kvm-65-7.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-64.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name saintloup.smith.man.ac.uk Platform Linux saintloup.smith.man.ac.uk 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64 Alert Count 105 First Seen Tue 24 Jun 2008 11:14:08 BST Last Seen Tue 24 Jun 2008 11:15:23 BST Local ID ae1ef75a-23f4-495d-af20-604d56fa2cde Line Numbers
Raw Audit Messages
host=saintloup.smith.man.ac.uk type=AVC msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827 comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 scontext=system_u:system_r:qemu_t:s0 tcontext=user_u:object_r:xen_image_t:s0 tclass=file
host=saintloup.smith.man.ac.uk type=SYSCALL msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
I received a permission denied error when I tried manually to change the file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do anything.
Adam
On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:
Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Xen is not KVM.
Your image has the xen_image_t label because its in /var/lib/xen/images
By default KVM images live in /var/lib/libvirt/images/ and have virt_image_t label. Xen probably ought to be allowed to read virt_image_t and then we should change /var/lib/xen/images/ to also be virt_image_t and get rid of xen_image_t. It is not nice to have different labels and locations for different virt technology. So we should make sure everything is using the generic virt_image_t
In the meantime you can either move your images or relabel them to be virT_image_t for use with KVM
Regards, Daniel.
Daniel P. Berrange wrote:
On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:
Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Xen is not KVM.
Your image has the xen_image_t label because its in /var/lib/xen/images
Yes, I always found that location a bit odd, but that's where I was told to put them the last time I had similar trouble (i.e. if I didn't put them in /var/lib/xen/images, they wouldn't pick up the right context).
By default KVM images live in /var/lib/libvirt/images/ and have virt_image_t label. Xen probably ought to be allowed to read virt_image_t and then we should change /var/lib/xen/images/ to also be virt_image_t and get rid of xen_image_t. It is not nice to have different labels and locations for different virt technology. So we should make sure everything is using the generic virt_image_t
That would be simpler, yes.
In the meantime you can either move your images or relabel them to be virT_image_t for use with KVM
Yes, I've relabeled and that seems to have worked for now.
On a related point, will I need to apply virt_image_t to .iso files I'm mounting in these VMs?
Thanks, Adam
Adam Huffman wrote:
Daniel P. Berrange wrote:
On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote:
Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Xen is not KVM.
Your image has the xen_image_t label because its in /var/lib/xen/images
Yes, I always found that location a bit odd, but that's where I was told to put them the last time I had similar trouble (i.e. if I didn't put them in /var/lib/xen/images, they wouldn't pick up the right context).
By default KVM images live in /var/lib/libvirt/images/ and have virt_image_t label. Xen probably ought to be allowed to read virt_image_t and then we should change /var/lib/xen/images/ to also be virt_image_t and get rid of xen_image_t. It is not nice to have different labels and locations for different virt technology. So we should make sure everything is using the generic virt_image_t
That would be simpler, yes.
In the meantime you can either move your images or relabel them to be virT_image_t for use with KVM
Yes, I've relabeled and that seems to have worked for now.
On a related point, will I need to apply virt_image_t to .iso files I'm mounting in these VMs?
Thanks, Adam
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No just image files.
selinux@lists.fedoraproject.org