8:02 a.m.
Hi,
I use Munin plugin diskwatch to monitor a KVM-Host
and am getting AVC denials at access to logical volumes
labeled with type "svirt_image_t"
--------- snip ---------
Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-2. For
complete SELinux messages. run sealert -l
2b08f291-13be-4b09-878a-96cccc4c336d
# sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
SELinux is preventing /usr/bin/perl from getattr access on the
blk_file /dev/dm-2.
***** Plugin restorecon (99.5 confidence) suggests *************************
If you want to fix the label.
/dev/dm-2 default label should be fixed_disk_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/dm-2
--------- snip ---------
I setup the guests disk storage as logical volume.
And all of these are labeled with svirt_image_t as you see here:
# ls -lZ /dev/dm*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9
Should I really change the label or will that make problems for qemu?
Is it ok to grant access privileges to munin_disk_plugin_t ?
@drjohnson1: Will you then please add the following rules to SELinux
policy of munin-node:
--------------------------------
module diskwatch-pol 1.0;
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
Thanks for your advice and kind regards,
Gabriele
8:34 a.m.
On Fri, 2013-11-15 at 15:02 +0100, Gabriele Pohl wrote:
Hi,
I use Munin plugin diskwatch to monitor a KVM-Host
and am getting AVC denials at access to logical volumes
labeled with type "svirt_image_t"
snip<
Should I really change the label or will that make problems for
qemu?
Is it ok to grant access privileges to munin_disk_plugin_t ?
No, you should not change the label as setroubleshoot suggested.
@drjohnson1: Will you then please add the following rules to SELinux
policy of munin-node:
--------------------------------
module diskwatch-pol 1.0;
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
In theory you should add a rule like the above yes, but it is probably
not enough
Thanks for your advice and kind regards,
Gabriele
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
8:35 a.m.
On Fri, 2013-11-15 at 15:34 +0100, Dominick Grift wrote:
>
> #============= munin_disk_plugin_t ==============
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
> --------------------------------
>
In theory you should add a rule like the above yes, but it is probably
not enough
Actually hit send too soon.
In Fedora that might indeed do the trick
9:09 a.m.
Quoting Dominick Grift:
On Fri, 2013-11-15 at 15:34 +0100, Dominick Grift wrote:
> >
> > #============= munin_disk_plugin_t ==============
> > allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
> > --------------------------------
> >
>
> In theory you should add a rule like the above yes, but it is probably
> not enough
>
>
Actually hit send too soon.
In Fedora that might indeed do the trick
This is a CentOS server and it was not sufficient, as it seemed.
Applied the policy but AVC denials didn't stop..
Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-3. For
complete SELinux messages. run sealert -l
2b08f291-13be-4b09-878a-96cccc4c336d
When I use audit2allow a second time (grep on a fresh rotated audit.log file)
I get this:
--------------------------------
# cat diskwatch-pol2.te
module diskwatch-pol2 1.0;
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
#!!!! This avc is a constraint violation. You will need to add an
attribute to either the source or target type to make it work.
#Contraint rule:
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
How can I solve the issue?
Gabriele
9:16 a.m.
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
This is a CentOS server and it was not sufficient, as it seemed.
Applied the policy but AVC denials didn't stop..
Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-3. For
complete SELinux messages. run sealert -l
2b08f291-13be-4b09-878a-96cccc4c336d
When I use audit2allow a second time (grep on a fresh rotated audit.log file)
I get this:
--------------------------------
# cat diskwatch-pol2.te
module diskwatch-pol2 1.0;
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
#!!!! This avc is a constraint violation. You will need to add an
attribute to either the source or target type to make it work.
#Contraint rule:
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
How can I solve the issue?
See if this additional module does the trick:
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
10:09 a.m.
Quoting Dominick Grift :
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
> When I use audit2allow a second time (grep on a fresh rotated
> audit.log file)
> I get this:
> #!!!! This avc is a constraint violation. You will need to add an
> attribute to either the source or target type to make it work.
> #Contraint rule:
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
>
> --------------------------------
>
> How can I solve the issue?
See if this additional module does the trick:
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
thanks for you support!
I tried it:
# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
# make -f /usr/share/selinux/devel/Makefile diskstats-grift-pol.pp
Compiling targeted diskstats-grift-pol module
/usr/bin/checkmodule: loading policy configuration from
tmp/diskstats-grift-pol.tmp
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token
'\' on line 3217:
#line 2
\ type munin_disk_plugin_t;
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token
'\' on line 3217:
#line 2
\ type munin_disk_plugin_t;
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to
tmp/diskstats-grift-pol.mod
Creating targeted diskstats-grift-pol.pp policy package
rm tmp/diskstats-grift-pol.mod tmp/diskstats-grift-pol.mod.fc
I have a new module diskstats-grift-pol.pp now,
but didn't apply it yet because of the warnings.
ok to apply or do you have a recipe to avoid the warnings?
Gabriele
10:17 a.m.
On Fri, 2013-11-15 at 17:09 +0100, Gabriele Pohl wrote:
I tried it:
# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)
gen_require(\` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
<snip<
diskstats-grift-pol.te":2:WARNING 'unrecognized
character' at token
'\' on line 3217:
The "\" in "gen_require(\` type munin_disk_plugin_t; ')" can be
removed
I have a new module diskstats-grift-pol.pp now,
but didn't apply it yet because of the warnings.
ok to apply or do you have a recipe to avoid the warnings?
You need to keep you old diskstats-pol module loaded as well because
this is a two fold issue (Both a type enforcement issue, as well as a
MCS issue)
..Or you could merge the two, but the point is that my module does not
replace yours, instead it complements yours
hth
10:56 a.m.
Quoting Dominick Grift:
You need to keep you old diskstats-pol module loaded as well because
this is a two fold issue (Both a type enforcement issue, as well as a
MCS issue)
I thought so already :)
..Or you could merge the two, but the point is that my module does
not
replace yours, instead it complements yours
I merged it:
-------------- snip ----------------
module my-munin-diskstats 1.0;
gen_require(` type munin_disk_plugin_t; ')
mcs_file_read_all(munin_disk_plugin_t)
require {
type svirt_image_t;
type munin_disk_plugin_t;
class blk_file getattr;
}
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
-------------- snip ----------------
and replaced the old version with the new and
EUREKA! it works :-)
Nov 15 17:42:54 servername setroubleshoot: Deleting alert
2b08f291-13be-4b09-878a-96cccc4c336d, it is allowed in current policy
Thanks a lot for your help!
Gabriele
9:36 a.m.
On 11/15/2013 09:02 AM, Gabriele Pohl wrote:
Hi,
I use Munin plugin diskwatch to monitor a KVM-Host and am getting AVC
denials at access to logical volumes labeled with type "svirt_image_t"
--------- snip ---------
Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-2. For complete
SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
# sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d SELinux is preventing
/usr/bin/perl from getattr access on the blk_file /dev/dm-2.
***** Plugin restorecon (99.5 confidence) suggests
*************************
If you want to fix the label. /dev/dm-2 default label should be
fixed_disk_device_t. Then you can run restorecon. Do # /sbin/restorecon -v
/dev/dm-2
--------- snip ---------
I setup the guests disk storage as logical volume. And all of these are
labeled with svirt_image_t as you see here:
# ls -lZ /dev/dm* brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18 brw-rw----. root disk
system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19 brw-rw----. qemu qemu
system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2 brw-rw----. root
disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20 brw-rw----. root
disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21 brw-rw----. qemu
qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3 brw-rw----.
qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985
/dev/dm-5 brw-rw----. qemu qemu
system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6 brw-rw----. qemu
qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7 brw-rw----.
root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8 brw-rw----.
root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9
Should I really change the label or will that make problems for qemu? Is it
ok to grant access privileges to munin_disk_plugin_t ?
@drjohnson1: Will you then please add the following rules to SELinux policy
of munin-node:
-------------------------------- module diskwatch-pol 1.0;
require { type svirt_image_t; type munin_disk_plugin_t; class blk_file
getattr; }
#============= munin_disk_plugin_t ============== allow munin_disk_plugin_t
svirt_image_t:blk_file getattr; --------------------------------
Thanks for your advice and kind regards,
Gabriele
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
The allow rule is the proper thing to add.
3812
days inactive
3812
days old
selinux@lists.fedoraproject.org
8 comments
3 participants
participants (3)
-
Daniel J Walsh -
Dominick Grift -
Gabriele Pohl