Hi,
I use Munin plugin diskwatch to monitor a KVM-Host and am getting AVC denials at access to logical volumes labeled with type "svirt_image_t"
--------- snip ---------
Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-2. For complete SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
# sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-2.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label. /dev/dm-2 default label should be fixed_disk_device_t. Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/dm-2
--------- snip ---------
I setup the guests disk storage as logical volume. And all of these are labeled with svirt_image_t as you see here:
# ls -lZ /dev/dm*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9
Should I really change the label or will that make problems for qemu? Is it ok to grant access privileges to munin_disk_plugin_t ?
@drjohnson1: Will you then please add the following rules to SELinux policy of munin-node:
--------------------------------
module diskwatch-pol 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
Thanks for your advice and kind regards,
Gabriele
On Fri, 2013-11-15 at 15:02 +0100, Gabriele Pohl wrote:
Hi,
I use Munin plugin diskwatch to monitor a KVM-Host and am getting AVC denials at access to logical volumes labeled with type "svirt_image_t"
<snip>
Should I really change the label or will that make problems for qemu? Is it ok to grant access privileges to munin_disk_plugin_t ?
No, you should not change the label as setroubleshoot suggested.
@drjohnson1: Will you then please add the following rules to SELinux policy of munin-node:
module diskwatch-pol 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
In theory you should add a rule like the above yes, but it is probably not enough
Thanks for your advice and kind regards,
Gabriele
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Fri, 2013-11-15 at 15:34 +0100, Dominick Grift wrote:
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
In theory you should add a rule like the above yes, but it is probably not enough
Actually hit send too soon.
In Fedora that might indeed do the trick
Quoting Dominick Grift:
On Fri, 2013-11-15 at 15:34 +0100, Dominick Grift wrote:
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
In theory you should add a rule like the above yes, but it is probably not enough
Actually hit send too soon.
In Fedora that might indeed do the trick
This is a CentOS server and it was not sufficient, as it seemed. I applied the policy but the AVC denials didn't stop.
Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-3. For complete SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
When I use audit2allow a second time (grep on a fresh rotated audit.log file) I get this:
--------------------------------
# cat diskwatch-pol2.te
module diskwatch-pol2 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
#	allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
How can I solve the issue?
Gabriele
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
This is a CentOS server and it was not sufficient, as it seemed. I applied the policy but the AVC denials didn't stop.
Nov 15 15:48:06 servername setroubleshoot: SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-3. For complete SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
When I use audit2allow a second time (grep on a fresh rotated audit.log file) I get this:
# cat diskwatch-pol2.te
module diskwatch-pol2 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
#	allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
How can I solve the issue?
See if this additional module does the trick:
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)

gen_require(`
	type munin_disk_plugin_t;
')

mcs_file_read_all(munin_disk_plugin_t)
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
Quoting Dominick Grift :
On Fri, 2013-11-15 at 16:09 +0100, Gabriele Pohl wrote:
When I use audit2allow a second time (grep on a fresh rotated audit.log file) I get this:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
#	allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
How can I solve the issue?
See if this additional module does the trick:
cat >> mytest.te <<EOF
policy_module(mytest, 1.0.0)

gen_require(`
	type munin_disk_plugin_t;
')

mcs_file_read_all(munin_disk_plugin_t)
EOF

make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
Thanks for your support!
I tried it:
# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)

gen_require(`
	type munin_disk_plugin_t;
')

mcs_file_read_all(munin_disk_plugin_t)

# make -f /usr/share/selinux/devel/Makefile diskstats-grift-pol.pp
Compiling targeted diskstats-grift-pol module
/usr/bin/checkmodule: loading policy configuration from tmp/diskstats-grift-pol.tmp
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token '' on line 3217:
#line 2 \ type munin_disk_plugin_t;
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token '' on line 3217:
#line 2 \ type munin_disk_plugin_t;
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/diskstats-grift-pol.mod
Creating targeted diskstats-grift-pol.pp policy package
rm tmp/diskstats-grift-pol.mod tmp/diskstats-grift-pol.mod.fc
I have a new module diskstats-grift-pol.pp now, but didn't apply it yet because of the warnings.
ok to apply or do you have a recipe to avoid the warnings?
Gabriele
On Fri, 2013-11-15 at 17:09 +0100, Gabriele Pohl wrote:
I tried it:
# cat diskstats-grift-pol.te
policy_module(diskstats-grift, 1.0.0)

gen_require(`
	type munin_disk_plugin_t;
')

mcs_file_read_all(munin_disk_plugin_t)
<snip>
diskstats-grift-pol.te":2:WARNING 'unrecognized character' at token '' on line 3217:
The "" in "gen_require(` type munin_disk_plugin_t; ')" can be removed
I have a new module diskstats-grift-pol.pp now, but didn't apply it yet because of the warnings.
ok to apply or do you have a recipe to avoid the warnings?
You need to keep your old diskstats-pol module loaded as well because this is a two fold issue (both a type enforcement issue, as well as a MCS issue)
..Or you could merge the two, but the point is that my module does not replace yours, instead it complements yours
hth
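The "two fold issue" above (a type enforcement denial plus an MCS category constraint) can be told apart from the audit records themselves. The following Python script is an added example, not code from the thread, from munin-node or from the SELinux policy projects: it parses AVC records, prints the TE allow rule that audit2allow would print, checks whether the subject's MCS categories dominate the object's (the check that a plain allow rule cannot satisfy), and renders a refpolicy-style .te that adds mcs_file_read_all() only for the types that actually hit the constraint. The audit lines are constructed to match the contexts shown in the thread; the set of permissions the MCS read constraint covers is a simplification of the refpolicy mcs file and is marked as an assumption in the code.

```python
"""Triage SELinux AVC denials for the two halves of the problem discussed in
this thread: the type-enforcement (TE) rule that audit2allow prints, and the
MCS category dominance that a plain allow rule cannot fix.

Added example; not code from the thread, from munin-node or from the SELinux
policy projects.  The audit records below are constructed to match the
contexts shown in the thread (munin_disk_plugin_t touching svirt_image_t
block devices that carry per-guest categories)."""
import re

# Constructed sample records (not real audit.log lines from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1384522390.123:4711): avc:  denied  { getattr } for  pid=2345 comm="perl" path="/dev/dm-2" dev="devtmpfs" ino=12345 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c119,c1011 tclass=blk_file
type=AVC msg=audit(1384522390.456:4712): avc:  denied  { getattr } for  pid=2345 comm="perl" path="/dev/dm-4" dev="devtmpfs" ino=12347 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c272,c985 tclass=blk_file
type=AVC msg=audit(1384522391.789:4713): avc:  denied  { read } for  pid=2345 comm="perl" path="/dev/dm-8" dev="devtmpfs" ino=12351 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions the refpolicy MCS read constraint covers for file-like classes.
# Assumption: simplified from policy/mcs; getattr is in that set, which is why
# the thread's getattr denial came back as a constraint violation.
MCS_READ_PERMS = {"read", "getattr", "execute"}


def expand_categories(spec):
    """'c119,c1011' or 'c0.c1023' -> set of integer category numbers."""
    cats = set()
    for part in spec.split(","):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def split_context(ctx):
    """'user:role:type:level' -> (type, categories of the high level)."""
    _user, _role, type_, level = ctx.split(":", 3)
    high = level.split("-")[-1]  # 's0-s0:c0.c1023' -> high end of the range
    cats = expand_categories(high.split(":", 1)[1]) if ":" in high else set()
    return type_, cats


def triage(line):
    """Return a dict describing one denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m["perms"].split())
    stype, scats = split_context(m["scontext"])
    ttype, tcats = split_context(m["tcontext"])
    missing = sorted(tcats - scats)
    return {
        "stype": stype, "ttype": ttype, "tclass": m["tclass"], "perms": perms,
        # The TE half: exactly what audit2allow would print for this record.
        "te_rule": f"allow {stype} {ttype}:{m['tclass']} {{ {' '.join(sorted(perms))} }};",
        # The MCS half: the subject's categories must dominate the object's
        # for read-like access; otherwise the TE rule alone is not enough.
        "mcs_blocked": bool(missing) and bool(perms & MCS_READ_PERMS),
        "missing_categories": missing,
    }


def triage_log(text):
    return [r for r in (triage(line) for line in text.splitlines()) if r]


def suggest_module(name, results):
    """Render a refpolicy-style .te covering both halves, using the
    mcs_file_read_all() interface from the thread where MCS blocks access."""
    perms_by_class = {}
    for r in results:
        perms_by_class.setdefault(r["tclass"], set()).update(r["perms"])
    types = sorted({r["stype"] for r in results} | {r["ttype"] for r in results})
    out = [f"policy_module({name}, 1.0.0)", "", "gen_require(`"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(perms_by_class.items())]
    out += ["')", ""]
    out += sorted({r["te_rule"] for r in results})
    for t in sorted({r["stype"] for r in results if r["mcs_blocked"]}):
        out.append(f"mcs_file_read_all({t})")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    results = triage_log(SAMPLE_AVC)
    for r in results:
        flag = "TE + MCS" if r["mcs_blocked"] else "TE only"
        print(f"{flag:8} {r['te_rule']}  missing categories: {r['missing_categories']}")
    print(suggest_module("mytest", results))
```

Run it against a real audit.log with `triage_log(open("/var/log/audit/audit.log").read())`; the records for the svirt_image_t devices come back flagged "TE + MCS" while the fixed_disk_device_t record is "TE only", which is the distinction audit2allow only reveals on the second pass once the TE rule is already loaded. The rendered module is the same shape as the merged one later in the thread: the allow rule and the mcs_file_read_all() call side by side, because neither alone clears the denial.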
Quoting Dominick Grift:
You need to keep your old diskstats-pol module loaded as well because this is a two fold issue (both a type enforcement issue, as well as a MCS issue)
I thought so already :)
..Or you could merge the two, but the point is that my module does not replace yours, instead it complements yours
I merged it:
-------------- snip ----------------
module my-munin-diskstats 1.0;

gen_require(`
	type munin_disk_plugin_t;
')

mcs_file_read_all(munin_disk_plugin_t)

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
-------------- snip ----------------
and replaced the old version with the new and EUREKA! it works :-)
Nov 15 17:42:54 servername setroubleshoot: Deleting alert 2b08f291-13be-4b09-878a-96cccc4c336d, it is allowed in current policy
Thanks a lot for your help!
Gabriele
On 11/15/2013 09:02 AM, Gabriele Pohl wrote:
Hi,
I use Munin plugin diskwatch to monitor a KVM-Host and am getting AVC denials at access to logical volumes labeled with type "svirt_image_t"
--------- snip ---------
Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-2. For complete SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
# sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-2.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label. /dev/dm-2 default label should be fixed_disk_device_t. Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/dm-2
--------- snip ---------
I setup the guests disk storage as logical volume. And all of these are labeled with svirt_image_t as you see here:
# ls -lZ /dev/dm*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9
Should I really change the label or will that make problems for qemu? Is it ok to grant access privileges to munin_disk_plugin_t ?
@drjohnson1: Will you then please add the following rules to SELinux policy of munin-node:
--------------------------------
module diskwatch-pol 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------
Thanks for your advice and kind regards,
Gabriele
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
The allow rule is the proper thing to add.