libvirt and SELinux 'access denied' in a VM

Juerg Haefliger juergh at gmail.com
Tue Mar 25 07:44:00 UTC 2014


On Mon, Mar 24, 2014 at 4:22 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>
> On 03/24/2014 08:44 AM, Juerg Haefliger wrote:
> >
> >
> >
> > On Mon, Mar 24, 2014 at 1:14 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>
> > On 03/24/2014 06:28 AM, Juerg Haefliger wrote:
> >
> >
> >
> >> On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <juergh at gmail.com> wrote:
> >
> >
> >
> >
> >>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>>>
> >> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
> >>> Hi,
> >
> >>> I started a VM using the official F20 cloud image, installed libvirt
> >>> and its dependencies and tried to create a guest but SELinux won't let
> >>> me:
> >
> >>> [root at fedora-20 ~]# virsh create mini.xml
> >>> error: Failed to create domain from mini.xml
> >>> error: Input/output error
> >
> >>> [root at fedora-20 ~]# journalctl | tail
> >>> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
> >>> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
> >>> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
> >
> >>> [root at fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
> >>> 2014-03-21 14:23:06.740+0000: starting up
> >>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
> >>> 2014-03-21 14:23:06.744+0000: shutting down
> >
> >
> >>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >>> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
> >
> >>> I'm not overly familiar with SELinux. Is this a configuration issue?
> >>> Am I missing some policy packages or could this be an issue with the
> >>> cloud image?
> >
> >>> Works fine when I disable SELinux.
> >
> >>> Google found this, but it's old and apparently resolved:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=860235
> >
> >>> Thanks ...Juerg
> >
> >
> >
> >>> _______________________________________________
> >>> cloud mailing list
> >>> cloud at lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/cloud
> >>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> >
> >
> >> There is no SELinux data that you posted.  I don't think your machine is
> >> mislabeled.  Doing the /.autorelabel dance is a waste of time.
> >
> >> ausearch -m avc,user_avc -ts recent
> >
> >> After you have the problem, to see if SELinux posted any error messages.
> >
> >> If there are no messages then try to turn off dontaudit rules.
> >
> >> semodule -DB
> >> Run your test
> >> ausearch -m avc,user_avc -ts recent
> >
> >>>>
> >>>> This is all I get:
> >>>>
> >>>> time->Mon Mar 24 10:21:18 2014
> >>>> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >
> >
> >>> And all of 'ausearch -ts':
> >
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> ----
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> ----
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >>> ----
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> ----
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> >>> ----
> >>> time->Mon Mar 24 10:26:21 2014
> >>> type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
> >
> >
> >>>>
> >>>>
> >>>>
> >> And look for messages about virt.
> >
> >> This will turn dontaudit rules back on.
> >> semodule -B
> >
> >
> >
> >
> >
> >
> >
> > That AVC does not seem to be related. What AVCs did you see when you
> > disabled the dontaudit rules?
> >
> >
> >> There's only one (the last one) with enabled and disabled dontaudit
> >> rules:
> >
> >> [root at fedora-20 ~]# semodule -DB ; date ; virsh create mini.xml ; ausearch -m avc,user_avc -ts recent | tail -n 9
> >> Mon Mar 24 12:44:17 UTC 2014
> >> error: Failed to create domain from mini.xml
> >> error: Input/output error
> >
> >> ----
> >> time->Mon Mar 24 12:42:29 2014
> >> type=USER_AVC msg=audit(1395664949.793:23448): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >> ----
> >> time->Mon Mar 24 12:44:17 2014
> >> type=USER_AVC msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >> ----
> >> time->Mon Mar 24 12:44:18 2014
> >> type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> >
> >
> >
> >
> >
> >
> >
> >
> If you successfully disabled dontaudit rules, you should be seeing a lot more
> messages.

How do I check that? I issued 'semodule -DB'; it took a while to run but
didn't return any error.
Just tried the whole sequence again but all I get is the one USER_AVC
message.

What am I missing?
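Added example, not part of this thread: a small POSIX sh script that wraps the sequence Dan gave (semodule -DB, run the test, ausearch -m avc,user_avc -ts recent, semodule -B) and adds the check asked for above, i.e. whether the dontaudit rules are actually off before you trust an empty ausearch. It rests on two assumptions of mine: libsemanage marks a dontaudit-disabled policy build with a flag file named disable_dontaudit inside the policy store, which I take to live at /etc/selinux/targeted/modules/active on Fedora 20 and at /var/lib/selinux/targeted/active on later releases (set SELINUX_STORE if yours differs); and the second record in the constructed sample output is made up to show the shape of a virt-related denial, since the thread only ever shows the init_t one.

```shell
#!/bin/sh
# Added example (not from the thread). Wraps the diagnostic sequence from the
# thread and checks that dontaudit rules really are disabled before testing.

# libsemanage drops a flag file called disable_dontaudit into the policy store
# when the policy was rebuilt with 'semodule -DB' (or 'semanage dontaudit off').
# Store locations are assumptions: Fedora 20 layout first, newer layout second.
# Set SELINUX_STORE (space-separated list) to override.
dontaudit_disabled() {
    stores="${SELINUX_STORE:-/etc/selinux/targeted/modules/active /var/lib/selinux/targeted/active}"
    for store in $stores; do
        [ -e "$store/disable_dontaudit" ] && return 0
    done
    return 1
}

# Count 'avc: denied' records in ausearch output read from stdin.
count_denials() {
    grep -c 'avc: *denied'
}

# Reduce each denial to "scontext tcontext tclass perms", one per line, so a
# record can be matched against the domain you care about. Works for kernel
# AVC records and for USER_AVC records such as the ones systemd emits.
summarize_denials() {
    awk '/avc: *denied/ {
        perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = (perms == "" ? $j : perms "," $j)
            }
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        print s, t, c, perms
    }'
}

# Keep only denials that involve a virt domain or label (virtd_t, svirt_*,
# svirt_image_t, ...). The init_t -> init_t 'service start' denial seen in the
# thread is systemd refusing its own scope start and drops out here.
virt_related() {
    summarize_denials | grep 'virt' || true
}

# Constructed sample of ausearch output: the first record is the USER_AVC from
# the thread, the second is made up to show what an svirt denial looks like.
sample_ausearch() {
    cat <<'EOF'
time->Mon Mar 24 12:44:18 2014
type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 24 12:44:18 2014
type=AVC msg=audit(1395665058.100:23465): avc:  denied  { read open } for  pid=7301 comm="qemu-system-x86" name="mini.img" dev="vda1" ino=12345 scontext=system_u:system_r:svirt_tcg_t:s0:c728,c986 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
EOF
}

# Full sequence, to be run as root on the affected host: disable dontaudit,
# verify it took, reproduce, collect and summarize denials, then restore.
# Usage: sh avc_probe.sh --run virsh create mini.xml
run_probe() {
    semodule -DB
    if ! dontaudit_disabled; then
        echo "policy rebuilt but no disable_dontaudit marker found; check SELINUX_STORE" >&2
        return 1
    fi
    start=$(date '+%H:%M:%S')
    "$@" || true                                  # the failing action
    ausearch -m avc,user_avc -ts "$start" | summarize_denials
    semodule -B                                   # put dontaudit rules back
}

if [ "${1:-}" = "--run" ]; then
    shift
    run_probe "$@"
fi
```

Run it with the failing command after --run; it prints one line per denial in the window since the test started and restores the dontaudit rules afterwards. If the marker check fails right after semodule -DB, the policy was not rebuilt without dontaudit rules on this box and the "only one USER_AVC" result tells you nothing about libvirt yet.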



