Monitoring disk storage labeled with svirt_image_t

Gabriele Pohl gp at dipohl.com
Fri Nov 15 14:02:16 UTC 2013


Hi,

I use the Munin plugin diskwatch to monitor a KVM host
and am getting AVC denials on access to logical volumes
labeled with type "svirt_image_t":

--------- snip ---------

Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing  
/usr/bin/perl from getattr access on the blk_file /dev/dm-2. For  
complete SELinux messages. run sealert -l  
2b08f291-13be-4b09-878a-96cccc4c336d

# sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
SELinux is preventing /usr/bin/perl from getattr access on the  
blk_file /dev/dm-2.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/dev/dm-2 default label should be fixed_disk_device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/dm-2

--------- snip ---------

I set up the guests' disk storage as logical volumes,
and all of these are labeled with svirt_image_t as you see here:

# ls -lZ /dev/dm*
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9

Should I really change the label or will that make problems for qemu?
Is it ok to grant access privileges to munin_disk_plugin_t ?

@drjohnson1: Will you then please add the following rules to the SELinux
policy of munin-node:

--------------------------------
module diskwatch-pol 1.0;

require {
	type svirt_image_t;
	type munin_disk_plugin_t;
	class blk_file getattr;
}

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
--------------------------------

Thanks for your advice and kind regards,

Gabriele
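An added triage helper, not part of the original mail or of munin-node: it parses the `ls -lZ` listing and the setroubleshoot message quoted above, splits each SELinux context into user, role, type and MCS level, groups the svirt_image_t devices by their category pair (sVirt gives each running guest its own pair, so dm-2 and dm-3 belong to the same guest), and derives the allow rule a denial implies for a given source domain. The sample listing is a subset copied from the post, the source domain munin_disk_plugin_t comes from the post, and all function names are my own.

```python
"""Parse an `ls -lZ` listing and a setroubleshoot denial message, and
derive the policy rule the denial asks for.  Example code added to this
thread; function and constant names are assumptions, not munin-node APIs."""
import re
from collections import defaultdict

# Constructed sample: a subset of the `ls -lZ /dev/dm*` output from the mail.
SAMPLE_LISTING = """\
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
"""

# Constructed sample: the syslog line from the mail, re-joined onto one line.
SAMPLE_DENIAL = (
    "Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing "
    "/usr/bin/perl from getattr access on the blk_file /dev/dm-2. For "
    "complete SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d"
)

CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>.+)$")
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>\w+) access "
    r"on the (?P<cls>\w+) (?P<target>\S+)"
)


def parse_context(ctx):
    """Split user:role:type:level; the level is sensitivity plus optional MCS categories."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError("not a SELinux context: %r" % ctx)
    sensitivity, _, cats = m.group("level").partition(":")
    return {
        "user": m.group("user"),
        "role": m.group("role"),
        "type": m.group("type"),
        "sensitivity": sensitivity,
        # c119,c1011 -> {"c119", "c1011"}; an unlabeled level gives the empty set
        "categories": frozenset(cats.split(",")) if cats else frozenset(),
    }


def parse_listing(text):
    """One dict per block device line: mode, owner, group, context fields and path."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].startswith("b"):
            continue  # skip non-block-device lines and anything malformed
        mode, owner, group, ctx, path = parts
        entry = parse_context(ctx)
        entry.update(mode=mode, owner=owner, group=group, path=path)
        entries.append(entry)
    return entries


def group_by_guest(entries):
    """svirt_image_t devices keyed by MCS category set: each set is one guest's disks."""
    groups = defaultdict(list)
    for e in entries:
        if e["type"] == "svirt_image_t":
            groups[e["categories"]].append(e["path"])
    return dict(groups)


def suggest_allow_rule(denial_message, entries, source_domain):
    """Turn 'SELinux is preventing X from PERM access on the CLASS PATH' into an
    allow rule for source_domain, looking PATH's type up in the listing."""
    m = DENIAL_RE.search(denial_message)
    if not m:
        raise ValueError("unrecognised denial message")
    target = m.group("target").rstrip(".")  # the message ends the path with a period
    target_type = next((e["type"] for e in entries if e["path"] == target), None)
    if target_type is None:
        raise LookupError("target %s not in listing" % target)
    return "allow %s %s:%s %s;" % (source_domain, target_type, m.group("cls"), m.group("perm"))


if __name__ == "__main__":
    devices = parse_listing(SAMPLE_LISTING)
    for cats, paths in group_by_guest(devices).items():
        print(",".join(sorted(cats)), "->", " ".join(paths))
    print(suggest_allow_rule(SAMPLE_DENIAL, devices, "munin_disk_plugin_t"))
```

The derived rule is the same `allow munin_disk_plugin_t svirt_image_t:blk_file getattr;` line proposed in the mail. The category grouping is the reason relabeling to fixed_disk_device_t is the wrong fix: the per-guest categories are what keep one qemu process from touching another guest's volume, and a type change discards them.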


