KVM image problems
Adam Huffman
adam.huffman at gmail.com
Tue Jun 24 11:57:20 UTC 2008
Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm
now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
>
> Summary:
>
> SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1
> (xen_image_t).
>
> Detailed Description:
>
> SELinux denied access requested by qemu-kvm. It is not expected that this
> access is required by qemu-kvm and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /var/lib/xen/images/XP1,
>
> restorecon -v '/var/lib/xen/images/XP1'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this access -
> see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context        system_u:system_r:qemu_t
> Target Context        user_u:object_r:xen_image_t
> Target Objects        /var/lib/xen/images/XP1 [ file ]
> Source                qemu-kvm
> Source Path           /usr/bin/qemu-kvm
> Port                  <Unknown>
> Host                  saintloup.smith.man.ac.uk
> Source RPM Packages   kvm-65-7.fc9
> Target RPM Packages
> Policy RPM            selinux-policy-3.3.1-64.fc9
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_file
> Host Name             saintloup.smith.man.ac.uk
> Platform              Linux saintloup.smith.man.ac.uk
>                       2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21
>                       EDT 2008 x86_64 x86_64
> Alert Count           105
> First Seen            Tue 24 Jun 2008 11:14:08 BST
> Last Seen             Tue 24 Jun 2008 11:15:23 BST
> Local ID              ae1ef75a-23f4-495d-af20-604d56fa2cde
> Line Numbers
>
> Raw Audit Messages
>
> host=saintloup.smith.man.ac.uk type=AVC
> msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827
> comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983
> scontext=system_u:system_r:qemu_t:s0
> tcontext=user_u:object_r:xen_image_t:s0 tclass=file
>
> host=saintloup.smith.man.ac.uk type=SYSCALL
> msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no
> exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm"
> exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
>
>
I received a permission denied error when I tried manually to change the
file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do
anything.
Adam
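
The raw AVC record quoted in the message above can be split into the fields that decide the denial (source domain, target type, object class, permission). The following is an added example, not part of the original post; the function names are hypothetical, and the sample text is the record from the post with its mail quoting and line wrapping left intact.

```python
import re

# AVC record copied from the post above, "> " quoting and hard wraps intact.
QUOTED_AVC = """\
> host=saintloup.smith.man.ac.uk type=AVC
> msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827
> comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983
> scontext=system_u:system_r:qemu_t:s0
> tcontext=user_u:object_r:xen_image_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def unquote_mail(text):
    """Strip '> ' quote markers and rejoin hard-wrapped lines into one record."""
    parts = [re.sub(r"^(>\s?)+", "", line).strip() for line in text.splitlines()]
    return " ".join(p for p in parts if p)


def split_context(ctx):
    """Split user:role:type[:level]; an MLS level may itself contain colons."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}


def parse_avc(text):
    record = unquote_mail(text)
    avc = AVC_RE.search(record)
    if avc is None:
        return None  # not an AVC record, e.g. the paired SYSCALL record
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group(3))}
    stamp = AUDIT_ID_RE.search(record)
    return {
        "result": avc.group(1),
        "perms": avc.group(2).split(),
        # The serial number ties this record to its SYSCALL record.
        "serial": int(stamp.group(2)) if stamp else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

if __name__ == "__main__":
    print(parse_avc(QUOTED_AVC))
```
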