KVM image problems

Adam Huffman adam.huffman at gmail.com
Tue Jun 24 11:57:20 UTC 2008 

Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm 
now seeing errors when running a virtual machine via KVM.

The image was created in virt-install quite a while ago:

-rwxr-xr-x  root root system_u:object_r:xen_image_t    XP1

However, after changing to enforcing mode I saw lots of these errors:

>
> Summary:
>
> SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1
> (xen_image_t).
>
> Detailed Description:
>
> SELinux denied access requested by qemu-kvm. It is not expected that 
> this access
> is required by qemu-kvm and this access may signal an intrusion 
> attempt. It is
> also possible that the specific version or configuration of the 
> application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try 
> to restore
> the default system file context for /var/lib/xen/images/XP1,
>
> restorecon -v '/var/lib/xen/images/XP1'
>
> If this does not work, there is currently no automatic way to allow 
> this access.
> Instead, you can generate a local policy module to allow this access - 
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
> disable
> SELinux protection altogether. Disabling SELinux protection is not 
> recommended.
> Please file a bug report 
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:qemu_t
> Target Context                user_u:object_r:xen_image_t
> Target Objects                /var/lib/xen/images/XP1 [ file ]
> Source                        qemu-kvm
> Source Path                   /usr/bin/qemu-kvm
> Port                          <Unknown>
> Host                          saintloup.smith.man.ac.uk
> Source RPM Packages           kvm-65-7.fc9
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.3.1-64.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk
>                               2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 
> 16:05:21
>                               EDT 2008 x86_64 x86_64
> Alert Count                   105
> First Seen                    Tue 24 Jun 2008 11:14:08 BST
> Last Seen                     Tue 24 Jun 2008 11:15:23 BST
> Local ID                      ae1ef75a-23f4-495d-af20-604d56fa2cde
> Line Numbers                  
>
> Raw Audit Messages            
>
> host=saintloup.smith.man.ac.uk type=AVC 
> msg=audit(1214302523.807:45871): avc:  denied  { write } for  pid=6827 
> comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 
> scontext=system_u:system_r:qemu_t:s0 
> tcontext=user_u:object_r:xen_image_t:s0 tclass=file
>
> host=saintloup.smith.man.ac.uk type=SYSCALL 
> msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no 
> exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" 
> exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
>
>

I received a permission denied error when I tried manually to change the 
file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do 
anything.

Adam

More information about the fedora-selinux-list mailing list