qemu-kvm AVCs for tmp_t with -smb

Tom London selinux at gmail.com
Wed Mar 5 23:24:15 UTC 2008


Running Rawhide with the targeted policy in permissive mode (denials are logged but not enforced):

I get the following AVC denials when I run "qemu-kvm .... -smb ~/dir":


type=AVC msg=audit(1204759184.650:46): avc:  denied  { write } for
pid=12188 comm="qemu-kvm" name="tmp" dev=dm-0 ino=2686977
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc:  denied  { add_name } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc:  denied  { create } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1204759184.650:46): arch=40000003 syscall=39
success=yes exit=0 a0=82cb740 a1=1c0 a2=8177c24 a3=bfd0e6fd items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)
type=AVC msg=audit(1204759184.650:47): avc:  denied  { write } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188" dev=dm-0 ino=2687085
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:47): avc:  denied  { add_name } for
pid=12188 comm="qemu-kvm" name="smb.conf"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:47): avc:  denied  { create } for
pid=12188 comm="qemu-kvm" name="smb.conf"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1204759184.650:47): avc:  denied  { write } for
pid=12188 comm="qemu-kvm" name="smb.conf" dev=dm-0 ino=2687118
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1204759184.650:47): arch=40000003 syscall=5
success=yes exit=3 a0=bfd0b150 a1=8241 a2=1b6 a3=240 items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)
type=AVC msg=audit(1204759184.651:48): avc:  denied  { getattr } for
pid=12188 comm="qemu-kvm" path="/tmp/qemu-smb.12188/smb.conf" dev=dm-0
ino=2687118 scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1204759184.651:48): arch=40000003 syscall=197
success=yes exit=0 a0=3 a1=bfd09fa4 a2=2aaff4 a3=a3c6d60 items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)

or, summarized as policy rules (audit2allow-style output):

#============= qemu_t ==============
# Rules covering the denials logged above: qemu-kvm, running as qemu_t,
# creates a directory in a tmp_t-labelled directory and then creates and
# writes smb.conf inside it.
# NOTE(review): these rules are scoped to the type, not to a path. They let
# qemu_t create and write any directory or file labelled tmp_t, not only its
# own qemu-smb.<pid> directory. A dedicated temporary type for qemu_t with a
# type transition from tmp_t may be a tighter fix; confirm against the policy.
allow qemu_t tmp_t:dir { write create add_name };
allow qemu_t tmp_t:file { write create getattr };


Is this a problem caused by my running the commands from a shell instead of
through virt-manager?

tom
-- 
Tom London



