[libvirt] [PATCH] Don't use O_TRUNC when opening QEMU logfiles

Daniel P. Berrange berrange at redhat.com
Fri Sep 21 12:00:26 UTC 2012


On Fri, Sep 21, 2012 at 12:54:25PM +0100, Richard W.M. Jones wrote:
> 
> On Fri, Sep 21, 2012 at 10:39:19AM +0100, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange at redhat.com>
> > 
> > SELinux wants all log files opened with O_APPEND. When
> > running non-root though, libvirtd likes to use O_TRUNC
> > to avoid log files growing in size indefinitely. Instead
> > of using O_TRUNC though, we can use O_APPEND and then
> > call ftruncate() which keeps SELinux happier.
> 
> As far as I can see, although this patch doesn't break anything, it
> doesn't fix the SELinux problem either.  SELinux still prevents qemu
> from writing to the log.  The AVCs look the same as before:
> 
> type=AVC msg=audit(1348227948.158:14174): avc:  denied  { append } for  pid=13139 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-wd6efsxohmy5jd2s.log" dev="dm-5" ino=1870215 scontext=unconfined_u:unconfined_r:svirt_t:s0:c69,c512 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
> type=AVC msg=audit(1348227948.158:14174): avc:  denied  { append } for  pid=13139 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-wd6efsxohmy5jd2s.log" dev="dm-5" ino=1870215 scontext=unconfined_u:unconfined_r:svirt_t:s0:c69,c512 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file

The target context here is unconfined_u:object_r:cache_home_t:s0 which
is wrong. The context ought to be virt_home_t instead of cache_home_t.
Try changing the libvirt directories to have virt_home_t as their type.
Then my patch ought to do something useful.

We need to check if SELinux policy knows about $HOME/.cache/libvirt
and $HOME/.config/libvirt, or whether it still only considers the
old location of $HOME/.libvirt.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
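The quoted patch description proposes opening QEMU log files with O_APPEND and then calling ftruncate() rather than opening them with O_TRUNC. The following is an added example written for this page, not code from libvirt or from either poster, showing that pattern in isolation: the file is opened append-only (which is what the SELinux log-file policy expects of the confined writer) and emptied by the opening process with ftruncate(), so a later writer that inherits the descriptor can only append. The path under /tmp and the helper names are this example's own.

```c
/* Added example (not libvirt's code): open a log file append-only and
 * then empty it with ftruncate(), instead of opening it with O_TRUNC.
 * The path and function names are constructed for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` with O_APPEND (never O_TRUNC) and then truncate it to zero
 * length, which gives the same "start fresh" result as O_TRUNC would.
 * Returns the open descriptor, or -1 on error. */
int open_log_append_truncate(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    /* Empty the file. Because the descriptor is in append mode, every
     * later write() still lands at the (now zero) end of file. */
    if (ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Current size of `path` in bytes, or -1 on error. */
long log_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* Demonstration: leave stale content in the log, reopen it through the
 * append+truncate helper, check the stale bytes are gone, then append a
 * fresh line. Returns the final file size, or -1 on any failure. */
long demo_log_reset(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    const char stale[] = "old log line from a previous run\n";
    if (write(fd, stale, sizeof(stale) - 1) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    fd = open_log_append_truncate(path);
    if (fd < 0)
        return -1;
    if (log_size(path) != 0) {        /* stale content must be gone */
        close(fd);
        return -1;
    }

    /* Constructed log line standing in for what QEMU would write. */
    const char fresh[] = "qemu started\n";
    if (write(fd, fresh, sizeof(fresh) - 1) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return log_size(path);            /* 13 bytes: the fresh line only */
}

int main(void)
{
    const char *path = "/tmp/example-qemu-guest.log";   /* constructed */
    long n = demo_log_reset(path);
    printf("final log size: %ld\n", n);
    unlink(path);
    return n == 13 ? 0 : 1;
}
```

The truncate happens in the process that opens the log, before the descriptor is handed to the confined guest process; from SELinux's point of view that process only ever performs an append on the file, which is the behaviour the quoted commit message says the policy wants.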
