On 03/24/2014 06:28 AM, Juerg Haefliger wrote:
>
> On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <juergh@xxxxxxxxx> wrote:
>>
>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>
>>> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
>>>> Hi,
>>>>
>>>> I started a VM using the official F20 cloud image, installed libvirt and
>>>> its dependencies and tried to create a guest but SELinux won't let me:
>>>>
>>>> [root@fedora-20 ~]# virsh create mini.xml
>>>> error: Failed to create domain from mini.xml
>>>> error: Input/output error
>>>>
>>>> [root@fedora-20 ~]# journalctl | tail
>>>> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
>>>> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
>>>> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
>>>>
>>>> [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
>>>> 2014-03-21 14:23:06.740+0000: starting up
>>>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
>>>> 2014-03-21 14:23:06.744+0000: shutting down
>>>>
>>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>> type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>> type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>>>>
>>>> I'm not overly familiar with SELinux. Is this a configuration issue? Am
>>>> I missing some policy packages or could this be an issue with the cloud
>>>> image?
>>>>
>>>> Works fine when I disable SELinux.
>>>>
>>>> Google found this, but it's old and apparently resolved:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=860235
>>>>
>>>> Thanks
>>>> ...Juerg
>>>>
>>>> _______________________________________________
>>>> cloud mailing list
>>>> cloud@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>>>
>>> There is no SELinux data that you posted. I don't think your machine is
>>> mislabeled. Doing the /.autorelabel dance is a waste of time.
>>>
>>> ausearch -m avc,user_avc -ts recent
>>>
>>> After you have the problem, to see if SELinux posted any error messages.
>>>
>>> If there are no messages then try to turn off dontaudit rules.
>>>
>>> semodule -DB
>>> Run your test
>>> ausearch -m avc,user_avc -ts recent
>>
>> This is all I get:
>>
>> time->Mon Mar 24 10:21:18 2014
>> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>
>> And all of 'ausearch -ts':
>>
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>>
>>> And look for messages about virt.
>>>
>>> This will turn dontaudit rules back on.
>>>
>>> semodule -B
>

That AVC does not seem to be related. What AVCs did you see when you disabled the dontaudit rules?
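The triage step Dan describes (run ausearch for avc/user_avc records, optionally with dontaudit rules disabled, then look for anything that mentions virt) can be mechanised. The script below is an added example written for this archive page; it is not code from the thread, from libvirt or from the audit tools. It parses raw records in the format ausearch prints, extracts the denial (permission set, source and target context, object class) and flags whether either side of the denial is a libvirt/qemu SELinux type. Applied to the records quoted above it reports the init_t -> init_t service "start" denial as unrelated to virt, which is the conclusion in the reply. The first two sample records are copied from the thread; the third is a constructed kernel AVC record, included only so that both record shapes are exercised.

```python
"""Triage the audit records that ``ausearch -m avc,user_avc`` prints.

Added example for this thread; not code from the original mail or from the
SELinux/audit tools. Parses raw records, extracts each denial and flags
whether a libvirt/qemu SELinux type is involved on either side.
"""
import re

# Constructed sample input: records 1 and 2 are copied from the thread,
# record 3 is made up here to show a kernel AVC alongside a USER_AVC.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1395656781.300:22611): avc:  denied  { read } for  pid=529 comm="libvirtd" name="mini.xml" dev="vda1" ino=12345 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# type=... msg=audit(<epoch seconds>:<serial>): header every record carries.
RECORD_RE = re.compile(
    r"type=(?P<type>\S+)\s+msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):")
# The denial itself: "avc: denied { perm perm } for ..." (kernel AVC records
# use double spaces, USER_AVC records single ones, hence \s+).
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for")
# key=value fields we care about; the lookbehind stops 'vm-pid=-1' and
# 'hostname=?' from being read as 'pid=' and 'name=' fields.
FIELD_RE = re.compile(
    r"(?<![\w-])(scontext|tcontext|tclass|comm|exe|pid|name)=(\"[^\"]*\"|\S+)")
# SELinux type prefixes that belong to libvirt/qemu domains and objects.
VIRT_TYPE_PREFIXES = ("virt", "svirt", "qemu")


def _type_of(context):
    """Return the type (third field) of an SELinux context such as
    system_u:system_r:virtd_t:s0-s0:c0.c1023; None for DAC ids like 107:107."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_audit_records(text):
    """Parse ausearch-style output into a list of dicts, one per record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        header = RECORD_RE.search(line)
        if not header:
            continue  # blank lines, "----" separators, "time->" lines
        rec = {"type": header.group("type"), "time": float(header.group("time")),
               "serial": int(header.group("serial")), "denied": False,
               "permissions": [], "scontext": None, "tcontext": None,
               "tclass": None, "raw": line}
        denied = DENIED_RE.search(line)
        if denied:
            rec["denied"] = True
            rec["permissions"] = denied.group("perms").split()
        for key, value in FIELD_RE.findall(line):
            rec[key] = value.strip('"')
        rec["source_type"] = _type_of(rec["scontext"]) if rec["scontext"] else None
        rec["target_type"] = _type_of(rec["tcontext"]) if rec["tcontext"] else None
        records.append(rec)
    return records


def denials(records):
    """Keep only records that carry an 'avc: denied' message."""
    return [r for r in records if r["denied"]]


def is_virt_related(rec):
    """True if the source or target type of the denial is a libvirt/qemu type."""
    return any(t is not None and t.startswith(VIRT_TYPE_PREFIXES)
               for t in (rec["source_type"], rec["target_type"]))


def summarize(rec):
    """One-line triage string for a denial record."""
    tag = "virt-related" if is_virt_related(rec) else "unrelated to virt"
    return "%s #%d: denied {%s} %s -> %s class=%s (%s)" % (
        rec["type"], rec["serial"], " ".join(rec["permissions"]),
        rec["source_type"], rec["target_type"], rec["tclass"], tag)


if __name__ == "__main__":
    for record in denials(parse_audit_records(SAMPLE_AUDIT)):
        print(summarize(record))
```

To use it on a real host, feed it the output of the ausearch command from the thread instead of SAMPLE_AUDIT (for example via sys.stdin.read()). The classification is deliberately narrow: a denial is only tagged virt-related when one of its SELinux types starts with virt, svirt or qemu, so a systemd-internal denial such as the init_t service start shown in the thread is reported separately rather than being mistaken for the cause of the libvirt failure.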