Re: libvirt and SELinux 'access denied' in a VM


 



After you run

semodule -DB

Does

sesearch --dontaudit

give you any output?


On 03/25/2014 03:44 AM, Juerg Haefliger wrote:
>
>
>
> On Mon, Mar 24, 2014 at 4:22 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> >

On 03/24/2014 08:44 AM, Juerg Haefliger wrote:



> On Mon, Mar 24, 2014 at 1:14 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
> On 03/24/2014 06:28 AM, Juerg Haefliger wrote:



>> On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <juergh@xxxxxxxxx> wrote:




>>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>>>
>> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
>>> Hi,

>>> I started a VM using the official F20 cloud image, installed libvirt
>>> and its dependencies and tried to create a guest but SELinux won't let
>>> me:

>>> [root@fedora-20 ~]# virsh create mini.xml
>>> error: Failed to create domain from mini.xml
>>> error: Input/output error

>>> [root@fedora-20 ~]# journalctl | tail
>>> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
>>> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
>>> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error

>>> [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
>>> 2014-03-21 14:23:06.740+0000: starting up
>>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
>>> QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine
>>> pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp
>>> 1,sockets=1,cores=1,threads=1 -uuid
>>> 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config
>>> -nodefaults -chardev
>>> socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait
>>> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
>>> -no-shutdown
>>> -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device
>>> virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
>>> 2014-03-21 14:23:06.744+0000: shutting down


>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>>> vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986
>>> img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107
>>> img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=?
>>> terminal=? res=success' type=USER_AVC msg=audit(1395412399.788:283):
>>> pid=1 uid=0 auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:init_t:s0 msg='avc: denied  { start } for
>>> auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=service
>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem
>>> reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>>> old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=?
>>> terminal=? res=success' type=VIRT_RESOURCE
>>> msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295
>>> ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu resrc=vcpu reason=start vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0
>>> auid=4294967295 ses=4294967295
>>> subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start
>>> reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>>> vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?
>>> res=failed'

>>> I'm not overly familiar with SELinux. Is this a configuration issue?
>>> Am I missing some policy packages or could this be an issue with the
>>> cloud image?

>>> Works fine when I disable SELinux.

>>> Google found this, but it's old and apparently resolved:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=860235

>>> Thanks ...Juerg



>>> _______________________________________________
>>> cloud mailing list
>>> cloud@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


>> There is no SELinux data that you posted.  I don't think your machine is
>> mislabeled.  Doing the /.autorelabel dance is a waste of time.

>> ausearch -m avc,user_avc -ts recent

>> After you have the problem, to see if SELinux posted any error messages.

>> If there are no messages then try to turn off dontaudit rules.

>> semodule -DB
>> Run your test
>> ausearch -m avc,user_avc -ts recent

>>>>
>>>> This is all I get:
>>>>
>>>> time->Mon Mar 24 10:21:18 2014 type=USER_AVC
>>>> msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  {
>>> start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=service
>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


>>> And all of 'ausearch -ts':

>>> time->Mon Mar 24 10:26:21 2014 type=VIRT_MACHINE_ID
>>> msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>>> vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495
>>> img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>> ---- time->Mon Mar 24 10:26:21 2014 type=VIRT_MACHINE_ID
>>> msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>>> vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd"
>>> hostname=? addr=? terminal=? res=success' ---- time->Mon Mar 24
>>> 10:26:21 2014 type=USER_AVC msg=audit(1395656781.044:22607): pid=1
>>> uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0
>>> msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=service
>>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>> ---- time->Mon Mar 24 10:26:21 2014 type=VIRT_RESOURCE
>>> msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu resrc=mem reason=start vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>> ---- time->Mon Mar 24 10:26:21 2014 type=VIRT_RESOURCE
>>> msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu resrc=vcpu reason=start vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>> ---- time->Mon Mar 24 10:26:21 2014 type=VIRT_CONTROL
>>> msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295
>>> ses=4294967295  subj=system_u:system_r:virtd_t:s0-s0:c0.c1023
>>> msg='virt=qemu op=start reason=booted vm="mini"
>>> uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1
>>> exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'


>>>>
>>>>
>>>>
>> And look for messages about virt.

>> This will turn dontaudit rules back on.
>> semodule -B







> That AVC does not seem to be related. What AVC's did you see when you
> disabled the dontaudit rules?


>> There's only one (the last one) with enabled and disabled dontaudit
>> rules:

>> [root@fedora-20 ~]# semodule -DB ; date ; virsh create mini.xml ; ausearch -m avc,user_avc -ts recent | tail -n 9
>> Mon Mar 24 12:44:17 UTC 2014
>> error: Failed to create domain from mini.xml
>> error: Input/output error

>> ---- time->Mon Mar 24 12:42:29 2014 type=USER_AVC
>> msg=audit(1395664949.793:23448): pid=1 uid=0 auid=4294967295
>> ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  {
>> start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
>> tcontext=system_u:system_r:init_t:s0 tclass=service
>> exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> ---- time->Mon Mar 24 12:44:17 2014 type=USER_AVC
>> msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295
>> ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received
>> policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0
>> hostname=? addr=? terminal=?' ---- time->Mon Mar 24 12:44:18 2014
>> type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0
>> auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0
>> msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1
>> scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0
>> tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
>> terminal=?'








If you successfully disabled dontaudit rules, you should be seeing a lot more
messages.

> How do I check that? I issued 'semodule -DB', it took a while to run but didn't return any error.
> Just tried the whole sequence again but all I get is the one USER_AVC message.

> What am I missing?




>
>
>



_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
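
Added example, not part of the thread or of any Fedora tool: a Python parser that flattens reflowed `ausearch -m avc,user_avc` output like the records quoted above and tallies denials by record type, source context, target context, class and permission, keeping non-denial records such as the policy reload notice apart. The names `SAMPLE`, `RECORD`, `DENIAL` and `summarize` are this example's own; the sample text is copied from the records quoted in the thread.

```python
import re
from collections import Counter

# Three records copied from the ausearch output quoted in the thread,
# still wrapped the way the mail archive reflowed them.
SAMPLE = """\
---- time->Mon Mar 24 12:42:29 2014 type=USER_AVC
msg=audit(1395664949.793:23448): pid=1 uid=0 auid=4294967295
ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  {
start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
---- time->Mon Mar 24 12:44:17 2014 type=USER_AVC
msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295
ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received
policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?' ---- time->Mon Mar 24 12:44:18 2014
type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0
auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0
msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1
scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'
"""

# One audit record: type, serial number, and everything up to the next record.
RECORD = re.compile(
    r"type=(\w+) msg=audit\([\d.]+:(\d+)\):(.*?)(?=type=\w+ msg=audit\(|$)")
# A denial, from the kernel (AVC) or a userspace object manager (USER_AVC).
DENIAL = re.compile(
    r"avc: denied \{([^}]*)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def summarize(text):
    """Return (Counter of denials, serials of AVC records that are not denials)."""
    flat = " ".join(text.split())  # undo wrapping and doubled spaces
    denials, notices = Counter(), []
    for rtype, serial, body in RECORD.findall(flat):
        if rtype not in ("AVC", "USER_AVC"):
            continue
        hit = DENIAL.search(body)
        if hit:
            perms, scon, tcon, tclass = hit.groups()
            denials[(rtype, scon, tcon, tclass, tuple(perms.split()))] += 1
        else:
            notices.append(int(serial))  # e.g. "received policyload notice"
    return denials, notices

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted records this yields a single distinct denial, counted twice, and no kernel `AVC` records at all.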
