Re: [PATCH] Don't use O_TRUNC when opening QEMU logfiles

On Fri, Sep 21, 2012 at 01:00:26PM +0100, Daniel P. Berrange wrote:
> On Fri, Sep 21, 2012 at 12:54:25PM +0100, Richard W.M. Jones wrote:
> > 
> > On Fri, Sep 21, 2012 at 10:39:19AM +0100, Daniel P. Berrange wrote:
> > > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> > > 
> > > SELinux wants all log files opened with O_APPEND. When
> > > running non-root though, libvirtd likes to use O_TRUNC
> > > to avoid log files growing in size indefinitely. Instead
> > > of using O_TRUNC though, we can use O_APPEND and then
> > > call ftruncate() which keeps SELinux happier.
> > 
> > As far as I can see, although this patch doesn't break anything, it
> > doesn't fix the SELinux problem either.  SELinux still prevents qemu
> > from writing to the log.  The AVCs look the same as before:
> > 
> > type=AVC msg=audit(1348227948.158:14174): avc:  denied  { append } for  pid=13139 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-wd6efsxohmy5jd2s.log" dev="dm-5" ino=1870215 scontext=unconfined_u:unconfined_r:svirt_t:s0:c69,c512 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
> > type=AVC msg=audit(1348227948.158:14174): avc:  denied  { append } for  pid=13139 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-wd6efsxohmy5jd2s.log" dev="dm-5" ino=1870215 scontext=unconfined_u:unconfined_r:svirt_t:s0:c69,c512 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
> 
> The target context here is unconfined_u:object_r:cache_home_t:s0 which
> is wrong. The context ought to be virt_home_t instead of cache_home_t.
> Try changing the libvirt directories to have virt_home_t as their type.
> Then my patch ought to do something useful.

This is correct: relabelling the log directory causes the patch to
work.

> We need to check if SELinux policy knows about $HOME/.cache/libvirt
> and $HOME/.config/libvirt, or whether it still only considers the
> old location of $HOME/.libvirt

I've filed a bug against SELinux:

https://bugzilla.redhat.com/show_bug.cgi?id=859395

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
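The O_APPEND-then-ftruncate() approach from the commit message quoted above, as an added C example that is not libvirt's own code: the function names and the log path are hypothetical, and the point it shows is that a second open with truncation discards the old contents while the descriptor itself only ever carries O_APPEND.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'path' for logging with O_APPEND and never O_TRUNC. When 'truncate_first'
 * is set, existing contents are discarded with ftruncate() after the open, which
 * gives the non-root "don't grow forever" behaviour without an O_TRUNC open.
 * Hypothetical helper; returns the fd, or -1 on error. */
int open_logfile(const char *path, int truncate_first)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (truncate_first && ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Append one line to an open log fd; returns 0 on success. */
int log_line(int fd, const char *line)
{
    size_t len = strlen(line);
    return write(fd, line, len) == (ssize_t)len ? 0 : -1;
}

/* Report whether an fd carries O_APPEND, the open mode the AVC above is
 * checking as the { append } permission. */
int fd_is_append(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl >= 0 && (fl & O_APPEND) != 0;
}

/* Current size of the file at 'path', or -1. */
long log_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```

Whether the write is actually permitted still depends on the directory's label, which is the cache_home_t versus virt_home_t point made in the thread.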

