Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm
now seeing errors when running a virtual machine via KVM.
The image was created in virt-install quite a while ago:
-rwxr-xr-x root root system_u:object_r:xen_image_t XP1
However, after changing to enforcing mode I saw lots of these errors:
Summary:
SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1 (xen_image_t).
Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/xen/images/XP1,
restorecon -v '/var/lib/xen/images/XP1'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:qemu_t
Target Context user_u:object_r:xen_image_t
Target Objects /var/lib/xen/images/XP1 [ file ]
Source qemu-kvm
Source Path /usr/bin/qemu-kvm
Port <Unknown>
Host saintloup.smith.man.ac.uk
Source RPM Packages kvm-65-7.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-64.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name saintloup.smith.man.ac.uk
Platform Linux saintloup.smith.man.ac.uk 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64
Alert Count 105
First Seen Tue 24 Jun 2008 11:14:08 BST
Last Seen Tue 24 Jun 2008 11:15:23 BST
Local ID ae1ef75a-23f4-495d-af20-604d56fa2cde
Line Numbers
Raw Audit Messages
host=saintloup.smith.man.ac.uk type=AVC msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827 comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 scontext=system_u:system_r:qemu_t:s0 tcontext=user_u:object_r:xen_image_t:s0 tclass=file
host=saintloup.smith.man.ac.uk type=SYSCALL msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
I received a permission denied error when I tried manually to change the
file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do
anything.
Adam
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
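As an added example (not from Adam's post, setroubleshoot or the Fedora policy), a small Python parser that takes the two raw audit records quoted in the post, pairs the AVC record with its SYSCALL record by the audit serial, and pulls out the fields a responder reads first: the source domain, the target type and seuser, the denied permission and object class, and the syscall's exit code. The input records are constructed from the post (re-joined one per line) and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: the two raw audit records quoted in the post, re-joined one per line.
AVC_LINE = (
    'host=saintloup.smith.man.ac.uk type=AVC msg=audit(1214302523.807:45871): avc: '
    'denied { write } for pid=6827 comm="qemu-kvm" path="/var/lib/xen/images/XP1" '
    'dev=dm-6 ino=2621983 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=user_u:object_r:xen_image_t:s0 tclass=file'
)
SYSCALL_LINE = (
    'host=saintloup.smith.man.ac.uk type=SYSCALL msg=audit(1214302523.807:45871): '
    'arch=c000003e syscall=1 success=no exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 '
    'ppid=3284 pid=6827 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" '
    'subj=system_u:system_r:qemu_t:s0 key=(null)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value; value may be "quoted" or (bare)
SERIAL_RE = re.compile(r'audit\((\d+\.\d+:\d+)\)')     # timestamp:serial shared by AVC and SYSCALL
PERMS_RE = re.compile(r'denied\s*\{([^}]*)\}')         # the { perm ... } set of an AVC record

def parse_record(line):
    """Turn one audit record into a dict of its fields (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    serial, perms = SERIAL_RE.search(line), PERMS_RE.search(line)
    if serial:
        rec['serial'] = serial.group(1)
    if perms:
        rec['perms'] = perms.group(1).split()
    return rec

def summarize_denials(lines):
    """Pair each AVC record with its SYSCALL record by serial and pull out what matters."""
    by_serial = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if 'serial' in rec:
            by_serial[rec['serial']][rec['type']] = rec
    out = []
    for serial, recs in by_serial.items():
        if 'AVC' in recs:
            avc, sc = recs['AVC'], recs.get('SYSCALL', {})
            src, tgt = avc['scontext'].split(':'), avc['tcontext'].split(':')  # user:role:type:level
            out.append({'serial': serial, 'path': avc.get('path'), 'comm': avc.get('comm'),
                        'source_domain': src[2], 'target_user': tgt[0], 'target_type': tgt[2],
                        'tclass': avc['tclass'], 'perms': avc['perms'],
                        'exit': int(sc['exit']) if 'exit' in sc else None,  # -13 is EACCES
                        'enforced': sc.get('success') == 'no'})
    return out
```

Run over the two records above it reports qemu_t denied write on a file of type xen_image_t whose seuser is user_u, with the write(2) call returning EACCES, which is the mismatch the ls output and the AVC disagree on.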