On 11/15/2013 09:02 AM, Gabriele Pohl wrote:
> Hi,
>
> I use Munin plugin diskwatch to monitor a KVM-Host and am getting AVC
> denials at access to logical volumes labeled with type "svirt_image_t"
>
> --------- snip ---------
>
> Nov 15 14:33:10 servername setroubleshoot: SELinux is preventing
> /usr/bin/perl from getattr access on the blk_file /dev/dm-2. For complete
> SELinux messages. run sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
>
> # sealert -l 2b08f291-13be-4b09-878a-96cccc4c336d
> SELinux is preventing /usr/bin/perl from getattr access on the blk_file /dev/dm-2.
>
> ***** Plugin restorecon (99.5 confidence) suggests *************************
>
> If you want to fix the label. /dev/dm-2 default label should be
> fixed_disk_device_t. Then you can run restorecon.
> Do
> # /sbin/restorecon -v /dev/dm-2
>
> --------- snip ---------
>
> I set up the guests' disk storage as logical volumes. And all of these are
> labeled with svirt_image_t as you see here:
>
> # ls -lZ /dev/dm*
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-0
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-1
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-10
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-11
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-12
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-13
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-14
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-16
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-17
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-18
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-19
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-2
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-20
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-21
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c119,c1011 /dev/dm-3
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-4
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c272,c985 /dev/dm-5
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-6
> brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c224,c455 /dev/dm-7
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-8
> brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-9
>
> Should I really change the label or will that make problems for qemu? Is it
> ok to grant access privileges to munin_disk_plugin_t?
>
> @drjohnson1: Will you then please add the following rules to the SELinux policy
> of munin-node:
>
> --------------------------------
> module diskwatch-pol 1.0;
>
> require {
>         type svirt_image_t;
>         type munin_disk_plugin_t;
>         class blk_file getattr;
> }
>
> #============= munin_disk_plugin_t ==============
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
> --------------------------------
>
> Thanks for your advice and kind regards,
>
> Gabriele
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The allow rule is the proper thing to add.
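As an added example (not part of the thread, and not munin's or the SELinux project's code), the script below does for this denial what audit2allow does in general: it parses raw AVC lines from audit.log and emits a TE module with the same allow rule Gabriele proposed. The AVC lines are constructed samples mirroring the perl/getattr/blk_file denial in the thread; the source and target types (munin_disk_plugin_t, svirt_image_t) are the ones the sealert output names.

```python
# Added example: a minimal audit2allow-style generator for the denial in this
# thread. Sample AVC lines below are constructed (not from the original mail).
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1384522390.123:456): avc:  denied  { getattr } for  pid=1234 comm="perl" path="/dev/dm-2" dev="devtmpfs" ino=12345 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c119,c1011 tclass=blk_file
type=AVC msg=audit(1384522391.456:457): avc:  denied  { getattr } for  pid=1234 comm="perl" path="/dev/dm-3" dev="devtmpfs" ino=12346 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c119,c1011 tclass=blk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:mls] -> type. The MCS categories (e.g. c119,c1011) are
    sVirt's per-guest label; TE allow rules are type-level, so they are dropped."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def build_module(denials, name="diskwatch-pol", version="1.0"):
    """Render a .te module: require block plus one allow rule per triple."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(denials.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Prints the module; on a host it would be written to diskwatch-pol.te
    print(build_module(parse_denials(SAMPLE_AUDIT)))
```

On the host the generated file is compiled and loaded with checkmodule -M -m -o diskwatch-pol.mod diskwatch-pol.te, semodule_package -o diskwatch-pol.pp -m diskwatch-pol.mod and semodule -i diskwatch-pol.pp; the rule stays type-level, so the per-guest MCS separation between svirt_image_t volumes is untouched.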