authorChristian Krinitsin <mail@krinitsin.com>2025-05-30 16:52:07 +0200
committerChristian Krinitsin <mail@krinitsin.com>2025-05-30 16:52:17 +0200
commit9260319e7411ff8281700a532caa436f40120ec4 (patch)
tree2f6bfe5f3458dd49d328d3a9eb508595450adec0 /gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml
parent225caa38269323af1bfc2daadff5ec8bd930747f (diff)
gitlab scraper: download in toml and text format
Diffstat (limited to 'gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml')
-rw-r--r--gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml55
1 files changed, 0 insertions, 55 deletions
diff --git a/gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml b/gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml
deleted file mode 100644
index 47b0c1b2b..000000000
--- a/gitlab/issues/target_missing/host_missing/accel_KVM/2324.toml
+++ /dev/null
@@ -1,55 +0,0 @@
-id = 2324
-title = "SELinux is preventing some qemu-kvm operations on CentOS Stream 9"
-state = "opened"
-created_at = "2024-05-03T16:50:08.899Z"
-closed_at = "n/a"
-labels = ["accel: KVM"]
-url = "https://gitlab.com/qemu-project/qemu/-/issues/2324"
-host-os = "CentOS Stream release 9"
-host-arch = "x86_64"
-qemu-version = "qemu-img version 8.2.0 (qemu-kvm-8.2.0-11.el9)"
-guest-os = "CentOS Stream release 9"
-guest-arch = "x86_64"
-description = """Some operations are being denied by SELinux.
-
-First it was read access on file max_map_count, then open and getattr access on /proc/sys/vm/max_map_count (same file but with full path).
-
-All have been fixed by creating and applying a semodule with the TE policy shown on "Additional Information" below.
-
-```
-May  2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count. For complete SELinux messages run: sealert -l c92d5506-0b40-4bc8-be6a-133fe360014d
-May  2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t 'max_map_count'#012# restorecon -v 'max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed read access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
-
----
-
-May  3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l 655af27c-6bc7-4278-9aad-7fc99929d24b
-May  3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed open access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
-
----
-
-May  3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l db78c5b9-3890-44d4-a40e-d4011ad42913
-May  3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed getattr access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
-
-
-```"""
-reproduce = """1. On a CentOS Stream 9 system with a selinux enforced, create a VM and install an OS with cockpit or with virt-install.    
-        - example with virt-install:    
-                  `virt-install --connect qemu:///system --os-variant centos-stream9 --reinstall ipa03 --wait -1 --location  /mnt/CentOS-Stream9.iso`
-2. Check the SELinux logs, either on cockpit or on /var/log/messages"""
-additional = """TE module that solved the issue, created with `ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm`
-
-```
-module my-qemukvm 1.1;
-
-require {
-        type sysctl_vm_t;
-        type svirt_t;
-        class file { getattr open read };
-}
-
-#============= svirt_t ==============
-
-#!!!! This avc is allowed in the current policy
-allow svirt_t sysctl_vm_t:file read;
-allow svirt_t sysctl_vm_t:file { getattr open };
-```"""