summary refs log tree commit diff stats
path: root/results/classifier/zero-shot/105/other/2324
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/zero-shot/105/other/2324')
-rw-r--r--results/classifier/zero-shot/105/other/232460
1 files changed, 60 insertions, 0 deletions
diff --git a/results/classifier/zero-shot/105/other/2324 b/results/classifier/zero-shot/105/other/2324
new file mode 100644
index 000000000..40cabdf4f
--- /dev/null
+++ b/results/classifier/zero-shot/105/other/2324
@@ -0,0 +1,60 @@
+other: 0.795
+graphic: 0.718
+instruction: 0.708
+mistranslation: 0.696
+semantic: 0.689
+socket: 0.678
+KVM: 0.666
+assembly: 0.666
+device: 0.664
+network: 0.660
+vnc: 0.623
+boot: 0.595
+
+SELinux is preventing some qemu-kvm operations on CentOS Stream 9
+Description of problem:
+Some operations are being denied by SELinux.
+
+First it was read access on file max_map_count, then open and getattr access on /proc/sys/vm/max_map_count (same file but with full path).
+
+All have been fixed by creating and applying a semodule with the TE policy shown on "Additional Information" below.
+
+```
+May  2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count. For complete SELinux messages run: sealert -l c92d5506-0b40-4bc8-be6a-133fe360014d
+May  2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t 'max_map_count'#012# restorecon -v 'max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed read access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
+
+---
+
+May  3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l 655af27c-6bc7-4278-9aad-7fc99929d24b
+May  3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed open access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
+
+---
+
+May  3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l db78c5b9-3890-44d4-a40e-d4011ad42913
+May  3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count.#012#012*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012*****  Plugin catchall (2.13 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed getattr access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
+
+
+```
+Steps to reproduce:
+1. On a CentOS Stream 9 system with a selinux enforced, create a VM and install an OS with cockpit or with virt-install.    
+        - example with virt-install:    
+                  `virt-install --connect qemu:///system --os-variant centos-stream9 --reinstall ipa03 --wait -1 --location  /mnt/CentOS-Stream9.iso`
+2. Check the SELinux logs, either on cockpit or on /var/log/messages
+Additional information:
+TE module that solved the issue, created with `ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm`
+
+```
+module my-qemukvm 1.1;
+
+require {
+        type sysctl_vm_t;
+        type svirt_t;
+        class file { getattr open read };
+}
+
+#============= svirt_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow svirt_t sysctl_vm_t:file read;
+allow svirt_t sysctl_vm_t:file { getattr open };
+```