blob: 5f1c617d915dd670fe7e340889ed1a4de61a6ee1 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
register: 0.721
graphic: 0.718
mistranslation: 0.696
hypervisor: 0.691
semantic: 0.689
debug: 0.688
TCG: 0.688
ppc: 0.687
performance: 0.685
PID: 0.679
socket: 0.678
permissions: 0.677
KVM: 0.666
assembly: 0.666
peripherals: 0.666
device: 0.664
VMM: 0.661
network: 0.660
kernel: 0.659
virtual: 0.657
arm: 0.657
x86: 0.651
risc-v: 0.648
architecture: 0.645
files: 0.639
user-level: 0.631
vnc: 0.623
i386: 0.601
boot: 0.595
SELinux is preventing some qemu-kvm operations on CentOS Stream 9
Description of problem:
Some operations are being denied by SELinux.
First it was read access on file max_map_count, then open and getattr access on /proc/sys/vm/max_map_count (same file but with full path).
All have been fixed by creating and applying a semodule with the TE policy shown on "Additional Information" below.
```
May 2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count. For complete SELinux messages run: sealert -l c92d5506-0b40-4bc8-be6a-133fe360014d
May 2 18:01:00 rd02 setroubleshoot[14757]: SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.#012#012***** Plugin qemu_file_image (98.8 confidence) suggests *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t 'max_map_count'#012# restorecon -v 'max_map_count'#012#012***** Plugin catchall (2.13 confidence) suggests **************************#012#012If you believe that qemu-kvm should be allowed read access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
---
May 3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l 655af27c-6bc7-4278-9aad-7fc99929d24b
May 3 10:24:58 rd02 setroubleshoot[3981]: SELinux is preventing /usr/libexec/qemu-kvm from open access on the file /proc/sys/vm/max_map_count.#012#012***** Plugin qemu_file_image (98.8 confidence) suggests *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012***** Plugin catchall (2.13 confidence) suggests **************************#012#012If you believe that qemu-kvm should be allowed open access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
---
May 3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count. For complete SELinux messages run: sealert -l db78c5b9-3890-44d4-a40e-d4011ad42913
May 3 10:41:17 rd02 setroubleshoot[6894]: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /proc/sys/vm/max_map_count.#012#012***** Plugin qemu_file_image (98.8 confidence) suggests *******************#012#012If max_map_count is a virtualization target#012Then you need to change the label on max_map_count'#012Do#012# semanage fcontext -a -t virt_image_t '/proc/sys/vm/max_map_count'#012# restorecon -v '/proc/sys/vm/max_map_count'#012#012***** Plugin catchall (2.13 confidence) suggests **************************#012#012If you believe that qemu-kvm should be allowed getattr access on the max_map_count file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
```
Steps to reproduce:
1. On a CentOS Stream 9 system with a selinux enforced, create a VM and install an OS with cockpit or with virt-install.
- example with virt-install:
`virt-install --connect qemu:///system --os-variant centos-stream9 --reinstall ipa03 --wait -1 --location /mnt/CentOS-Stream9.iso`
2. Check the SELinux logs, either on cockpit or on /var/log/messages
Additional information:
TE module that solved the issue, created with `ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm`
```
module my-qemukvm 1.1;
require {
type sysctl_vm_t;
type svirt_t;
class file { getattr open read };
}
#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t sysctl_vm_t:file read;
allow svirt_t sysctl_vm_t:file { getattr open };
```
|