Bug 451673 - SELinux prevented qemu-kvm from reading files stored on an NFS filesystem.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-16 16:20 UTC by Martin Nagy
Modified: 2016-07-26 23:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:04:40 UTC



Description Martin Nagy 2008-06-16 16:20:00 UTC
Description of problem:
SELinux is preventing qemu-kvm access to an NFS filesystem when I was installing a
new system and wanted to use a DVD iso for installation, which was placed on an
NFS filesystem.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-55.fc9

How reproducible:
Install a new machine and use a DVD iso placed on an NFS filesystem.
  
Actual results:
Raw Audit Messages:
host=wolverine type=AVC msg=audit(1213015944.378:993): avc: denied { read } for
pid=13007 comm="qemu" name="Fedora-9-i386-DVD.iso" dev=0:16 ino=4398103
scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=file host=wolverine type=SYSCALL msg=audit(1213015944.378:993):
arch=c000003e syscall=2 success=yes exit=4 a0=7fff07efae20 a1=0 a2=1a4
a3=39edf67a70 items=0 ppid=12358 pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu"
subj=unconfined_u:system_r:qemu_t:s0 key=(null) 

Some more:
Raw Audit Messages:
host=wolverine type=AVC msg=audit(1213015944.378:992): avc: denied { read } for
pid=13007 comm="qemu" name="i386" dev=0:16 ino=6956855
scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=lnk_file host=wolverine type=AVC msg=audit(1213015944.378:992): avc:
denied { getattr } for pid=13007 comm="qemu"
path="/mnt/mirror/fedora/9/Fedora/i386/iso/Fedora-9-i386-DVD.iso" dev=0:16
ino=4398103 scontext=unconfined_u:system_r:qemu_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file host=wolverine type=SYSCALL
msg=audit(1213015944.378:992): arch=c000003e syscall=4 success=yes exit=0
a0=7fff07efae20 a1=7fff07ef8410 a2=7fff07ef8410 a3=0 items=0 ppid=12358
pid=13007 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=22 comm="qemu" exe="/usr/bin/qemu"
subj=unconfined_u:system_r:qemu_t:s0 key=(null) 

Expected results:
No such messages.

Additional info:

Comment 1 Daniel Walsh 2008-06-22 12:20:40 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch

Comment 2 Daniel Walsh 2008-11-17 22:04:40 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

