From: Eric Paris <eparis@redhat.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, SELinux <selinux@tycho.nsa.gov>
Subject: Re: svirt on MLS has strange AVC.
Date: Mon, 22 Mar 2010 19:47:52 -0400
Message-ID: <1269301672.2911.31.camel@localhost>
In-Reply-To: <4BA7E4BF.1040002@redhat.com>

On Mon, 2010-03-22 at 17:44 -0400, Daniel J Walsh wrote:
> time->Mon Mar 22 17:31:49 2010
> type=SYSCALL msg=audit(1269293509.223:4753): arch=c000003e syscall=1 
> success=no exit=-13 a0=11 a1=1d2a9c8 a2=10 a3=fffffff2 items=0 ppid=1 
> pid=28549 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 
> sgid=107 fsgid=107 tty=(none) ses=7 comm="qemu-kvm" 
> exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c1 key=(null)
> type=AVC msg=audit(1269293509.223:4753): avc:  denied  { write } for  
> pid=28549 comm="qemu-kvm" path="socket:[4417531]" dev=sockfs ino=4417531 
> scontext=system_u:system_r:svirt_t:s0:c1 
> tcontext=system_u:system_r:svirt_t:s0-s15:c0.c1023 tclass=unix_stream_socket
> 
> I have Static Virtualization working on an MLS box except for this 
> strange AVC.
> 
> This looks like the kernel is confused?  I believe that all svirt 
> processes are running as s0:c1 and yet this AVC indicates svirt_t:s0.c1 
> is trying to write to a unix_stream_socket running as 
> svirt_t:s0-s15:c0.c1023.
> 
> # ps -eZ | grep virt
> system_u:system_r:virtd_t:s0-s15:c0.c1023 27344 ? 05:34:47 libvirtd
> system_u:system_r:svirt_t:s0:c1 28549 ?        00:00:01 qemu-kvm
> 
> Could the kernel be getting confused in to thinking libvirtd is svirt_t?
> 
> # ls -lZ /proc/28549/fd/ | grep 4417531
> lrwx------. qemu qemu system_u:system_r:svirt_t:s0:c1  17 -> 
> socket:[4417531]
> 
>   lsof | grep 4417531
> qemu-kvm  28549      qemu   17u     unix 0xffff88003e1f7900       0t0    
> 4417531 /var/lib/libvirt/qemu/xguest.monitor
> 
> # lsof /var/lib/libvirt/qemu/xguest.monitor
> COMMAND    PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
> qemu-kvm 28549 qemu    3u  unix 0xffff88003a853000      0t0 4417518 
> /var/lib/libvirt/qemu/xguest.monitor
> qemu-kvm 28549 qemu   17u  unix 0xffff88003e1f7900      0t0 4417531 
> /var/lib/libvirt/qemu/xguest.monitor
> 
> So it looks like we have a process that is running as both labels?

This is a check between the type of the process and that of the socket
itself, not between 2 processes.  So, the type of the socket is wrong.
Just as a question, what does ls -lZ /var/lib/libvirt/qemu/ show?
c0-c1023 for xguest.monitor?  What created that socket?  Did they get it
correct?  (I admit it looks correct on my F13ish system)

-Eric
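The point Eric makes above is that the AVC compares the label of the process with the label of the socket object itself, so the place to look is how the socket got its label, not for a second process. The following is an added triage script, not code from this thread or from libvirt/SELinux: it parses AVC records, splits the source and target contexts into user/role/type/MLS range, and reports whether a denial is a type mismatch or, as here, the same type with a differing MLS range. The first sample record is the AVC from Daniel's mail reassembled onto one line (his mail client wrapped it); the second record and the verdict names are constructed for this example.

```python
import re

# Sample audit lines.  The first is the AVC quoted in the thread, rejoined onto
# one line.  The second is CONSTRUCTED for contrast: a plain type-enforcement
# mismatch with identical MLS levels on both sides.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1269293509.223:4753): avc:  denied  { write } for  '
    'pid=28549 comm="qemu-kvm" path="socket:[4417531]" dev=sockfs ino=4417531 '
    'scontext=system_u:system_r:svirt_t:s0:c1 '
    'tcontext=system_u:system_r:svirt_t:s0-s15:c0.c1023 tclass=unix_stream_socket',
    # constructed record (not from the thread)
    'type=AVC msg=audit(1269293600.000:4800): avc:  denied  { read } for  '
    'pid=4242 comm="example" path="/tmp/example.sock" dev=sockfs ino=1 '
    'scontext=system_u:system_r:svirt_t:s0:c1 '
    'tcontext=system_u:system_r:virtd_t:s0:c1 tclass=unix_stream_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus the denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def split_context(ctx):
    """'user:role:type:range' -> dict.  The range itself may contain ':'."""
    user, role, type_, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_,
            'range': rest[0] if rest else None}


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0:c1,c5' -> (0, {1, 5}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(':')
    sensitivity = int(sens[1:])
    categories = set()
    for part in (cats.split(',') if cats else []):
        lo, _, hi = part.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return sensitivity, categories


def dominates(a, b):
    """MLS dominance: a is at least b's sensitivity and has a superset of its categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(mls):
    """'low-high' -> (low_level, high_level); a single level is its own low and high."""
    low, _, high = mls.partition('-')
    return parse_level(low), parse_level(high or low)


def triage(rec):
    """Classify a denial by comparing the process label with the object label."""
    s = split_context(rec['scontext'])
    t = split_context(rec['tcontext'])
    if s['type'] != t['type']:
        return {'verdict': 'type-mismatch'}
    if s['range'] is None or t['range'] is None:
        return {'verdict': 'no-mls-range'}
    if s['range'] == t['range']:
        return {'verdict': 'same-label'}
    # Same type but a different MLS range: type enforcement permitted this
    # pairing, so the denial comes from the MLS side.  Record whether the
    # process level falls inside the object's range to guide the next question
    # (who labeled the object, and with what range?).
    s_low, s_high = parse_range(s['range'])
    t_low, t_high = parse_range(t['range'])
    within = dominates(s_low, t_low) and dominates(t_high, s_high)
    return {'verdict': 'mls-range-mismatch', 'source_within_target_range': within}


if __name__ == '__main__':
    for line in SAMPLE_AUDIT:
        rec = parse_avc(line)
        print(rec['comm'], rec['perms'], rec['tclass'], triage(rec))
```

Run on the thread's record this reports `mls-range-mismatch` with the process level s0:c1 inside the socket's s0-s15:c0.c1023 range, which matches Eric's reading: the type pairing svirt_t to svirt_t is fine, and the question is why the socket carries the full range instead of the guest's level. Feeding it the AVC lines from the audit log gives the same split for every denial on the box.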


