On Wed, Mar 26, 2014 at 9:09 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
> After you run
>
> semodule -DB
>
> Does
>
> sesearch --dontaudit
>
> give you any output?

'sesearch --dontaudit' after 'semodule -B' returns a list with 7646 lines.
'sesearch --dontaudit' after 'semodule -DB' returns nothing:

[root@fedora-20 fedora]# semodule -DB
[root@fedora-20 fedora]# sesearch --dontaudit
[root@fedora-20 fedora]#

> On 03/25/2014 03:44 AM, Juerg Haefliger wrote:
>> On Mon, Mar 24, 2014 at 4:22 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>> On 03/24/2014 08:44 AM, Juerg Haefliger wrote:
>>>> On Mon, Mar 24, 2014 at 1:14 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>>>> On 03/24/2014 06:28 AM, Juerg Haefliger wrote:
>>>>>> On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <jue...@gmail.com> wrote:
>>>>>>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>>>>>>> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I started a VM using the official F20 cloud image, installed libvirt
>>>>>>>>> and its dependencies and tried to create a guest but SELinux won't let
>>>>>>>>> me:
>>>>>>>>>
>>>>>>>>> [root@fedora-20 ~]# virsh create mini.xml
>>>>>>>>> error: Failed to create domain from mini.xml
>>>>>>>>> error: Input/output error
>>>>>>>>>
>>>>>>>>> [root@fedora-20 ~]# journalctl | tail
>>>>>>>>> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
>>>>>>>>> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
>>>>>>>>> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
>>>>>>>>>
>>>>>>>>> [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
>>>>>>>>> 2014-03-21 14:23:06.740+0000: starting up
>>>>>>>>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
>>>>>>>>> 2014-03-21 14:23:06.744+0000: shutting down
>>>>>>>>>
>>>>>>>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>>>>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>>>>> type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>>>>> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>>>>> type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>>>>> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>>>>>>>>>
>>>>>>>>> I'm not overly familiar with SELinux. Is this a configuration issue?
>>>>>>>>> Am I missing some policy packages or could this be an issue with the
>>>>>>>>> cloud image?
>>>>>>>>>
>>>>>>>>> Works fine when I disable SELinux.
>>>>>>>>>
>>>>>>>>> Google found this, but it's old and apparently resolved:
>>>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=860235
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> ...Juerg
>>>>>>>>
>>>>>>>> There is no SELinux data that you posted. I don't think your machine is
>>>>>>>> mislabeled. Doing the /.autorelabel dance is a waste of time.
>>>>>>>>
>>>>>>>> ausearch -m avc,user_avc -ts recent
>>>>>>>>
>>>>>>>> After you have the problem, to see if SELinux posted any error messages.
>>>>>>>>
>>>>>>>> If there are no messages then try to turn off dontaudit rules.
>>>>>>>>
>>>>>>>> semodule -DB
>>>>>>>> Run your test
>>>>>>>> ausearch -m avc,user_avc -ts recent
>>>>>>>
>>>>>>> This is all I get:
>>>>>>>
>>>>>>> time->Mon Mar 24 10:21:18 2014
>>>>>>> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>>
>>>>>> And all of 'ausearch -ts':
>>>>>>
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>> ----
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>> ----
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>>>> ----
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>> ----
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>>>>>> ----
>>>>>> time->Mon Mar 24 10:26:21 2014
>>>>>> type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>>>>>>>>
>>>>>>>> And look for messages about virt.
>>>>>>>>
>>>>>>>> This will turn dontaudit rules back on.
>>>>>>>> semodule -B
>>>>>
>>>>> That AVC does not seem to be related. What AVCs did you see when you
>>>>> disabled the dontaudit rules?
>>>>
>>>> There's only one (the last one) with enabled and disabled dontaudit
>>>> rules:
>>>>
>>>> [root@fedora-20 ~]# semodule -DB ; date ; virsh create mini.xml ; ausearch -m avc,user_avc -ts recent | tail -n 9
>>>> Mon Mar 24 12:44:17 UTC 2014
>>>> error: Failed to create domain from mini.xml
>>>> error: Input/output error
>>>>
>>>> ----
>>>> time->Mon Mar 24 12:42:29 2014
>>>> type=USER_AVC msg=audit(1395664949.793:23448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>> ----
>>>> time->Mon Mar 24 12:44:17 2014
>>>> type=USER_AVC msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>> ----
>>>> time->Mon Mar 24 12:44:18 2014
>>>> type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>>>
>>> If you successfully disabled dontaudit rules, you should be seeing a lot
>>> more messages.
>>
>> How do I check that? I issued 'semodule -DB', it took a while to run but
>> didn't return any error.
>>
>> Just tried the whole sequence again but all I get is the one USER_AVC
>> message.
>>
>> What am I missing?
_______________________________________________ cloud mailing list cloud@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
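Editor's added example, not code from the thread or from any Fedora, libvirt or SELinux project. It scripts the sequence Dan asked for (semodule -DB, run the failing command, ausearch -m avc,user_avc -ts recent, semodule -B) with the check he wanted in the last mail: after semodule -DB, 'sesearch --dontaudit' must print nothing, or the rebuild without dontaudit rules did not take. It also summarises the records, because the denial in the thread is a USER_AVC from pid 1: systemd does its own SELinux check on the 'service' class and logs it through the audit socket, so 'ausearch -m avc' alone would miss it and 'user_avc' has to be in the list. The sample records are constructed for the example (the two USER_AVC lines copy the shapes from the thread; the kernel AVC line, its file name, device and inode are made up); avc_denials and avc_trace are this example's own function names.

```shell
#!/bin/sh
# Added example: summarise SELinux denials from raw audit records and wrap
# the dontaudit-off / test / dontaudit-on sequence with a sanity check.

# Constructed sample input. Record 1 is a systemd USER_AVC denial as in the
# thread, record 2 is the policyload notice that semodule -DB produces (not
# a denial, must be skipped), record 3 is a made-up kernel AVC of the shape
# a file denial against a guest image would have.
sample_audit() {
cat <<'EOF'
type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1395665060.123:23470): avc:  denied  { read write } for  pid=6856 comm="qemu-system-x86" name="mini.img" dev="vda1" ino=4242 scontext=system_u:system_r:svirt_tcg_t:s0:c728,c986 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
EOF
}

# stdin: raw audit records (kernel AVC or USER_AVC, one per line).
# stdout: "<count> <source type> <target type> <class> <permission>", one
# line per distinct denial, most frequent first. Notices and successes
# are dropped because only lines containing "avc: denied" are kept.
avc_denials() {
    grep 'avc: *denied' |
    sed -n 's/.*denied *{ *\([^}]*\)} .*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    while read -r sctx tctx tclass perms; do
        # user:role:type[:range] -> type, e.g. system_u:system_r:init_t:s0 -> init_t
        stype=$(printf '%s\n' "$sctx" | cut -d: -f3)
        ttype=$(printf '%s\n' "$tctx" | cut -d: -f3)
        # a kernel AVC may list several permissions inside one { }
        for p in $perms; do
            printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$p"
        done
    done | sort | uniq -c | sort -rn
}

# Real-host wrapper: needs root and an SELinux policy store, so it is not
# exercised by the demo below. 'sesearch --dontaudit' printing nothing is
# the proof that the policy now loaded has no dontaudit rules; if it still
# prints rules, silently suppressed denials are still being suppressed and
# the ausearch output would be as empty as in the thread. '-ts recent' is
# ausearch's "last ten minutes". Usage: avc_trace virsh create mini.xml
avc_trace() {
    semodule -DB || return 1
    if [ -n "$(sesearch --dontaudit 2>/dev/null)" ]; then
        echo 'dontaudit rules still present after semodule -DB' >&2
        semodule -B
        return 1
    fi
    "$@"                                             # the failing command
    ausearch -m avc,user_avc -ts recent 2>/dev/null | avc_denials
    semodule -B                                      # dontaudit rules back on
}

# Stand-alone demo on the constructed sample: ./avc_trace.sh --demo
if [ "$1" = "--demo" ]; then
    sample_audit | avc_denials
fi
```

On the sample this prints three lines: init_t to init_t on class service for start (the thread's denial), and svirt_tcg_t to virt_image_t on class file for read and for write; the policyload notice is not counted.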