Hi, I found the messages below in the audit log:
[root@gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
[root@gfs1 ~]#

On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <s.kie...@mittwald.de> wrote:
> Well I doubt this is a solution to this,
> anyway, if you want to check if it's a permission error
> due to not correctly configured selinux you
> could do:
>
> grep "avc" /var/log/auditd/auditd.log
>
> and configure your selinux correctly, no need to disable it.
>
> But I doubt that the "VM can spoof the ip address"
>
> you can configure it, sure, but you should not be able
> to access anything outside of the vm.
>
> another way to set this up, is, to configure the filter
> vdsm-no-mac-spoofing for each vm
> and to configure your network to not allow any other ip-packages
> from the given mac, and assign well known macs to each vm.
> you can also add vlans and proper subnetting to the mix to make
> it more secure.
>
> On 27.06.2014 11:16, Antoni Segura Puimedon wrote:
> > Did you try to disable SELinux with "setenforce 0" to see if the problem
> > is one of secure contexts?
>
> --
> Kind regards / Regards
>
> Sven Kieske
>
> System Administrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Managing Director: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users