Ask Your Question
0

Abrt reports : SELinux report is preventing qemu-system-x86

asked 2017-06-08 10:47:55 -0500

lucodealethea gravatar image

0 SElinux is set to permissive

1 ABRT reports "SELinux report is preventing qemu-system-x86" on whatever images .qcow2 or .img internally installed diskdrive

2 ABRT proposal to fix is sudo ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86

3 But Fails > results in compilation failed: my-qemusystemx86.te:16:ERROR 'syntax error' at token 'mlsconstrain' on line 16: mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcsconstrainedtype -Fail-) ); Constraint DENIEDmlsconstrain file { ioctl read lock execute executenotrans } ((h1 dom h2 -Fail-) or (t1 != mcsconstrainedtype -Fail-) ); Constraint DENIED

Bug has already been reported to bugzilla

What are the inners of this failure ?

Cheers,

Luc

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-06-08 12:01:52 -0500

villykruse gravatar image

It would be interesting to see the output from running

ausearch -c qemu-system-x86' --raw

However, the bugzilla report is rather old, so the data is probably long gone.

Reading the bugzilla report I find the raw avc report, which is the expected output from the ausearch command:

type=AVC msg=audit(1485837026.996:278): avc:  denied  { read } for  pid=2397 comm="qemu-system-x86" name="XP" dev="dm-2" ino=36045376 scontext=system_u:system_r:svirt_t:s0:c347,c863 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=dir permissive=0

This line I could (after saving it to a file "/tmp/xxx") provides as input to the audit2allow command:

audit2allow < /tmp/xxx -M my_testing

and the resulting of my_testing.te is:


module my_testing 1.0;

require {
    type samba_share_t;
    type svirt_t;
    class dir read;
}

#============= svirt_t ==============

#!!!! This avc is allowed in the current policy
allow svirt_t samba_share_t:dir read;

Thus, I beleive that there was something in the audit logfile which confused the ausearch command.

By the way: The qcow images are usually placed in /var/lib/libvirt/images and will be labeled systemu:objectr:virtimaget:s0 ( use ls -lZ to see the file se-linux label for the files.)

And don't expect the bugzilla report will be resolved any time soon. The backlog of se-linux issues are very big.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-06-08 10:47:55 -0500

Seen: 120 times

Last updated: Jun 08 '17