[Leaplist] minor issue w/ SELinux & /dev/kvm ....
William A. Mahaffey III
wam at hiwaay.net
Thu May 14 09:40:07 EDT 2009
.... I installed the kvm package (kernel virtualization machine) for my
64 bit FC7 (fully/terminally patched up at the same time) a week or 2
ago. Since then I have been getting a lot of the following in my syslog
file:
May 14 07:45:04 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:877 for /archive (/archive)
May 14 07:45:04 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:878 for /home (/home)
May 14 07:45:04 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:885 for /home (/home)
May 14 07:45:04 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:886 for /archive (/archive)
May 14 07:45:06 Q6600 setroubleshoot: SELinux is preventing
/usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device /dev/kvm.
For complete SELinux messages. run sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
May 14 07:45:06 Q6600 last message repeated 3 times
May 14 07:47:06 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 07:50:53 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 07:54:40 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 07:57:34 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:943 for /archive (/archive)
May 14 07:57:34 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:944 for /home (/home)
May 14 07:57:34 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:951 for /home (/home)
May 14 07:57:34 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:952 for /archive (/archive)
May 14 07:57:36 Q6600 setroubleshoot: SELinux is preventing
/usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device /dev/kvm.
For complete SELinux messages. run sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
May 14 07:57:36 Q6600 last message repeated 3 times
May 14 07:58:27 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:02:14 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:05:52 Q6600 mountd[3100]: authenticated mount request from
ATHLONCUBE.CFD.COM:858 for /archive (/archive)
May 14 08:05:52 Q6600 mountd[3100]: authenticated mount request from
ATHLONCUBE.CFD.COM:778 for /home (/home)
May 14 08:05:54 Q6600 setroubleshoot: SELinux is preventing
/usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device /dev/kvm.
For complete SELinux messages. run sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
May 14 08:05:54 Q6600 last message repeated 3 times
May 14 08:06:01 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:08:34 Q6600 mountd[3100]: authenticated mount request from
OPTY165A.CFD.COM:638 for /archive (/archive)
May 14 08:08:34 Q6600 mountd[3100]: authenticated mount request from
OPTY165A.CFD.COM:641 for /home (/home)
May 14 08:08:36 Q6600 setroubleshoot: SELinux is preventing
/usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device /dev/kvm.
For complete SELinux messages. run sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
May 14 08:08:36 Q6600 last message repeated 3 times
May 14 08:09:48 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:13:36 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:17:23 Q6600 mountd[3100]: authenticated unmount request from
ATHLONCUBE.CFD.COM:870 for /archive (/archive)
May 14 08:17:23 Q6600 mountd[3100]: authenticated unmount request from
ATHLONCUBE.CFD.COM:879 for /home (/home)
May 14 08:17:26 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:17:34 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:636 for /archive (/archive)
May 14 08:17:34 Q6600 mountd[3100]: authenticated unmount request from
DARKSTAR.CFD.COM:637 for /home (/home)
May 14 08:17:34 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:644 for /home (/home)
May 14 08:17:34 Q6600 mountd[3100]: authenticated mount request from
DARKSTAR.CFD.COM:645 for /archive (/archive)
May 14 08:17:36 Q6600 setroubleshoot: SELinux is preventing
/usr/sbin/rpc.mountd (nfsd_t) "getattr" access to device /dev/kvm.
For complete SELinux messages. run sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
May 14 08:17:36 Q6600 last message repeated 3 times
May 14 08:21:16 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:25:06 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
May 14 08:26:53 Q6600 mountd[3100]: authenticated unmount request from
OPTY165A.CFD.COM:731 for /archive (/archive)
May 14 08:26:53 Q6600 mountd[3100]: authenticated unmount request from
OPTY165A.CFD.COM:737 for /home (/home)
May 14 08:28:55 Q6600 automount[2843]: expire_indirect: fstat failed:
Bad file descriptor
It looks like interference between SELinux & mountd which is trying to
access /dev/kvm, the device for the kvm package. I ran the recommended
sealert & get:
[root at Q6600:/etc, Thu May 14, 08:29 AM] 1074 # sealert -l
8cc997da-0336-4f93-aac1-bd35f3118a84
Summary
SELinux is preventing /usr/sbin/rpc.mountd (nfsd_t) "getattr" access to
device /dev/kvm.
Detailed Description
SELinux has denied the /usr/sbin/rpc.mountd (nfsd_t) "getattr" access to
device /dev/kvm. /dev/kvm is mislabeled, this device has the default label
of the /dev directory, which should not happen. All Character and/or Block
Devices should have a label. You can attempt to change the label of the file
using restorecon -v /dev/kvm. If this device remains labeled device_t, then
this is a bug in SELinux policy. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/kvm, you can use
chcon -t SIMILAR_TYPE /dev/kvm, If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/kvm If the
restorecon changes the context, this indicates that the application that
created the device, created it without using SELinux APIs. If you can
figure out which application created the device, please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
application.
Allowing Access
Attempt restorecon -v /dev/kvm or chcon -t SIMILAR_TYPE /dev/kvm
Additional Information
Source Context system_u:system_r:nfsd_t
Target Context system_u:object_r:device_t
Target Objects /dev/kvm [ chr_file ]
Affected RPM Packages nfs-utils-1.1.0-4.fc7 [application]
Policy RPM selinux-policy-2.6.4-70.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.device
Host Name Q6600
Platform Linux Q6600 2.6.23.17-88.fc7 #1 SMP Thu May 15
00:02:29 EDT 2008 x86_64 x86_64
Alert Count 4320
First Seen Sun May 3 11:49:48 2009
Last Seen Thu May 14 08:30:05 2009
Local ID 8cc997da-0336-4f93-aac1-bd35f3118a84
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="rpc.mountd" dev=tmpfs egid=0 euid=0
exe="/usr/sbin/rpc.mountd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/dev/kvm" pid=3100 scontext=system_u:system_r:nfsd_t:s0 sgid=0
subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
[root at Q6600:/etc, Thu May 14, 08:32 AM] 1075 # uname -a
Linux Q6600 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:02:29 EDT 2008 x86_64
x86_64 x86_64 GNU/Linux
which seems to suggest relabelling /dev/kvm as something else to shut
SELinux up and/or allow the access. I tried the restorecon a few days
ago & no help. I don't want to allow the access (& don't think mountd
really needs it for anything) & don't want to relabel lest that mess up
kvm. Is there a rule to tell SELinux to continue disallowing the access,
but just shut up about it :-) ? Failing that, can I tell mountd to
ignore that device ? TIA ....
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
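The question asked above, a rule that keeps denying the access but stops
the alerts, corresponds to an SELinux dontaudit rule. The script below is an
added example, not code from the original post, from Fedora, or from the
setroubleshoot/SELinux projects. It parses the raw AVC line printed by
sealert in the post and emits the .te source for a loadable policy module
containing only a dontaudit rule (no allow rule). The set of "generic"
fallback types it warns about is our own assumption, chosen because the
sealert text itself describes device_t as the default label of /dev. The
checkmodule / semodule_package / semodule commands in the trailing comment
are the standard ones for building and loading a module from .te source.

```python
"""Turn an SELinux AVC denial into a dontaudit policy module source.

Added example, not part of the original mailing-list post. It parses the
raw audit line shown in the post's sealert output and writes the .te
source for a module that silences (but does not allow) the access.
"""
import re
from dataclasses import dataclass

# Constructed copy of the raw AVC line from the post, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { getattr } for comm="rpc.mountd" dev=tmpfs egid=0 euid=0 '
    'exe="/usr/sbin/rpc.mountd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'path="/dev/kvm" pid=3100 scontext=system_u:system_r:nfsd_t:s0 sgid=0 '
    'subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=chr_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0'
)

# Fallback types (assumption: this list is ours; sealert itself calls
# device_t the default label of /dev). A dontaudit rule keyed on one of
# these silences far more than the single device named in the denial.
GENERIC_TARGET_TYPES = {"device_t", "unlabeled_t", "file_t"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple
    comm: str
    path: str
    source_type: str
    target_type: str
    tclass: str


def _type_of(context):
    # An SELinux context is user:role:type[:range]; the type is field 3.
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one 'avc: denied {...}' record into an AvcDenial."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms = tuple(m.group(1).split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record lacks %s" % required)
    return AvcDenial(
        perms=perms,
        comm=fields.get("comm", ""),
        path=fields.get("path", ""),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields["tclass"],
    )


def is_generic_type(selinux_type):
    return selinux_type in GENERIC_TARGET_TYPES


def dontaudit_module(denials, name, version="1.0"):
    """Render .te source: one dontaudit rule per denial, no allow rules.

    dontaudit only suppresses the audit record; the access stays denied.
    """
    types, classes, rules = set(), {}, []
    for d in denials:
        types.update((d.source_type, d.target_type))
        classes.setdefault(d.tclass, set()).update(d.perms)
        rules.append("dontaudit %s %s:%s { %s };" % (
            d.source_type, d.target_type, d.tclass, " ".join(sorted(d.perms))))
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


def warnings_for(denials):
    """Caveats to read before loading the module: rules key on type, not path."""
    out = []
    for d in denials:
        if is_generic_type(d.target_type):
            out.append(
                "rule for %s is keyed on type %s, not on path %s: it silences "
                "%s %s on every object carrying that fallback label"
                % (d.comm or d.source_type, d.target_type, d.path,
                   d.tclass, "/".join(d.perms)))
    return out


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(dontaudit_module([denial], "mountd_kvm_dontaudit"))
    for w in warnings_for([denial]):
        print("# WARNING:", w)
    # Build and load (save the printed source as mountd_kvm_dontaudit.te):
    #   checkmodule -M -m -o mountd_kvm_dontaudit.mod mountd_kvm_dontaudit.te
    #   semodule_package -o mountd_kvm_dontaudit.pp -m mountd_kvm_dontaudit.mod
    #   semodule -i mountd_kvm_dontaudit.pp
```

For the denial in the post the generated rule is keyed on device_t, which
is exactly why the script warns: because /dev/kvm only carries device_t
through mislabeling, the dontaudit would also hide any other nfsd_t getattr
on any other unlabeled device node, so the noise goes away but so does the
signal that would reveal the next mislabeled device. Fixing the label (so
the target becomes a specific device type) before adding any dontaudit
keeps the rule narrow.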