<div dir="ltr">Hi,<div><br></div><div>I found the messages below in the audit log:</div><div><br></div><div><div>[root@gfs1 ~]# grep "avc" /var/log/audit/audit.log</div><div>type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file</div>
<div>type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process</div>
<div>type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file</div>
<div>type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process</div>
<div>type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir</div>
<div>[root@gfs1 ~]#</div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <span dir="ltr"><<a href="mailto:S.Kieske@mittwald.de" target="_blank">S.Kieske@mittwald.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Well, I doubt this is a solution to this,<br>
anyway, if you want to check if it's a permission error<br>
due to not correctly configured SELinux you<br>
could do:<br>
<br>
grep "avc" /var/log/auditd/auditd.log<br>
<br>
and configure your SELinux correctly, no need to disable it.<br>
<br>
But I doubt that the "VM can spoof the IP address"<br>
<br>
you can configure it, sure, but you should not be able<br>
to access anything outside of the VM.<br>
<br>
Another way to set this up is to configure the filter<br>
vdsm-no-mac-spoofing for each VM<br>
and to configure your network to not allow any other IP packets<br>
from the given MAC, and assign well-known MACs to each VM.<br>
You can also add VLANs and proper subnetting to the mix to make<br>
it more secure.<br>
<br>
On 27.06.2014 11:16, Antoni Segura Puimedon wrote:<br>
<div class="im HOEnZb">> Did you try to disable SELinux with "setenforce 0" to see if the problem is<br>
> one of secure contexts?<br>
<br>
</div><div class="HOEnZb"><div class="h5">--<br>
Kind regards / Regards<br>
<br>
Sven Kieske<br>
<br>
System Administrator<br>
Mittwald CM Service GmbH & Co. KG<br>
Königsberger Straße 6<br>
32339 Espelkamp<br>
T: <a href="tel:%2B49-5772-293-100" value="+495772293100">+49-5772-293-100</a><br>
F: <a href="tel:%2B49-5772-293-333" value="+495772293333">+49-5772-293-333</a><br>
<a href="https://www.mittwald.de" target="_blank">https://www.mittwald.de</a><br>
Managing Director: Robert Meyer<br>
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen Local Court<br>
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen Local Court</div></div></blockquote></div><br></div>
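The thirteen AVC records above repeat every hour, so the first thing a reviewer wants to know is how many distinct policy decisions they actually represent. The script below is an added example and is not code from the thread or from oVirt/VDSM: it parses `avc: denied` records into their subject type, permission, target type and object class, and counts each distinct combination. The four AVC lines in `SAMPLE` are copied from the post (with the line-wrap artefacts removed); the `SYSCALL` record is constructed to show that non-denial lines are skipped. Grouping the denials this way is the step before running `ausearch -m avc` and `audit2allow` to build a local policy module, which is the "configure SELinux correctly, no need to disable it" path Sven describes.

```python
# Added example (not from the thread): parse SELinux AVC denial records such as
# the ones pasted above and count the distinct subject/permission/object
# combinations, so each denial can be looked at once instead of being read
# off a wall of hourly repeats.
import re
from collections import Counter

# Sample records copied from the post above (line-wrap artefacts removed), plus
# one constructed non-AVC record to show that unrelated lines are skipped.
SAMPLE = [
    'type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir',
    'type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir',
    # Constructed: the SYSCALL record that accompanies an AVC record; not a denial itself.
    'type=SYSCALL msg=audit(1403834461.442:266685): arch=c000003e syscall=257 success=no exit=-13 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)',
]

# "avc: denied { perm [perm ...] } for key=value ..." - capture the permission
# list and the key=value tail separately.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$')
# key=value fields; values are either double-quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),  # one record may list several permissions
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),   # absent for process-class denials
        "tclass": fields.get("tclass"),
        "stype": selinux_type(fields.get("scontext")),
        "ttype": selinux_type(fields.get("tcontext")),
    }


def summarize(lines):
    """Count denials keyed by (source type, comm, permission, target type, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["comm"], perm, rec["ttype"], rec["tclass"])] += 1
    return counts


def report(counts):
    """Render the summary, most frequent denial first."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(
        f"{n:4d}x {stype} ({comm}) denied '{perm}' on {tclass} of type {ttype}"
        for (stype, comm, perm, ttype, tclass), n in rows
    )


if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```

On the sample this collapses the records to three distinct denials (logrotate reading a virt_cache_t directory, xz reading a sysfs_t file, and sanlock-helper signalling a virtd_t process), each of which can then be judged separately: whether it is a mislabelled path to fix with `restorecon`, a boolean to toggle, or a rule that belongs in a local module. To run it on a real host, replace `SAMPLE` with the lines read from /var/log/audit/audit.log.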