Hi,
I found the messages below in the audit log:
[root@gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
[root@gfs1 ~]#
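The grep output above repeats the same few denials once per logrotate run, which makes it hard to see how many distinct policy gaps there actually are. The script below is an added example for this thread (not code from the original post, nor from oVirt/VDSM or the SELinux tools): it parses `type=AVC` records, groups them by source type, target type, object class and permission set, and prints one audit2allow-style `allow` rule per group with a count and time span. The sample input is constructed from the denials quoted above, rejoined onto single lines, plus one `type=USER_AVC` "setenforce" notice to show that a plain `grep avc` also catches non-denial records the parser has to skip. The function and variable names are this example's own.

```python
"""Summarise SELinux AVC denials from audit.log into distinct policy gaps.

Added example for this mailing-list thread; not code from the original
post or from oVirt/VDSM. Groups type=AVC denials by
(source type, target type, class, permissions) so hourly repeats of the
same denial collapse into one reviewable line.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: denials of the kinds quoted in the post, each rejoined
# onto one line, plus one USER_AVC record (logged when someone runs
# 'setenforce 0') that is not a denial and must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1403834461.442:266685): avc:  denied  { read } for  pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc:  denied  { read } for  pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc:  denied  { signal } for  pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=USER_AVC msg=audit(1403838000.000:266900): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1403838061.918:266965): avc:  denied  { read } for  pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc:  denied  { read } for  pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
"""

# Only kernel AVC denials; \s+ tolerates the double spaces auditd writes.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a denied type=AVC record, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec = {'ts': float(m.group('ts')),
           'perms': frozenset(m.group('perms').split()),
           **fields}
    # A context is user:role:type[:range]; the type is what policy rules use.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarise(text):
    """Group denials by (stype, ttype, tclass, perms), most frequent first."""
    groups = defaultdict(lambda: {'count': 0, 'first': None, 'last': None,
                                  'comms': set(), 'names': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'], rec['perms'])
        g = groups[key]
        g['count'] += 1
        g['first'] = rec['ts'] if g['first'] is None else min(g['first'], rec['ts'])
        g['last'] = rec['ts'] if g['last'] is None else max(g['last'], rec['ts'])
        g['comms'].add(rec.get('comm', '?'))
        if 'name' in rec:
            g['names'].add(rec['name'])
    return dict(sorted(groups.items(), key=lambda kv: -kv[1]['count']))


def te_rule(key):
    """Render one group in the TE 'allow' syntax audit2allow prints."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def report(text):
    """Human-readable summary: count, candidate rule, processes, time span."""
    out = []
    for key, g in summarise(text).items():
        fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime('%Y-%m-%d %H:%M:%SZ')
        out.append(f"{g['count']:3d}x  {te_rule(key)}")
        out.append(f"      comm={','.join(sorted(g['comms']))} "
                   f"name={','.join(sorted(g['names'])) or '-'}  "
                   f"{fmt(g['first'])} .. {fmt(g['last'])}")
    return '\n'.join(out)


if __name__ == '__main__':
    # Usage: python avc_summary.py /var/log/audit/audit.log   (or no argument for the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    print(report(src))
```

A printed rule is a prompt for review, not a fix to apply: a denial can also mean the object is mislabelled (compare the type against `matchpathcon` or `ls -Z` and fix it with `restorecon`) or that a policy boolean covers the case, and a `signal` denial between two process domains such as `sanlock_t` and `virtd_t` is a different kind of gap from `logrotate_t` reading a `virt_cache_t` directory. The real tool for turning the log into a loadable module is `grep avc /var/log/audit/audit.log | audit2allow -M <name>`; the grouping here is what you would want to look at before doing that.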
On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <S.Kieske(a)mittwald.de> wrote:
Well, I doubt this is a solution to this.
Anyway, if you want to check whether it's a permission error
due to not correctly configured SELinux, you
could do:
grep "avc" /var/log/auditd/auditd.log
and configure your SELinux correctly; no need to disable it.
But I doubt that the "VM can spoof the IP address":
you can configure it, sure, but you should not be able
to access anything outside of the VM.
Another way to set this up is to configure the filter
vdsm-no-mac-spoofing for each VM,
to configure your network to not allow any other IP packets
from the given MAC, and to assign well-known MACs to each VM.
You can also add VLANs and proper subnetting to the mix to make
it more secure.
On 27.06.2014 11:16, Antoni Segura Puimedon wrote:
> Did you try to disable SELinux with "setenforce 0" to see if the problem is
> one of secure contexts?
--
Kind regards / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen