
Hi, I found the below messages in the audit log:

[root@gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
[root@gfs1 ~]#

On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <S.Kieske@mittwald.de> wrote:
Well, I doubt this is a solution to this; anyway, if you want to check whether it's a permission error due to incorrectly configured SELinux you could do:

grep "avc" /var/log/audit/audit.log

and configure your SELinux correctly; there is no need to disable it.

But I doubt that the "VM can spoof the IP address".
You can configure it, sure, but you should not be able to access anything outside of the VM.

Another way to set this up is to configure the filter vdsm-no-mac-spoofing for each VM, to configure your network to not allow any other IP packets from the given MAC, and to assign well-known MACs to each VM. You can also add VLANs and proper subnetting to the mix to make it more secure.
On 27.06.2014 11:16, Antoni Segura Puimedon wrote:
Did you try to disable SELinux with "setenforce 0" to see if the problem is one of secure contexts?
-- Kind regards / Regards

Sven Kieske
System Administrator

Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen Local Court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen Local Court
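To make the "configure SELinux correctly instead of disabling it" advice concrete, here is an added example (not code from the thread, oVirt or vdsm) that does what audit2allow does at its core: it parses AVC records of the shape posted above, groups the denials by source type, target type and object class, and renders the allow rules they would imply. The sample input is constructed from the records in the thread (PIDs and timestamps taken from there, plus one invented non-AVC SYSCALL line to show that other record types are skipped); the function and regex names are this example's own.

```python
"""Group SELinux AVC denials and print the audit2allow-style rules they imply."""
import re
from collections import defaultdict

# Sample input constructed from the records posted in this thread.  The
# SYSCALL line is an invented non-AVC record, included to show it is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1403834461.442:266685): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
"""

# One AVC record per line: "type=AVC msg=audit(TS:SERIAL): avc: denied { perms } for pid=N comm="X" ... scontext=S tcontext=T tclass=C"
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC record; audit records of other types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()   # "{ read write }" -> ["read", "write"]
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:logrotate_t:s0 -> logrotate_t."""
    return context.split(":")[2]


def group_denials(records):
    """Map (source type, target type, class) -> (sorted permissions, number of denials)."""
    perms = defaultdict(set)
    counts = defaultdict(int)
    for r in records:
        if r["decision"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        perms[key].update(r["perms"])
        counts[key] += 1
    return {k: (sorted(perms[k]), counts[k]) for k in perms}


def allow_rules(records):
    """Render the grouped denials as the 'allow' statements audit2allow would emit."""
    rules = []
    for (stype, ttype, tclass), (perms, _) in sorted(group_denials(records).items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), (perms, n) in sorted(group_denials(recs).items()):
        print(f"{n:3d}x  {stype} -> {ttype}:{tclass}  {' '.join(perms)}")
    print()
    print("\n".join(allow_rules(recs)))
```

On a real host the same grouping comes from `ausearch -m avc -ts recent | audit2why`, which additionally tells you when an existing boolean already covers the access, and `audit2allow -M mymodule` followed by `semodule -i mymodule.pp` installs the rules. Treat the generated rules as a starting point for review, not as something to install blindly: each denial records only that the confined domain tried the access, not that the access is legitimate, and if the real cause is a mislabelled file, relabelling it (`restorecon`, or `semanage fcontext` plus `restorecon` for a persistent rule) is the narrower fix than widening what the domain may touch.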