found 18 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file 2701cea5-6bb5-435d-9403-2343f43a914b.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file
Then you need to change the label on 2701cea5-6bb5-435d-9403-2343f43a914b
Do
# semanage fcontext -a -t FILE_TYPE '2701cea5-6bb5-435d-9403-2343f43a914b'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v '2701cea5-6bb5-435d-9403-2343f43a914b'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c488,c590
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                2701cea5-6bb5-435d-9403-2343f43a914b [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-12 14:38:13 MSK
Last Seen                     2016-10-12 14:38:13 MSK
Local ID                      e5608de0-4bb9-45c9-8eee-e2b37e9664f4

Raw Audit Messages
type=AVC msg=audit(1476272293.416:213): avc: denied { read } for pid=4996 comm="qemu-kvm" name="2701cea5-6bb5-435d-9403-2343f43a914b" dev="dm-1" ino=268436805 scontext=system_u:system_r:svirt_t:s0:c488,c590 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476272293.416:213): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f6f6a116b00 a1=7ffc9030d660 a2=7ffc9030d660 a3=7f6f60774e90 items=0 ppid=1 pid=4996 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c488,c590 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file 2701cea5-6bb5-435d-9403-2343f43a914b.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file
Then you need to change the label on 2701cea5-6bb5-435d-9403-2343f43a914b
Do
# semanage fcontext -a -t FILE_TYPE '2701cea5-6bb5-435d-9403-2343f43a914b'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v '2701cea5-6bb5-435d-9403-2343f43a914b'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c578,c612
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                2701cea5-6bb5-435d-9403-2343f43a914b [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-12 14:40:25 MSK
Last Seen                     2016-10-12 14:40:25 MSK
Local ID                      4c9911aa-f92d-4b18-a3d5-a829f8d8d989

Raw Audit Messages
type=AVC msg=audit(1476272425.252:364): avc: denied { read } for pid=5529 comm="qemu-kvm" name="2701cea5-6bb5-435d-9403-2343f43a914b" dev="dm-1" ino=268436805 scontext=system_u:system_r:svirt_t:s0:c578,c612 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476272425.252:364): arch=x86_64 syscall=open success=no exit=EACCES a0=7fd600d16b00 a1=80800 a2=0 a3=7fd5f7e9ae90 items=0 ppid=1 pid=5529 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c578,c612 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file 2701cea5-6bb5-435d-9403-2343f43a914b.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file
Then you need to change the label on 2701cea5-6bb5-435d-9403-2343f43a914b
Do
# semanage fcontext -a -t FILE_TYPE '2701cea5-6bb5-435d-9403-2343f43a914b'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v '2701cea5-6bb5-435d-9403-2343f43a914b'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c240,c253
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                2701cea5-6bb5-435d-9403-2343f43a914b [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-12 14:47:10 MSK
Last Seen                     2016-10-12 14:47:10 MSK
Local ID                      c9ee8367-ad2c-4dbf-ae46-e43ad88fa759

Raw Audit Messages
type=AVC msg=audit(1476272830.219:490): avc: denied { read } for pid=6439 comm="qemu-kvm" name="2701cea5-6bb5-435d-9403-2343f43a914b" dev="dm-1" ino=268436805 scontext=system_u:system_r:svirt_t:s0:c240,c253 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476272830.219:490): arch=x86_64 syscall=open success=no exit=EACCES a0=7f1d93d80b00 a1=84002 a2=0 a3=0 items=0 ppid=1 pid=6439 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c240,c253 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file 2701cea5-6bb5-435d-9403-2343f43a914b.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file
Then you need to change the label on 2701cea5-6bb5-435d-9403-2343f43a914b
Do
# semanage fcontext -a -t FILE_TYPE '2701cea5-6bb5-435d-9403-2343f43a914b'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v '2701cea5-6bb5-435d-9403-2343f43a914b'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the 2701cea5-6bb5-435d-9403-2343f43a914b lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c154,c888
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                2701cea5-6bb5-435d-9403-2343f43a914b [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-12 14:47:56 MSK
Last Seen                     2016-10-12 14:47:56 MSK
Local ID                      c337152b-8c31-4e7c-ad57-45203b97af8e

Raw Audit Messages
type=AVC msg=audit(1476272876.350:592): avc: denied { read } for pid=6742 comm="qemu-kvm" name="2701cea5-6bb5-435d-9403-2343f43a914b" dev="dm-1" ino=268436805 scontext=system_u:system_r:svirt_t:s0:c154,c888 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476272876.350:592): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa4fef68b00 a1=80800 a2=0 a3=7fa4f49cde90 items=0 ppid=1 pid=6742 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c154,c888 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file
Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2
Do
# semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c350,c447
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-12 14:53:57 MSK
Last Seen                     2016-10-12 14:53:57 MSK
Local ID                      d9faf2fb-ffe5-4183-99ac-040f5e38175b

Raw Audit Messages
type=AVC msg=audit(1476273237.544:678): avc: denied { read } for pid=7455 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c350,c447 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476273237.544:678): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3817e3c9a0 a1=80800 a2=0 a3=7f380d3afe90 items=0 ppid=1 pid=7455 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c350,c447 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file
Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2
Do
# semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c536,c727
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-12 14:54:45 MSK
Last Seen                     2016-10-12 14:54:45 MSK
Local ID                      a0f38ecd-3923-40c8-918e-3cc3d91be2bf

Raw Audit Messages
type=AVC msg=audit(1476273285.680:729): avc: denied { read } for pid=7708 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c536,c727 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476273285.680:729): arch=x86_64 syscall=open success=no exit=EACCES a0=7f003bb589a0 a1=80800 a2=0 a3=7f0032698e90 items=0 ppid=1 pid=7708 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c536,c727 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file
Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2
Do
# semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c164,c452
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-12 14:55:01 MSK
Last Seen                     2016-10-12 14:55:01 MSK
Local ID                      47f09d3b-41ba-4367-a351-1be519739a8a

Raw Audit Messages
type=AVC msg=audit(1476273301.831:788): avc: denied { read } for pid=7916 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c164,c452 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476273301.831:788): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff2994f09a0 a1=84002 a2=0 a3=0 items=0 ppid=1 pid=7916 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c164,c452 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2.
***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file
Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2
Do
# semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'
where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t.
Then execute:
restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c334,c678
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port
Host
Source RPM Packages           qemu-kvm-ev-2.3.0-29.1.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     node69-02.
Platform                      Linux node69-02. 3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-12 14:58:47 MSK
Last Seen                     2016-10-12 14:58:47 MSK
Local ID                      7572c42b-a52a-4a44-862d-eb304d9991b6

Raw Audit Messages
type=AVC msg=audit(1476273527.439:923): avc: denied { read } for pid=8758 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c334,c678 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1476273527.439:923): arch=x86_64 syscall=open success=no exit=EACCES a0=7faf4998c9a0 a1=84002 a2=0 a3=0 items=0 ppid=1 pid=8758 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c334,c678 key=(null)

Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the lnk_file /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2.
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, 
telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c520,c829 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /rhev/data-center/mnt/blockSD/dcaf230c- fa73-4022-9750-e5094669454d/images/71f18680-1b93 -4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b 3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:00:06 MSK Last Seen 2016-10-12 15:00:06 MSK Local ID 2f5b2d74-ce96-44fe-bb55-4c146ec40cae Raw Audit Messages type=AVC msg=audit(1476273606.370:975): avc: denied { getattr } for pid=9050 comm="qemu-kvm" path="/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c520,c829 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476273606.370:975): arch=x86_64 syscall=lstat success=yes exit=0 a0=7fff5b665e70 a1=7fff5b665d00 a2=7fff5b665d00 a3=3761643631303362 items=0 ppid=1 pid=9050 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c520,c829 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, 
textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c520,c829 Target Context system_u:object_r:unlabeled_t:s0 Target Objects a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:00:06 MSK Last Seen 2016-10-12 15:00:06 MSK Local ID d93a1026-2e94-445b-bcce-9b8edae4083f Raw Audit Messages type=AVC msg=audit(1476273606.370:974): avc: denied { read } for pid=9050 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c520,c829 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476273606.370:974): arch=x86_64 syscall=open success=yes exit=ENOTDIR a0=7f9e288329a0 a1=80800 a2=0 a3=7f9e1ddace90 items=0 ppid=1 pid=9050 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c520,c829 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, 
textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c427,c438 Target Context system_u:object_r:unlabeled_t:s0 Target Objects a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:07:10 MSK Last Seen 2016-10-12 15:07:10 MSK Local ID 5444b690-34c1-48f2-afa9-08c49cca7f9d Raw Audit Messages type=AVC msg=audit(1476274030.194:1052): avc: denied { read } for pid=9976 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c427,c438 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476274030.194:1052): arch=x86_64 syscall=open success=yes exit=ENOTDIR a0=7f706b3a49a0 a1=80800 a2=0 a3=7f7061809e90 items=0 ppid=1 pid=9976 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c427,c438 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the lnk_file /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, 
telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c427,c438 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /rhev/data-center/mnt/blockSD/dcaf230c- fa73-4022-9750-e5094669454d/images/71f18680-1b93 -4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b 3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:07:10 MSK Last Seen 2016-10-12 15:07:10 MSK Local ID 68770884-ea33-4e9d-a499-936d14aef3f0 Raw Audit Messages type=AVC msg=audit(1476274030.195:1053): avc: denied { getattr } for pid=9976 comm="qemu-kvm" path="/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c427,c438 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476274030.195:1053): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffd2a5ea360 a1=7ffd2a5ea1f0 a2=7ffd2a5ea1f0 a3=3761643631303362 items=0 ppid=1 pid=9976 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c427,c438 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the lnk_file /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, 
telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c333,c726 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /rhev/data-center/mnt/blockSD/dcaf230c- fa73-4022-9750-e5094669454d/images/71f18680-1b93 -4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b 3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:54:53 MSK Last Seen 2016-10-12 15:54:53 MSK Local ID d0d2659a-8d2e-4aaf-835c-52075909e26d Raw Audit Messages type=AVC msg=audit(1476276893.916:1223): avc: denied { getattr } for pid=14956 comm="qemu-kvm" path="/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c333,c726 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476276893.916:1223): arch=x86_64 syscall=lstat success=yes exit=0 a0=7fff316303c0 a1=7fff31630250 a2=7fff31630250 a3=3761643631303362 items=0 ppid=1 pid=14956 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c333,c726 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, 
textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c333,c726 Target Context system_u:object_r:unlabeled_t:s0 Target Objects a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:54:53 MSK Last Seen 2016-10-12 15:54:53 MSK Local ID 198aced0-0959-4225-a11f-4d0bdc7c6fb9 Raw Audit Messages type=AVC msg=audit(1476276893.916:1222): avc: denied { read } for pid=14956 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c333,c726 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476276893.916:1222): arch=x86_64 syscall=open success=yes exit=ENOTDIR a0=7f67d8afc9a0 a1=80800 a2=0 a3=7f67cee3be90 items=0 ppid=1 pid=14956 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c333,c726 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, 
textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c528,c994 Target Context system_u:object_r:unlabeled_t:s0 Target Objects a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:57:59 MSK Last Seen 2016-10-12 15:57:59 MSK Local ID c585c5fe-d306-4068-ae5d-4bcd11052713 Raw Audit Messages type=AVC msg=audit(1476277079.139:1290): avc: denied { read } for pid=15482 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c528,c994 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476277079.139:1290): arch=x86_64 syscall=open success=yes exit=ENOTDIR a0=7f24c83c89a0 a1=80800 a2=0 a3=7f24bef4ee90 items=0 ppid=1 pid=15482 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c528,c994 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the lnk_file /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, 
telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c528,c994 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02.
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 15:57:59 MSK Last Seen 2016-10-12 15:57:59 MSK Local ID 2c34ef41-0709-47fb-811d-026772d7ba7c Raw Audit Messages type=AVC msg=audit(1476277079.140:1291): avc: denied { getattr } for pid=15482 comm="qemu-kvm" path="/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c528,c994 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476277079.140:1291): arch=x86_64 syscall=lstat success=yes exit=0 a0=7fff3e371770 a1=7fff3e371600 a2=7fff3e371600 a3=3761643631303362 items=0 ppid=1 pid=15482 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c528,c994 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,getattr -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from read access on the lnk_file a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, 
textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v 'a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c489,c932 Target Context system_u:object_r:unlabeled_t:s0 Target Objects a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02. 
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-10-12 16:00:17 MSK Last Seen 2016-10-12 16:00:17 MSK Local ID 9848e909-d341-4fcb-b579-d835c4a3e962 Raw Audit Messages type=AVC msg=audit(1476277217.301:1343): avc: denied { read } for pid=15904 comm="qemu-kvm" name="a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c489,c932 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476277217.301:1343): arch=x86_64 syscall=readlink success=yes exit=EREMCHG a0=7ffcb6460140 a1=7ffcb645cf70 a2=fff a3=3761643631303362 items=0 ppid=1 pid=15904 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c489,c932 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,read -------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the lnk_file /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2. 
***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-kvm to have getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file Then you need to change the label on /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 Do # semanage fcontext -a -t FILE_TYPE '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' where FILE_TYPE is one of the following: admin_home_t, alsa_etc_rw_t, alsa_home_t, antivirus_home_t, audio_home_t, auth_home_t, bin_t, boot_t, cache_home_t, cert_t, chrome_sandbox_home_t, cifs_t, config_home_t, cvs_home_t, data_home_t, dbus_home_t, device_t, devlog_t, etc_runtime_t, etc_t, fetchmail_home_t, fonts_cache_t, fonts_t, fusefs_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, ld_so_t, lib_t, local_login_home_t, locale_t, mail_home_rw_t, mail_home_t, man_cache_t, man_t, mandb_home_t, mnt_t, mozilla_home_t, mpd_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, net_conf_t, nfs_t, openshift_var_lib_t, polipo_cache_home_t, polipo_config_home_t, proc_t, procmail_home_t, public_content_rw_t, public_content_t, pulseaudio_home_t, qemu_var_run_t, rlogind_home_t, root_t, rpm_script_tmp_t, rssh_ro_t, rssh_rw_t, sandbox_file_t, screen_home_t, security_t, shell_exec_t, spamc_home_t, speech-dispatcher_home_t, src_t, ssh_home_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, sysfs_t, system_conf_t, system_db_t, systemd_home_t, telepathy_cache_home_t, telepathy_data_home_t, 
telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, texlive_home_t, textrel_shlib_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, usbfs_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, usr_t, var_run_t, var_t, virt_content_t, virt_etc_rw_t, virt_home_t, virt_image_t, virt_var_lib_t, virt_var_run_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-kvm should be allowed getattr access on the a3f29de7-c6b9-410e-b635-9b3016da7ba2 lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c489,c932 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2 [ lnk_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port Host Source RPM Packages qemu-kvm-ev-2.3.0-29.1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name node69-02. Platform Linux node69-02.
3.10.0-327.36.1.el7.x86_64 #1 SMP Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-10-12 16:00:17 MSK Last Seen 2016-10-12 16:00:17 MSK Local ID 5bb1ae49-1b66-4714-b4e7-d51d5792077f Raw Audit Messages type=AVC msg=audit(1476277217.301:1342): avc: denied { getattr } for pid=15904 comm="qemu-kvm" path="/rhev/data-center/mnt/blockSD/dcaf230c-fa73-4022-9750-e5094669454d/images/71f18680-1b93-4a2a-9bd1-95baeccf2d89/a3f29de7-c6b9-410e-b635-9b3016da7ba2" dev="dm-1" ino=493725 scontext=system_u:system_r:svirt_t:s0:c489,c932 tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1476277217.301:1342): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffcb6460140 a1=7ffcb645ffd0 a2=7ffcb645ffd0 a3=3761643631303362 items=0 ppid=1 pid=15904 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c489,c932 key=(null) Hash: qemu-kvm,svirt_t,unlabeled_t,lnk_file,getattr