[ovirt-users] Ip spoofing

Punit Dambiwal hypunit at gmail.com
Fri Jun 27 10:15:35 UTC 2014


Hi,

I found below messages in the audit log :-

[root at gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc:  denied  { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc:  denied  { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc:  denied  { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc:  denied  { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc:  denied  { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc:  denied  { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc:  denied  { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc:  denied  { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc:  denied  { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc:  denied  { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc:  denied  { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc:  denied  { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc:  denied  { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
[root at gfs1 ~]#


On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <S.Kieske at mittwald.de> wrote:

> Well I doubt this is a solution to this,
> anyway, if you want to check if it's a permission error
> due to not correctly configured selinux you
> could do:
>
> grep "avc" /var/log/audit/audit.log
>
> and configure your selinux correctly, no need to disable it.
>
> But I doubt that the "VM can spoof the ip address"
>
> you can configure it, sure, but you should not be able
> to access anything outside of the vm.
>
> another way to set this up, is, to configure the filter
> vdsm-no-mac-spoofing for each vm
> and to configure your network to not allow any other IP packets
> from the given mac, and assign well known macs to each vm.
> you can also add vlans and proper subnetting to the mix to make
> it more secure.
>
> On 27.06.2014 11:16, Antoni Segura Puimedon wrote:
> > Did you try to disable SELinux with "setenforce 0" to see if the problem
> is
> > one of secure contexts?
>
> --
> Kind regards / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Managing Director: Robert Meyer
> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen district court
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen district court
>
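Before changing any SELinux policy on the basis of a grep like the one above, it is worth grouping the denials so you can see which source domain is being blocked from which target type, and whether any of them involve a network object class at all. The script below is an added example for this thread, not code from oVirt, vdsm or either poster; it parses auditd AVC records into fields, groups denials by source type, target type, object class, permission and command, and checks whether any denial targets a network class (packet, netif, node, socket types). The sample log embedded in it is constructed from records quoted in this message, with one non-AVC SYSCALL line added to show that unrelated records are skipped; the set of network classes is an assumption chosen for this check.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: AVC records taken from the message above, one per line
# as auditd writes them, plus one SYSCALL line that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403834461.442:266685): avc:  denied  { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc:  denied  { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc:  denied  { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc:  denied  { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc:  denied  { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1403834461.442:266685): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# Header of an AVC record: timestamp, serial, decision, permission set, then
# the free-form key=value tail.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of SELinux object classes a denial would have to involve for it
# to say anything about guest traffic reaching or leaving the host.
NETWORK_CLASSES = {"packet", "netif", "node", "tcp_socket", "udp_socket",
                   "rawip_socket", "packet_socket", "netlink_socket"}


def se_type(context):
    """user:role:type[:range] -> type (e.g. logrotate_t)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict of fields for an AVC record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    rec["stype"] = se_type(rec["scontext"])
    rec["ttype"] = se_type(rec["tcontext"])
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class, perms, comm).

    Returns (counts, pids): how often each distinct denial occurred and which
    PIDs produced it. This is the view you want before deciding whether a
    denial is a labelling mistake, a policy gap, or a process doing something
    it should not.
    """
    counts = Counter()
    pids = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec.get("comm"))
        counts[key] += 1
        pids[key].add(rec.get("pid"))
    return counts, pids


def network_related(log_text):
    """Denials whose target class is a network object. An empty result means
    the AVCs neither explain nor block anything about VM traffic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied" and rec["tclass"] in NETWORK_CLASSES:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    counts, pids = summarize(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass, perms, comm), n in counts.most_common():
        print(f"{n:3d}x {comm:15s} {stype} -> {ttype} {tclass} {{ {' '.join(perms)} }} pids={sorted(pids[(stype, ttype, tclass, perms, comm)])}")
    print("network-related denials:", len(network_related(SAMPLE_AUDIT_LOG)))
```

Run against the records quoted in this message, the grouping collapses the log to three distinct denials: logrotate reading a virt_cache_t directory named "core", xz reading a sysfs file named "online", and sanlock-helper sending a signal to a virtd_t process. None of them targets a network class, so these AVCs do not support the theory that SELinux is involved in a VM spoofing an address; they are ordinary policy gaps on the host to be fixed with a targeted policy change rather than by switching SELinux off. To apply it to a real host, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log.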