[ovirt-users] Ip spoofing
Punit Dambiwal
hypunit at gmail.com
Fri Jun 27 10:15:35 UTC 2014
Hi,
I found the messages below in the audit log:
[root at gfs1 ~]# grep "avc" /var/log/audit/audit.log
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.051:267604): avc: denied { read } for pid=3256 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403841661.053:267605): avc: denied { read } for pid=3257 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403845261.394:271326): avc: denied { read } for pid=6791 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403848861.538:271797): avc: denied { read } for pid=9269 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852461.654:272828): avc: denied { read } for pid=12222 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403852998.237:272831): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403856061.898:273118): avc: denied { read } for pid=16215 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403859661.098:273934): avc: denied { read } for pid=19991 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403863261.394:276053): avc: denied { read } for pid=24345 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
[root at gfs1 ~]#
On Fri, Jun 27, 2014 at 5:35 PM, Sven Kieske <S.Kieske at mittwald.de> wrote:
> Well I doubt this is a solution to this,
> anyway, if you want to check if it's a permission error
> due to not correctly configured selinux you
> could do:
>
> grep "avc" /var/log/auditd/auditd.log
>
> and configure your selinux correctly, no need to disable it.
>
> But I doubt that the "VM can spoof the ip address"
>
> you can configure it, sure, but you should not be able
> to access anything outside of the vm.
>
> another way to set this up, is, to configure the filter
> vdsm-no-mac-spoofing for each vm
> and to configure your network to not allow any other IP packets
> from the given MAC, and assign well known MACs to each vm.
> you can also add VLANs and proper subnetting to the mix to make
> it more secure.
>
> On 27.06.2014 11:16, Antoni Segura Puimedon wrote:
> > Did you try to disable SELinux with "setenforce 0" to see if the problem is
> > one of secure contexts?
>
> --
> Kind regards / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Managing Director: Robert Meyer
> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen district court
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen district court
>
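As an added example (not code from the thread or from oVirt/vdsm), here is a small Python script that parses the AVC records posted above, aggregates them by command, source domain, target type, object class and permission, and checks whether any denial falls in a network object class, which is the kind of denial you would expect to see if the VM IP question were an SELinux matter at all. The sample records are copied from the thread and re-joined onto single lines; the network class list is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: four of the AVC records posted in the thread, re-joined
# onto one line each (the mail client had wrapped them).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1403834461.442:266685): avc: denied { read } for pid=27958 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
type=AVC msg=audit(1403835901.532:266865): avc: denied { read } for pid=29746 comm="xz" name="online" dev=sysfs ino=23 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1403836508.226:266868): avc: denied { signal } for pid=3537 comm="sanlock-helper" scontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1403838061.918:266965): avc: denied { read } for pid=32528 comm="logrotate" name="core" dev=dm-0 ino=789758 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# SELinux object classes that cover network traffic (assumed list). If the VM
# network question in the thread were an SELinux problem, denials would be here.
NETWORK_CLASSES = {"packet", "netif", "node", "tcp_socket", "udp_socket", "rawip_socket"}

def parse_avc(line):
    """Parse one AVC denial into (comm, source domain, target type, class, perms)."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record (or a malformed line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    # The type is the third colon-separated component of a security context.
    return (fields.get("comm", "?"), fields["scontext"].split(":")[2],
            fields["tcontext"].split(":")[2], fields["tclass"],
            tuple(m.group(1).split()))

def summarize(text):
    """Count distinct (comm, source domain, target type, class, perm) denials."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            comm, sdom, ttype, tclass, perms = rec
            for perm in perms:
                counts[(comm, sdom, ttype, tclass, perm)] += 1
    return counts

def network_denials(text):
    """Denial keys whose object class is a network class (none in the sample)."""
    return [k for k in summarize(text) if k[3] in NETWORK_CLASSES]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}  {key[0]:15s} {key[1]} -> {key[2]} ({key[3]}:{key[4]})")
    print("network-class denials:", network_denials(SAMPLE_AUDIT) or "none")
```

Run against the real file with `summarize(open("/var/log/audit/audit.log").read())`; an empty `network_denials` result means the logged denials are about logrotate and sanlock, not about VM traffic.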