I don't think this has anything to do with whether Proxmox Backup Server is used or not, it's something to do with the qemu agent when vzdump is called (in other words, the same result happens when backing up to local storage). Here's a heavily grepped-down list of the noise from one host:
Bash:
# sealert -l "*" | grep 'SELinux is preventing' | sort -u
SELinux is preventing /usr/bin/bash from execute access on the file /usr/bin/chronyc.
SELinux is preventing /usr/bin/chronyc from execute_no_trans access on the file /usr/bin/chronyc.
SELinux is preventing /usr/bin/chronyc from map access on the file /usr/bin/chronyc.
SELinux is preventing /usr/bin/perl from connectto access on the unix_stream_socket /var/lib/mysql/mysql.sock.
SELinux is preventing /usr/bin/perl from write access on the sock_file /var/lib/mysql/mysql.sock.
SELinux is preventing /usr/bin/ps from open access on the file /proc/<pid>/stat.
SELinux is preventing /usr/bin/ps from open access on the file /proc/<pid>/status.
SELinux is preventing /usr/bin/ps from read access on the file /proc/<pid>/stat.
SELinux is preventing /usr/bin/ps from read access on the file /proc/<pid>/status.
SELinux is preventing /usr/bin/ps from search access on the directory /proc/<pid>/stat.
SELinux is preventing /usr/bin/ps from search access on the directory /proc/<pid>/status.
SELinux is preventing /usr/bin/ps from sys_ptrace access on the cap_userns labeled virt_qemu_ga_t.
How grepped-down? This grepped-down:
Bash:
# sealert -l "*" | grep 'SELinux is preventing' | wc -l
50
Anyhow, I know there are a lot of booleans that can be set to quiet this noise but should we really be loosening up our selinux config willy-nilly? I say we should not, but we obviously do need to figure out what allows and bools need to be set and ideally update the qemu tools with the correct selinux profile. All productive suggestions welcome.
This is wild:
Bash:
# audit2allow -a | grep -e qemu -e boolean
#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t NetworkManager_t:dir search;
allow virt_qemu_ga_t NetworkManager_t:file { open read };
allow virt_qemu_ga_t audisp_remote_t:dir search;
allow virt_qemu_ga_t audisp_remote_t:file { open read };
allow virt_qemu_ga_t auditd_t:dir search;
allow virt_qemu_ga_t auditd_t:file { open read };
allow virt_qemu_ga_t chronyc_exec_t:file { execute execute_no_trans };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow virt_qemu_ga_t chronyc_exec_t:file map;
allow virt_qemu_ga_t chronyd_t:dir search;
allow virt_qemu_ga_t chronyd_t:file { open read };
allow virt_qemu_ga_t crond_t:dir search;
allow virt_qemu_ga_t crond_t:file { open read };
allow virt_qemu_ga_t getty_t:dir search;
allow virt_qemu_ga_t getty_t:file { open read };
allow virt_qemu_ga_t irqbalance_t:dir search;
allow virt_qemu_ga_t irqbalance_t:file { open read };
allow virt_qemu_ga_t kernel_t:dir search;
allow virt_qemu_ga_t kernel_t:file { open read };
allow virt_qemu_ga_t lsmd_t:dir search;
allow virt_qemu_ga_t lsmd_t:file { open read };
allow virt_qemu_ga_t mysqld_t:dir search;
allow virt_qemu_ga_t mysqld_t:file { open read };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow virt_qemu_ga_t mysqld_t:unix_stream_socket connectto;
allow virt_qemu_ga_t mysqld_var_run_t:sock_file write;
allow virt_qemu_ga_t policykit_t:dir search;
allow virt_qemu_ga_t policykit_t:file { open read };
allow virt_qemu_ga_t self:cap_userns sys_ptrace;
allow virt_qemu_ga_t setroubleshootd_t:dir search;
allow virt_qemu_ga_t setroubleshootd_t:file { open read };
allow virt_qemu_ga_t sshd_t:dir search;
allow virt_qemu_ga_t sshd_t:file { open read };
allow virt_qemu_ga_t syslogd_t:dir search;
allow virt_qemu_ga_t syslogd_t:file { open read };
allow virt_qemu_ga_t system_dbusd_t:dir search;
allow virt_qemu_ga_t system_dbusd_t:file { open read };
allow virt_qemu_ga_t systemd_logind_t:dir search;
allow virt_qemu_ga_t systemd_logind_t:file { open read };
allow virt_qemu_ga_t tuned_t:dir search;
allow virt_qemu_ga_t tuned_t:file { open read };
allow virt_qemu_ga_t udev_t:dir search;
allow virt_qemu_ga_t udev_t:file { open read };
allow virt_qemu_ga_t unconfined_service_t:dir search;
allow virt_qemu_ga_t unconfined_service_t:file { open read };
allow virt_qemu_ga_t unconfined_t:dir search;
allow virt_qemu_ga_t unconfined_t:file { open read };
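Added here as an example, not the poster's code: a small Python triage of the audit2allow output above. It parses each allow rule, keeps the boolean hint audit2allow prints before a rule, and sorts rules into read-only process listing (dir search / file open read, which is what ps does under /proc) versus rules that widen the agent's reach (execute, socket connect, write, capabilities, mmap), so the "willy-nilly" question can be answered rule by rule. SAMPLE is a constructed subset of the rules quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow output quoted in the post.
SAMPLE = """\
#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t NetworkManager_t:dir search;
allow virt_qemu_ga_t NetworkManager_t:file { open read };
allow virt_qemu_ga_t chronyc_exec_t:file { execute execute_no_trans };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow virt_qemu_ga_t chronyc_exec_t:file map;
allow virt_qemu_ga_t mysqld_t:dir search;
allow virt_qemu_ga_t mysqld_t:file { open read };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow virt_qemu_ga_t mysqld_t:unix_stream_socket connectto;
allow virt_qemu_ga_t mysqld_var_run_t:sock_file write;
allow virt_qemu_ga_t self:cap_userns sys_ptrace;
"""

RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);")
BOOL = re.compile(r"boolean '([^']+)'")

# Permissions that go beyond read-only process listing and deserve a
# per-rule decision rather than a blanket allow or a global boolean.
REVIEW = {"execute", "execute_no_trans", "connectto", "write", "sys_ptrace", "map"}

def parse_rules(text):
    """Yield (source, target, class, perms, suggested_bool) for each allow line.
    audit2allow prints the boolean hint on the line *before* the rule it applies to."""
    pending_bool = None
    for line in text.splitlines():
        m = BOOL.search(line)
        if m:
            pending_bool = m.group(1)
            continue
        m = RULE.match(line)
        if not m:
            continue  # section header or blank line
        perms = set(m.group(4).strip("{} ").split())
        yield m.group(1), m.group(2), m.group(3), perms, pending_bool
        pending_bool = None

def triage(text):
    """Bucket rules as (rule_text, suggested_bool): 'proc_read' for plain
    dir-search/file-read on other domains (ps walking /proc), 'review' for
    anything granting execution, socket access, writes, caps or mmap."""
    buckets = defaultdict(list)
    for src, tgt, cls, perms, b in parse_rules(text):
        rule = f"{src} {tgt}:{cls} {' '.join(sorted(perms))}"
        if perms & REVIEW:
            buckets["review"].append((rule, b))
        elif (cls == "dir" and perms == {"search"}) or (cls == "file" and perms <= {"open", "read"}):
            buckets["proc_read"].append((rule, b))
        else:
            buckets["other"].append((rule, b))
    return dict(buckets)
```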