Bug 1003244

Summary: Permission denied when running virt-alignment-scan using vdsm service on a vdsm image
Product: Red Hat Enterprise Linux 6 Reporter: Yeela Kaplan <ykaplan>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dwalsh, mmalik, oourfali, sgotliv, ykaplan
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Red Hat Enterprise Linux Server release 6.4 (Santiago) selinux-policy-targeted-3.7.19-195.el6_4.12.noarch libselinux-utils-2.0.94-5.3.el6_4.1.x86_64 selinux-policy-3.7.19-195.el6_4.12.noarch libselinux-python-2.0.94-5.3.el6_4.1.x86_64 libselinux-2.0.94-5.3.el6_4.1.x86_64 vdsm-4.12.0-34.gitbf23a9e.el6_4.x86_64 libguestfs-tools-1.16.34-2.el6.x86_64 python-libguestfs-1.16.34-2.el6.x86_64 libguestfs-1.16.34-2.el6.x86_64
Last Closed: 2013-09-13 14:24:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Yeela Kaplan 2013-09-01 09:16:04 UTC 
Description of problem:

When using vdsm service and running '/usr/bin/virt-alignment-scan' on a vdsm image we get Permission denied when in enforcing mode (it succeeds scan when in permissive mode).

Running '/usr/bin/virt-alignment-scan' as user vdsm from shell will succeed, it only fails when running through the service (using the verb 'getDiskAlignment' from vdsClient or engine).

from shell as vdsm user:

/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285
/dev/sda1      1048576         1024K   ok
/dev/sda2    525336576         1024K   ok

using vdsm service (vdsClient):
vdsClient -s 0 getDiskAlignment 0 446ba2b8-d44e-49b4-87eb-931b18d9d667 4139da9d-cbe9-4590-b939-3a4bbf3966f8 f2e89d67-79ac-4284-b6d5-a90fef9a431b 4824aa4a-af29-4ca2-ac2d-187fcf2fd285

When using verbosity option for virt-alignment-scan we see in the logs:
'could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied'
and:
'libguestfs: error: guestfs_launch failed, see earlier error messages'

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.4 (Santiago)

selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64

vdsm-4.12.0-34.gitbf23a9e.el6_4.x86_64

libguestfs-tools-1.16.34-2.el6.x86_64
python-libguestfs-1.16.34-2.el6.x86_64
libguestfs-1.16.34-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vdsm, libguestfs
2. setenforce 1
3. run vdsClient -s 0 getDiskAlignment [<vmId> <poolId> <domId> <imgId> <volId>]

Actual results:

Fail to get Image alignment from libguestfs with Permission denied.

Expected results:

libguestfs should succeed scan and return alignment True/False for each partition on the disk image. 





from vdsm log:


Thread-24::DEBUG::2013-09-01 12:09:02,002::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) '/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285 -v' (cwd None)
Thread-24::DEBUG::2013-09-01 12:09:02,146::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) FAILED: <err> = "libguestfs: [00000ms] febootstrap-supermin-helper --verbose -f checksum '/usr/lib64/guestfs/supermin.d' x86_64\nsupermin helper [00000ms] whitelist = (not specified), host_cpu = x86_64, kernel = (null), initrd = (null), appliance = (null)\nsupermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d\nchecking modpath /lib/modules/2.6.32-358.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.el6.x86_64 because modpath /lib/modules/2.6.32-358.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-279.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-279.el6.x86_64 because modpath /lib/modules/2.6.32-279.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.14.1.el6.x86_64 because modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 exists\nsupermin helper [00000ms] finished creating kernel\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/base.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles\nsupermin helper [00024ms] visiting /usr/lib64/guestfs/supermin.d/init.img\nsupermin helper [00024ms] adding kernel modules\nsupermin helper [00039ms] finished creating appliance\nlibguestfs: [00041ms] begin testing qemu features\nlibguestfs: [00052ms] finished testing qemu features\nlibguestfs: accept_from_daemon: 0x13378f0 g->state = 1\n[00052ms] /usr/libexec/qemu-kvm \\\n    -global virtio-blk-pci.scsi=off \\\n    -nodefconfig \\\n    -nodefaults \\\n    -nographic \\\n    -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio \\\n    -nodefconfig \\\n    -machine accel=kvm:tcg \\\n    -m 500 \\\n    -no-reboot \\\n    -device virtio-serial \\\n    -serial stdio \\\n    -device sga \\\n    -chardev socket,path=/tmp/libguestfsRpL8Tf/guestfsd.sock,id=channel0 \\\n    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \\\n    -kernel /var/tmp/.guestfs-36/kernel.24694 \\\n    -initrd /var/tmp/.guestfs-36/initrd.24694 \\\n    -append 'panic=1 console=ttyS0 udevtimeout=300 no_timer_check acpi=off printk.time=1 cgroup_disable=memory selinux=0 guestfs_verbose=1 TERM=xterm ' \\\n    -drive file=/var/tmp/.guestfs-36/root.24694,snapshot=on,if=virtio,cache=unsafeqemu-kvm: -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio: could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied\nlibguestfs: child_cleanup: 0x13378f0: child process died\nlibguestfs: error: guestfs_launch failed, see earlier error messages\nlibguestfs: closing guestfs handle 0x13378f0 (state 0)\n"; <rc> = 1
Comment 2 Miroslav Grepl 2013-09-02 12:07:26 UTC 
What AVC msgs are you getting?
Comment 3 Yeela Kaplan 2013-09-10 21:26:06 UTC 
Miroslav,
here are the AVC msgs:

type=AVC msg=audit(1378847535.412:14242): avc:  denied  { read } for  pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=
system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.412:14242): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=800 a2=0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36
 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14243): avc:  denied  { getattr } for  pid=27416 comm="qemu-kvm" path="/dev/dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 t
context=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14243): arch=c000003e syscall=4 success=no exit=-13 a0=7f97ea5e3970 a1=7fffd9822fb0 a2=7fffd9822fb0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid
=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14244): avc:  denied  { read } for  pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=
system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14244): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=81000 a2=0 a3=40 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid
=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)



Let me know if you need anything else.
Thanks,
Yeela
Comment 4 Daniel Walsh 2013-09-11 17:43:34 UTC 
The problem is we have a transition from initrc_t to qemu_t when running a qemu_exec_t.  Which we should eliminate.
Comment 5 Miroslav Grepl 2013-09-13 14:24:08 UTC 

*** This bug has been marked as a duplicate of bug 1006952 ***