Bug 1006952
Summary: | Unable to start a QEMU process due to selinux permission errors | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Federico Simoncelli <fsimonce> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.4 | CC: | abaron, borgan, danken, ddumas, dwalsh, dyuan, ebenes, eblake, eedri, fsimonce, iheim, jraju, ksrot, mmalik, mtruneck, obasan, tlavigne, ydu, ykaplan, zhwang |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-216.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-11-21 10:51:29 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1015117 |
Description
Federico Simoncelli
2013-09-11 14:48:06 UTC
The problem is we have a transition from initrc_t to qemu_t when running a qemu_exec_t. Which we should eliminate. $ rpm -q selinux-policy selinux-policy-3.7.19-195.el6_4.12.noarch $ sesearch -A -s initrc_t -t qemu_t -c process -p transition $ rpm -q selinux-policy selinux-policy-3.7.19-215.el6.noarch $ sesearch -A -s initrc_t -t qemu_t -c process -p transition So both returns nothing. Federico, is /usr/share/vdsm/vdsm in the game? Basically we label it as virtd_exec_t and we have qemu_domtrans(virtd_t) in RHEL6. (In reply to Miroslav Grepl from comment #5) > Federico, > is /usr/share/vdsm/vdsm in the game? It shouldn't be. VDSM sends the request to start the vm to libvirt... but it's not involved in file labeling (and it shoulnd't affect any other process context as well). How does it look if you try # ls -lZ /usr/libexec/qemu-kvm # matchpathcon /usr/libexec/qemu-kvm # virsh start <DOMAIN> # ps -efZ |grep svirt (In reply to Miroslav Grepl from comment #7) > How does it look if you try > > # ls -lZ /usr/libexec/qemu-kvm -rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/libexec/qemu-kvm > # matchpathcon /usr/libexec/qemu-kvm /usr/libexec/qemu-kvm system_u:object_r:qemu_exec_t:s0 > # ps -efZ |grep svirt (empty) # ps -eZ |grep qemu system_u:system_r:qemu_t:s0-s0:c0.c1023 20252 ? 00:00:10 qemu-kvm # ps -eZ |grep libvirt system_u:system_r:virtd_t:s0-s0:c0.c1023 2458 ? 00:00:01 libvirtd Ok, I did a test build without qemu_domtrans(virtd_t) and of course now we see # ps -eZ |grep qemu system_u:system_r:virtd_t:s0-s0:c0.c1023 11966 ? 00:00:15 qemu-kvm for a virtual machine. Ok, I got it. The problem is security_driver="none" and if we have qemu_domtrans(virtd_t) we end in the qemu_t domain. Dan, I believe we want to end up with this domain in RHEL6 (MLS). No we should stay in virtd_t, in that case. qemu_t should really be desctroyed as a valid domain. MLS Should blow up, if there is not security label. I have been doing more testing. Basically I wanted to keep the transition and make qemu as unconfined domain to make sure we won't break anything. But yes, I am going to remove it because it looks OK. *** Bug 1003244 has been marked as a duplicate of this bug. *** any ETA on a build we can consume? Itamar, please try to re-test it with the latest build. https://brewweb.devel.redhat.com/buildinfo?buildID=295083 (In reply to Federico Simoncelli from comment #16) It is. with the fix applied, security_driver="none" would be set --- as intended --- only in Ubuntu. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html |