Bug 1026706

Summary: Application-consistent online backup (qemu-ga freeze/thaw hooks for linux guests)
Product: Red Hat Enterprise Linux 6
Reporter: Sibiao Luo <sluo>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 6.5
CC: chayang, dwalsh, juzhang, lersek, michen, qzhang, xfu
Target Milestone: rc
Keywords: Regression
Doc Type: Bug Fix
Last Closed: 2013-11-05 10:11:39 UTC
Type: Bug

Description Sibiao Luo 2013-11-05 09:41:37 UTC
Description of problem:
When we re-verified bug 911569, it failed with the latest qemu-kvm & selinux.

Version-Release number of selected component (if applicable):
host info:
2.6.32-429.el6.x86_64
qemu-kvm-0.12.1.2-2.415.el6.x86_64
guest info:
qemu-guest-agent-0.12.1.2-2.415.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Start guest with virtio serial.
e.g.: # /usr/libexec/qemu-kvm -S -M rhel6.5.0 ... -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0
2. Install the qemu-guest agent package in guest.
3. Set FSFREEZE_HOOK_ENABLE=1 in /etc/sysconfig/qemu-ga in guest.
4. Add a simple user script in guest.
# cat /usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
#!/bin/bash
echo "$0:" "$@"
5. # chmod 777 /usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
6. Reboot guest to make the configuration take effect.
7. Start guest agent with fsfreeze hook enabled inside guest.
# qemu-ga -F on
8. Connect to the chardev socket on the host side to send commands to guest.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-freeze" }
{"execute":"guest-fsfreeze-thaw"}

Actual results:
No matter whether SELinux is Enforcing or Permissive, the "guest-fsfreeze-freeze" can run correctly.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}

Expected results:
After step 8, test it with SELINUX = Enforcing|Permissive status.
- I. SELINUX = Enforcing:
# getenforce 
Enforcing
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"error": {"class": "GenericError", "desc": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied", "data": {"message": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied"}}}
- II. SELINUX = Permissive:
# setenforce 0
# getenforce 
Permissive
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "frozen"}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}

Additional info:

Comment 1 Sibiao Luo 2013-11-05 09:49:28 UTC
We verified the bug in bug 911569#c17 with qemu-kvm-0.12.1.2-2.370.el6.x86_64 & qemu-guest-agent-0.12.1.2-2.370.el6.x86_64 & selinux-policy-3.7.19-200.el6.noarch.
But when I download to qemu-kvm-0.12.1.2-2.370.el6.x86_64 & qemu-guest-agent-0.12.1.2-2.370.el6.x86_64 & selinux-policy-3.7.19-207.el6.noarch, I still hit this issue, so this is a selinux-policy regression bug.

Comment 2 Sibiao Luo 2013-11-05 10:11:39 UTC
(In reply to Sibiao Luo from comment #1)
> We did bug verified in bug 911569#c17 with
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.
> x86_64&selinux-policy-3.7.19-200.el6.noarch.
> but when I download to
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.
> x86_64&selinux-policy-3.7.19-207.el6.noarch still hit this issue, so this is
> selinux-policy regression bug.

Just talked with lersek in IRC: in build 201 mgrepl implemented changes that prevent you from reproducing the bug. In order to reproduce the bug, use 200 or earlier, and to verify the fix, use 218 or later.
So I close this bug as WORKSFORME and will re-verify bug 911569 with selinux-218.

Best Regards,
sluo
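
An added example (not part of the original report, and not qemu-ga or Red Hat code): a small Python checker that pairs the guest-agent requests from the reproduction steps with their replies and tests a captured session against the outcome the description expects for each SELinux mode. The transcripts are constructed from the report's "Expected results" lines (the error reply is shortened to its class and desc fields); all function names are hypothetical.

```python
import json

# Constructed transcripts: request/reply lines copied from "Expected results".
ENFORCING = '''\
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"error": {"class": "GenericError", "desc": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied"}}
'''
PERMISSIVE = '''\
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "frozen"}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
'''

def pair_exchanges(transcript):
    """Pair each {"execute": ...} request with the reply line that follows it."""
    pairs, pending = [], None
    for line in transcript.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "execute" in msg:
            pending = msg["execute"]
        elif pending is not None:
            pairs.append((pending, msg))
            pending = None
    return pairs

def hook_outcome(transcript):
    """Return 'denied', 'frozen' (never thawed), 'thawed', or 'no-freeze'."""
    state = "no-freeze"
    for cmd, reply in pair_exchanges(transcript):
        if cmd == "guest-fsfreeze-freeze":
            desc = reply.get("error", {}).get("desc", "")
            if "Permission denied" in desc:
                return "denied"  # hook access blocked, as expected in Enforcing
            if "return" in reply:
                state = "frozen"
        elif cmd == "guest-fsfreeze-thaw" and "return" in reply and state == "frozen":
            state = "thawed"
    return state

def matches_report(mode, transcript):
    """True if the session shows the outcome the report expects for this mode."""
    return hook_outcome(transcript) == {"Enforcing": "denied", "Permissive": "thawed"}[mode]
```

A session captured in Enforcing mode that classifies as 'thawed' instead of 'denied' is the mismatch this report describes; a 'frozen' result means the guest filesystems were left frozen and still need a thaw.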