Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1160343

Summary: On a Live migration setup with shared NFS storage, nova instance creation will only work if setenforce 0 is called for selinux
Product: Red Hat OpenStack
Reporter: Sean Toner <stoner>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA
QA Contact: Prasanth Anbalagan <panbalag>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 5.0 (RHEL 6)
CC: lhh, mgrepl, panbalag, rhallise, sgordon, stoner, yeylon
Target Milestone: z4
Keywords: Rebase, ZStream
Target Release: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-selinux-0.6.37-1.el7ost
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Story Points: ---
Clone Of:
Clones: 1211628
Environment:
Last Closed: 2015-08-24 14:48:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1211628, 1211699, 1211703
Attachments:
  - audit.log that shows AVC denied (flags: none)
  - Some steps showing how a repro (flags: none)

Description Sean Toner 2014-11-04 15:16:12 UTC
Description of problem:
=======================
On a system setup for live migration, unless selinux is set to permissive, when a user tries to create a nova instance, the following error will be seen in the nova-compute.log

2014-11-03 16:23:35.963 7273 TRACE nova.compute.manager [instance: b5c3c7fe-4f34-478b-8fff-b7a9f83b061e]   File "/usr/lib64/python2.6/site-packages/libvirt.py", line 716, in createWithFlags
2014-11-03 16:23:35.963 7273 TRACE nova.compute.manager [instance: b5c3c7fe-4f34-478b-8fff-b7a9f83b061e]     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
2014-11-03 16:23:35.963 7273 TRACE nova.compute.manager [instance: b5c3c7fe-4f34-478b-8fff-b7a9f83b061e] libvirtError: internal error Process exited while reading console log output: 2014-11-03T21:23:35.694400Z qemu-kvm: -chardev file,id=charserial0,path=/openstack/instances/b5c3c7fe-4f34-478b-8fff-b7a9f83b061e/console.log: Could not open '/openstack/instances/b5c3c7fe-4f34-478b-8fff-b7a9f83b061e/console.log': Permission denied


However, if setenforce 0 is run, the nova instance can be created successfully.  Note also that this is seen in the audit log:

#============= svirt_t ==============
allow svirt_t nova_var_lib_t:file write;


So it looks like selinux is preventing libvirt from creating the instance to the nfs mount point.

How reproducible:
=================
Always

Steps to Reproduce:
==================
1. Configure a system for live migration
2. create a nova instance
   * nova boot --flavor 1 --image image-id instance-name

Actual results:
===============
instance creation fails, and running nova list will show the instance in an ERROR state (see nova-compute.log)

Expected results:
=================
After instance spawns, it will move into the ACTIVE state

Comment 2 Miroslav Grepl 2014-11-05 07:15:17 UTC
Could you attach raw AVC msg?

Comment 3 Sean Toner 2014-11-17 18:48:21 UTC
Created attachment 958313 [details]
audit.log that shows AVC denied

Captured the audit.log while setenforce 1 was enabled and live migration was attempted.  You will see this in the log:

type=AVC msg=audit(1416249751.708:868196): avc:  denied  { write } for  pid=17881 comm="qemu-kvm" name="console.log" dev="0:36" ino=203187846 scontext=system_u:system_r:svirt_tcg_t:s0:c155,c326 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1416249751.708:868196): arch=c000003e syscall=2 success=no exit=-13 a0=7f60573150c0 a1=80241 a2=1b6 a3=7fff4dcb8bb0 items=0 ppid=1 pid=17881 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_tcg_t:s0:c155,c326 key=(null)

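The audit2allow rule in the description and the raw AVC/SYSCALL pair in Comment 3 are the whole evidence in this bug, so the triage step worth showing is how such records are read. The following is an added example for this page, not code from openstack-selinux, audit2allow or Red Hat: it parses the two records copied from Comment 3, emits the rule in the shape audit2allow prints, decodes the failed syscall (syscall number 2 and the open(2) flag values are assumed to be x86_64 Linux, identified by arch=c000003e), and checks whether a candidate allow rule actually covers the denial. Run on the page's own data it shows that the rule pasted in the description (source type svirt_t) does not match the attached AVC, whose source domain is svirt_tcg_t.

```python
"""Parse audit.log AVC/SYSCALL records, derive the audit2allow-style rule,
decode the failing syscall, and test a candidate rule against the denial.

Added example for this bug page; not openstack-selinux or audit2allow code.
The two sample records are copied verbatim from Comment 3 of the bug."""
import errno
import re
from dataclasses import dataclass

# Records from Comment 3; both carry audit serial 868196, so they are one event.
SAMPLE_AVC = (
    'type=AVC msg=audit(1416249751.708:868196): avc:  denied  { write } for  '
    'pid=17881 comm="qemu-kvm" name="console.log" dev="0:36" ino=203187846 '
    'scontext=system_u:system_r:svirt_tcg_t:s0:c155,c326 '
    'tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file')
SAMPLE_SYSCALL = (
    'type=SYSCALL msg=audit(1416249751.708:868196): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=7f60573150c0 a1=80241 a2=1b6 a3=7fff4dcb8bb0 items=0 '
    'ppid=1 pid=17881 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 '
    'egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" '
    'exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_tcg_t:s0:c155,c326 key=(null)')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
PERMS_RE = re.compile(r'\{ ([^}]*) \}')               # denied { write } -> write
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial joins AVC and SYSCALL

# Assumed x86_64 Linux values (AUDIT_ARCH_X86_64, syscall numbers, open(2) flags).
X86_64 = 'c000003e'
X86_64_SYSCALLS = {2: 'open', 257: 'openat'}
OPEN_FLAGS = [(0x1, 'O_WRONLY'), (0x2, 'O_RDWR'), (0x40, 'O_CREAT'),
              (0x200, 'O_TRUNC'), (0x400, 'O_APPEND'), (0x80000, 'O_CLOEXEC')]


def parse_fields(record):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}


@dataclass
class Denial:
    serial: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    name: str

    # A context is user:role:type:level and the level itself may contain ':'
    # (s0:c155,c326), so split at most three times and take the type field.
    @property
    def stype(self):
        return self.scontext.split(':', 3)[2]

    @property
    def ttype(self):
        return self.tcontext.split(':', 3)[2]

    def allow_rule(self):
        """Rule in the shape audit2allow prints; the MCS categories are the
        per-VM sVirt labels and play no part in a type-enforcement rule."""
        perms = ' '.join(self.perms)
        if len(self.perms) > 1:
            perms = '{ %s }' % perms
        return 'allow %s %s:%s %s;' % (self.stype, self.ttype, self.tclass, perms)


def parse_avc(record):
    """Denial for an 'avc: denied' record, None for any other record."""
    f = parse_fields(record)
    if f.get('type') != 'AVC' or 'denied' not in record:
        return None
    perms = tuple(PERMS_RE.search(record).group(1).split())
    return Denial(SERIAL_RE.search(record).group(1), perms, f['scontext'],
                  f['tcontext'], f['tclass'], f.get('comm', ''), f.get('name', ''))


def decode_syscall(record):
    """Name the failed syscall and its errno; decode open(2) flags (a1) on x86_64."""
    f = parse_fields(record)
    if f.get('type') != 'SYSCALL':
        return None
    nr, rc = int(f['syscall']), int(f['exit'])
    name = X86_64_SYSCALLS.get(nr, 'syscall_%d' % nr) if f.get('arch') == X86_64 else 'syscall_%d' % nr
    flags = []
    if name == 'open':
        bits = int(f['a1'], 16)
        flags = [n for bit, n in OPEN_FLAGS if bits & bit]
    return {'serial': SERIAL_RE.search(record).group(1), 'syscall': name,
            'error': errno.errorcode.get(-rc, str(rc)) if rc < 0 else 'ok', 'flags': flags}


def rule_covers(rule, denial):
    """True if an allow rule (audit2allow syntax) grants every permission the
    denial asked for, on the same source type, target type and object class."""
    m = re.match(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;', rule)
    if not m:
        raise ValueError('not an allow rule: %r' % rule)
    stype, ttype, tclass, many, one = m.groups()
    perms = set(many.split()) if many else {one}
    return ((stype, ttype, tclass) == (denial.stype, denial.ttype, denial.tclass)
            and set(denial.perms) <= perms)


def triage(lines):
    """Join each AVC denial to its SYSCALL record by serial; one summary per denial."""
    denials, syscalls = {}, {}
    for line in lines:
        d = parse_avc(line)
        if d:
            denials[d.serial] = d
            continue
        s = decode_syscall(line)
        if s:
            syscalls[s['serial']] = s
    return [dict(rule=d.allow_rule(), comm=d.comm, name=d.name, **syscalls.get(serial, {}))
            for serial, d in denials.items()]


if __name__ == '__main__':
    print(triage([SAMPLE_AVC, SAMPLE_SYSCALL]))
    # Rule from the description versus the AVC from Comment 3: svirt_t != svirt_tcg_t.
    print(rule_covers('allow svirt_t nova_var_lib_t:file write;', parse_avc(SAMPLE_AVC)))
```

Feed it the output of `ausearch -m AVC -ts recent` (one record per line) to get the same join that audit2why performs; the `rule_covers` check is the part audit2allow does not do for you, and is what makes a wrong-domain rule such as the svirt_t one visible before it is compiled into a module.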
Comment 4 Ryan Hallisey 2014-11-18 16:14:55 UTC
Given the AVC, this rule seems ok.  What do you think Miroslav?

allow svirt_t nova_var_lib_t:file write;

Comment 5 Miroslav Grepl 2014-11-24 11:05:10 UTC
Where is "console.log" located?

Comment 6 Sean Toner 2015-01-19 14:58:54 UTC
I am still hitting this issue with the latest RHOS 6.0 

Was there additional information needed?  I have a setup to provide information if it is needed.

Comment 7 Ryan Hallisey 2015-01-19 15:05:19 UTC
What directory is 'console.log' in?  I'm curious what its path is.

Comment 9 Sean Toner 2015-01-19 19:26:00 UTC
Created attachment 981585 [details]
Some steps showing how a repro

Comment 10 Lon Hohberger 2015-08-19 18:21:17 UTC
Testing the above AVC with 0.6.37 and it passes:

type=AVC msg=audit(1416249751.708:868196): avc:  denied  { write } for  pid=17881 comm="qemu-kvm" name="console.log" dev="0:36" ino=203187846 scontext=system_u:system_r:svirt_tcg_t:s0:c155,c326 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

Comment 12 Prasanth Anbalagan 2015-08-24 11:25:22 UTC
Moving the bug to verified as I can create instance with selinux turned on.

Version
=========

[root@lynx13 ~(keystone_admin)]# yum list installed | grep openstack-nova
openstack-nova-api.noarch        2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-cert.noarch       2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-common.noarch     2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-conductor.noarch  2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-console.noarch    2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-novncproxy.noarch 2014.2.3-25.el7ost      @rhelosp-6.0-puddle    
openstack-nova-scheduler.noarch  2014.2.3-25.el7ost      @rhelosp-6.0-puddle    


Logs
====


[root@lynx13 ~(keystone_admin)]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@lynx13 ~(keystone_admin)]# 


[root@lynx13 ~(keystone_admin)]# nova list
+--------------------------------------+------------------+--------+------------+-------------+---------------------+
| ID                                   | Name             | Status | Task State | Power State | Networks            |
+--------------------------------------+------------------+--------+------------+-------------+---------------------+
| 19e96e49-0b69-4a5a-b81b-80ec1a42048c | instance_cinder  | ACTIVE | -          | Running     | public=172.24.4.227 |
| 7a07c0dc-b98b-4e95-9bc3-dbc8ae4cbade | instance_nfsvol1 | ACTIVE | -          | Running     | public=172.24.4.235 |
+--------------------------------------+------------------+--------+------------+-------------+---------------------+


nova boot --flavor m1.tiny --image cirros --block-device source=volume,id=38617a5c-7298-4f2d-a977-50c29cbedd6e,dest=volume,shutdown=preserve instance_nfsvol1

Comment 14 errata-xmlrpc 2015-08-24 14:48:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1659.html