Bug 1208458
| Summary: | SELinux denial on sanlock prevents hosted-engine to deploy on iSCSI on rhel 7.1 and centos 7.1 | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Simone Tiraboschi <stirabos> | ||||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 7.1 | CC: | alukiano, amureini, bmcclain, ecohen, jrieden, lsurette, lvrabec, mgrepl, mmalik, nsoffer, plautrba, pvrabec, rbalakri, ssekidde, stirabos, tnisan, yeylon | ||||||
| Target Milestone: | pre-dev-freeze | Keywords: | Regression, ZStream | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.13.1-25.el7 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 1227466 (view as bug list) | Environment: | |||||||
| Last Closed: | 2015-11-19 10:30:12 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1024686, 1035038, 1036731, 1150073, 1150087, 1173669, 1178535, 1213878, 1227466 | ||||||||
| Attachments: |
|
||||||||
Created attachment 1010099 [details]
logs
It happens also on RHEL 7.1 with
selinux-policy.noarch 3.13.1-23.el7 @anaconda/7.1
selinux-policy-targeted.noarch 3.13.1-23.el7 @anaconda/7.1
[root@rhel71t1 ~]# ausearch -m avc
----
time->Thu Apr 2 14:08:53 2015
type=SYSCALL msg=audit(1427976533.526:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7effb2a71410 a1=105002 a2=0 a3=1 items=0 ppid=1 pid=13309 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1427976533.526:1222): avc: denied { read } for pid=13309 comm="sanlock" name="b8cd0cbb-5954-4cff-96c6-7229933d8ca4" dev="tmpfs" ino=61643 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=lnk_file
Created attachment 1010133 [details]
log rhel 71
# sesearch -s sanlock_t -t virt_var_run_t -A -C
Found 2 semantic av rules:
allow sanlock_t virt_var_run_t : file { ioctl read getattr lock open } ;
allow sanlock_t virt_var_run_t : dir { getattr search open } ;
#
Current selinux-policy does not contain an allow rule for symbolic link.
Simone, IIUC, this is a regression, isn't it? *** Bug 1213878 has been marked as a duplicate of this bug. *** (In reply to Allon Mureinik from comment #6) > Simone, IIUC, this is a regression, isn't it? Yes, it is. Not sure on which product. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html |
Description of problem: SELinux denial on sanlock prevents hosted-engine to deploy on centos 7.1 hosted-engine setup fails with: [ INFO ] Verifying sanlock lockspace initialization [ ERROR ] Failed to execute stage 'Misc configuration': (19, 'Sanlock lockspace write failure', 'No such device') [ INFO ] Stage: Clean up [ INFO ] Generating answer file '/var/lib/ovirt-hosted-engine-setup/answers/answers-20150402121956.conf' [ INFO ] Stage: Pre-termination [ INFO ] Stage: Termination And I found: [root@c7t1 ~]# ausearch -m avc ---- time->Thu Apr 2 12:19:51 2015 type=SYSCALL msg=audit(1427969991.216:1177): arch=c000003e syscall=2 success=no exit=-13 a0=7f48942c2410 a1=105002 a2=0 a3=1 items=0 ppid=1 pid=792 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1427969991.216:1177): avc: denied { read } for pid=792 comm="sanlock" name="37cb6430-1a68-40b4-857b-25bfcca6cec5" dev="tmpfs" ino=46631 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=lnk_file Version-Release number of selected component (if applicable): CentOS Linux release 7.1.1503 (Core) libvirt-lock-sanlock.x86_64 1.2.8-16.el7_1.2 @updates sanlock.x86_64 3.2.2-2.el7 @base selinux-policy.noarch 3.13.1-23.el7 @anaconda selinux-policy-targeted.noarch 3.13.1-23.el7 @anaconda How reproducible: 100% Steps to Reproduce: 1. deploy hosted-engine over iSCSI 2. 3. Actual results: it fails with: [ ERROR ] Failed to execute stage 'Misc configuration': (19, 'Sanlock lockspace write failure', 'No such device') cause I got an SELinux denial on sanlock type=AVC msg=audit(1427969991.216:1177): avc: denied { read } for pid=792 comm="sanlock" name="37cb6430-1a68-40b4-857b-25bfcca6cec5" dev="tmpfs" ino=46631 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=lnk_file Expected results: it works Additional info: