Bug 1247880
| Field | Value |
|---|---|
| Summary | [Hyper-V][RHEL 7.2] selinux preventing VSS live backup if there is home partition |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | ldu <ldu> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Docs Contact | |
| Priority | high |
| Version | 7.2 |
| CC | dwalsh, jopoulso, ldu, leiwang, lmiksik, lvrabec, mgrepl, mmalik, nmeier, plautrba, pvrabec, ssekidde, v-chvale, vkuznets, vyadav, yacao |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | All |
| OS | Windows |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-60.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1229888 |
| Environment | |
| Last Closed | 2015-11-19 10:42:41 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1229888 |
| Bug Blocks | |
| Attachments | |

Comment 1
ldu
2015-07-29 07:30:07 UTC
Created attachment 1057222 [details]
guest backup fail message.
Created attachment 1057223 [details]
the host backup fail info
Could you attach AVCs related to RHEL-7.2? Thank you.

(In reply to Miroslav Grepl from comment #4)
> Could you attach AVCs related to RHEL-7.2?
>
> Thank you.

The AVC log is as below:

time->Wed Jul 29 16:20:31 2015
type=SYSCALL msg=audit(1438158031.808:354): arch=c000003e syscall=83 success=no exit=-13 a0=7f3b38fba86f a1=1c0 a2=180 a3=8 items=0 ppid=1939 pid=2908 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ebtables" exe="/usr/sbin/ebtables" subj=system_u:system_r:iptables_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1438158031.808:354): avc: denied { write } for pid=2908 comm="ebtables" name="lib" dev="dm-0" ino=134320326 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Wed Jul 29 16:38:20 2015
type=SYSCALL msg=audit(1438159100.673:397): arch=c000003e syscall=2 success=no exit=-13 a0=7f38dbf49266 a1=0 a2=0 a3=1e items=0 ppid=1 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1438159100.673:397): avc: denied { read } for pid=1283 comm="hypervvssd" name="/" dev="dm-2" ino=192 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----
time->Wed Jul 29 16:38:20 2015
type=SYSCALL msg=audit(1438159100.673:398): arch=c000003e syscall=2 success=no exit=-13 a0=7f38dbf49266 a1=0 a2=0 a3=1e items=0 ppid=1 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1438159100.673:398): avc: denied { read } for pid=1283 comm="hypervvssd" name="/" dev="dm-2" ino=192 scontext=system_u

What does

rpm -q selinux-policy-targeted

(In reply to Miroslav Grepl from comment #6)
> What does
>
> rpm -q selinux-policy-targeted

[root@vm-106-138 ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-33.el7.noarch

And what does

# ls -dZ /var/lib/ebtables
# matchpathcon /var/lib/ebtables

(In reply to Miroslav Grepl from comment #8)
> And what does
>
> # ls -dZ /var/lib/ebtables
>
> # matchpathcon /var/lib/ebtables

Hi Grepl,
In my test guest, there is no ebtables.

[root@vm-106-138 ~]# ls -dZ /var/lib/ebtables
ls: cannot access /var/lib/ebtables: No such file or directory

When the machine is in enforcing mode, then the /var/lib/ebtables directory is not created at all.

Then we need to allow it. Is it created by ebtables running under iptables_t?

*** This bug has been marked as a duplicate of bug 1246097 ***

This bug is NOT a duplicate of BZ#1246097. We need to address the AVCs from comment#0. We need the following rule in policy:

allow hypervvssd_t home_root_t : dir { read }

and this too:

allow hypervvssd_t binfmt_misc_fs_t : dir { read }

Is this a blocker for 7.2?

(In reply to Miroslav Grepl from comment #17)
> Is this a blocker for 7.2?

I think this bug is a blocker issue; if SELinux is enabled, the backup function cannot be used.

And does it work with a local policy?

ldu,
could you please test it with

$ cat mypol.te
policy_module(mypol,1.0)

require{
	type hypervvssd_t;
}

files_list_all_mountpoints(hypervvssd_t)

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

and re-test it. Thank you.

(In reply to Miroslav Grepl from comment #19)
> And does it work with a local policy?
>
> ldu,
> could you please test it with
>
> $ cat mypol.te
> policy_module(mypol,1.0)
>
> require{
> type hypervvssd_t;
> }
>
> files_list_all_mountpoints(hypervvssd_t)
>
>
> and run
>
> # make -f /usr/share/selinux/devel/Makefile mypol.pp
> # semodule -i mypol.pp
>
> and re-test it. Thank you.

Sorry for the late reply. I re-tested it with the policy; the backup works well, so this policy could fix this issue.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
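The AVC records in this bug map onto the allow rules quoted above in the same way audit2allow derives them: source type, target type, object class and the denied permissions. As an added illustration (not code from the bug, from RHEL or from selinux-policy), the following script parses such records, merges duplicates, and renders a local module in the layout of the mypol.te from comment #19. The sample records are constructed from the ones attached to the bug, and the module layout assumes the refpolicy devel Makefile shown there.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the AVCs attached to this bug: hypervvssd_t
# denied "read" on the /home mount point (home_root_t) and on binfmt_misc_fs_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438159100.673:397): avc: denied { read } for pid=1283 comm="hypervvssd" name="/" dev="dm-2" ino=192 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1438159100.673:398): avc: denied { read } for pid=1283 comm="hypervvssd" name="/" dev="dm-2" ino=192 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1438159100.673:399): avc: denied { read } for pid=1283 comm="hypervvssd" name="/" dev="binfmt_misc" ino=1 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def merge_denials(log_text):
    """Collapse AVC records into {(source type, target type, class): set(perms)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL records and "----" separators carry no denial; skip them
            key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
            merged[key] |= set(m["perms"].split())
    return dict(merged)

def allow_rules(log_text):
    """One allow rule per (source, target, class), the form audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merge_denials(log_text).items())]

def local_module(name, log_text):
    """Render a .te module in the layout of comment #19 for the devel Makefile."""
    merged = merge_denials(log_text)
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls] |= perms
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted({t for k in merged for t in k[:2]})]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(log_text)
    # The shipped fix used the files_list_all_mountpoints() interface rather than
    # raw allow rules; an interface follows later policy changes, raw rules do not.
    return "\n".join(lines) + "\n"
```

Build and load the rendered module exactly as in comment #19 (make -f /usr/share/selinux/devel/Makefile, then semodule -i); an unrelated denial such as the iptables_t one in comment #5 would produce its own rule and should be reviewed separately rather than loaded blindly.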