Bug 1448799

Summary: SELinux is preventing /usr/libexec/qemu-kvm from search access on process directory of sanlock daemon
Product: Red Hat Enterprise Linux 7 Reporter: Han Han <hhan>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: dyuan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, xuzhang
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:00:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Han Han 2017-05-08 08:10:22 UTC 
Description of problem:
As subject

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-3.el7.x86_64
libvirt-3.2.0-4.virtcov.el7.x86_64
sanlock-3.5.0-1.el7.x86_64
selinux-policy-3.13.1-147.el7.noarch

How reproducible:
50%

Steps to Reproduce:
1. Do as https://bugzilla.redhat.com/show_bug.cgi?id=1403691#c32 
When start the VM, sometimes you will get a selinux alert:
SELinux is preventing /usr/libexec/qemu-kvm from search access on the directory 15056.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-kvm should be allowed search access on the 15056 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c638,c927
Target Context                system_u:system_r:sanlock_t:s0-s0:c0.c1023
Target Objects                15056 [ dir ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           qemu-kvm-rhev-2.9.0-3.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-147.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     wlan-69-196.nay.redhat.com
Platform                      Linux wlan-69-196.nay.redhat.com
                              3.10.0-663.el7.x86_64 #1 SMP Tue May 2 16:00:29
                              EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-05-08 15:19:20 CST
Last Seen                     2017-05-08 15:19:20 CST
Local ID                      2e2c7a0e-bd93-4489-958a-eedc74d69f23

Raw Audit Messages
type=AVC msg=audit(1494227960.386:3972): avc:  denied  { search } for  pid=7891 comm="qemu-kvm" name="15056" dev="proc" ino=8640215 scontext=system_u:system_r:svirt_t:s0:c638,c927 tcontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=dir


type=SYSCALL msg=audit(1494227960.386:3972): arch=x86_64 syscall=open success=no exit=EACCES a0=556549a9e620 a1=0 a2=7fffea39f110 a3=0 items=0 ppid=1 pid=7891 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c638,c927 key=(null)

Hash: qemu-kvm,svirt_t,sanlock_t,dir,search


Actual results:
As above

Expected results:
Selinux allows qemu-kvm search access on process directory of sanlock daemon.

Additional info:
Comment 9 errata-xmlrpc 2018-10-30 10:00:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111