Bug 1484075
| Summary: | [RFE] Add S3 PR support to qemu (similar to mpathpersist) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Paolo Bonzini <pbonzini> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.4 | CC: | aliang, boruvka.michal, chayang, coli, cww, dpal, jsuchane, juzhang, kchamart, knoel, lvrabec, mgrepl, michen, mmalik, mprivozn, mtessun, mthacker, pbonzini, plautrba, pvrabec, ssekidde, virt-maint, xuwei |
| Target Milestone: | rc | Keywords: | FutureFeature, Reopened |
| Target Release: | 7.5 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1464908 | Environment: | |
| Last Closed: | 2018-04-10 12:38:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1464908, 1519019 | ||
| Bug Blocks: | 1111783, 1111784, 1420851, 1457437, 1470007, 1519021 | ||
Upstream libvirt discussion: https://www.redhat.com/archives/libvir-list/2017-August/msg00631.html The daemon is now in Fedora 27. For testing instructions, see bug 1464908 comment 4. Let me know (outside BZ) if you need more configuration instructions. Issue is fixed in Fedora. We can backport it. Adding devel_ack+ Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
A new daemon will be added to the qemu-kvm package. The daemon should in general have the same permissions as the lvm_t context. Based on some experiments with setroubleshoot, this is what it found require { type paolo_t; type fixed_disk_device_t; type var_run_t; type lvm_control_t; type sysctl_fs_t; type user_home_t; type udev_var_run_t; type lvm_var_run_t; class file { execute getattr open read }; class chr_file { getattr ioctl open read write }; class dir { add_name remove_name write }; class sock_file { create unlink }; class process setcap; class capability { setpcap sys_admin sys_rawio }; class blk_file { getattr ioctl open read write }; } allow paolo_t fixed_disk_device_t:blk_file { getattr ioctl open read write }; allow paolo_t lvm_control_t:chr_file { getattr ioctl open read write }; allow paolo_t lvm_t:unix_stream_socket connectto; allow paolo_t self:capability { setpcap sys_admin sys_rawio }; allow paolo_t self:process setcap; allow paolo_t sysctl_fs_t:file { getattr open read }; allow paolo_t udev_var_run_t:file { getattr open read }; allow paolo_t lvm_var_run_t:sock_file unlink; allow paolo_t var_run_t:dir { add_name remove_name write }; allow paolo_t var_run_t:sock_file create; The lvm_var_run_t and var_run_t entries are due to the daemon's socket, which is /var/run/qemu/qemu-pr-helper.sock. Any qemu_t should be able to connect to this socket, because all operations that the daemon does are on file descriptors that QEMU already has. If that's not possible, it's okay to hide it behind a boolean that RHV can enable.