Bug 1539938

Summary: [Hyper-V] hypervvssd and selinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Chris Cheney <ccheney>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.4
CC: ccheney, cww, dapospis, leiwang, lvrabec, mgrepl, mmalik, plautrba, ssekidde, xuli, yacao
Target Milestone: rc
Hardware: All
OS: All
Last Closed: 2018-10-30 10:02:20 UTC
Type: Bug
Bug Blocks: 1477664

Description Chris Cheney 2018-01-29 22:48:20 UTC
Occurs every time a Checkpoint/DPM "creation" like action occurs.

---

Seeing the following error with the following packages installed:

selinux-policy-3.13.1-166.el7_4.5.noarch                    Sun Nov 26 03:14:59 2017
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch           Sun Nov 26 03:15:05 2017


BZ #1331309 does not appear to have fixed this issue.

---

Dec 18 20:14:54 localhost journal: Hyper-V VSS: VSS: op=CHECK HOT BACKUP
Dec 18 20:14:54 localhost journal: Hyper-V VSS: FREEZE of /nfsdata/sftpprod failed; error:13 Permission denied
Dec 18 20:14:54 localhost journal: Hyper-V VSS: VSS: op=FREEZE: failed
Dec 18 20:14:54 localhost journal: Hyper-V VSS: op=5 failed!
Dec 18 20:14:54 localhost journal: Hyper-V VSS: report it with these files:
Dec 18 20:14:54 localhost journal: Hyper-V VSS: /etc/fstab and /proc/mounts

---

/etc/fstab entry

/dev/sdb1   /nfsdata/sftpprod                       xfs     defaults        0 0

/proc/mounts entry

/dev/sdb1 /nfsdata/sftpprod xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0

---

# ausearch -m avc -ts recent
----
time->Tue Jan 23 18:09:26 2018
type=PROCTITLE msg=audit(1516748966.175:15729003): proctitle=2F7573722F7362696E2F68797065727676737364002D6E
type=PATH msg=audit(1516748966.175:15729003): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=CWD msg=audit(1516748966.175:15729003):  cwd="/"
type=SYSCALL msg=audit(1516748966.175:15729003): arch=c000003e syscall=2 success=no exit=-13 a0=55bf9d9f525a a1=0 a2=0 a3=1e items=1 ppid=1 pid=189725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
----
time->Tue Jan 23 18:09:26 2018
type=PROCTITLE msg=audit(1516748966.175:15729004): proctitle=2F7573722F7362696E2F68797065727676737364002D6E
type=PATH msg=audit(1516748966.175:15729004): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=CWD msg=audit(1516748966.175:15729004):  cwd="/"
type=SYSCALL msg=audit(1516748966.175:15729004): arch=c000003e syscall=2 success=no exit=-13 a0=55bf9d9f525a a1=0 a2=0 a3=1e items=1 ppid=1 pid=189725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1516748966.175:15729004): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729004): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
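
An added example (not part of the bug report and not Red Hat tooling): a small Python triage script that groups audit records like those above by event serial, decodes the hex-encoded proctitle, and lists each denied permission with its source domain and class. `SAMPLE` is one event trimmed from the report's ausearch output; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: one event trimmed from the ausearch output in the report.
SAMPLE = """\
type=PROCTITLE msg=audit(1516748966.175:15729003): proctitle=2F7573722F7362696E2F68797065727676737364002D6E
type=PATH msg=audit(1516748966.175:15729003): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=SYSCALL msg=audit(1516748966.175:15729003): arch=c000003e syscall=2 success=no exit=-13 comm="hypervvssd" exe="/usr/sbin/hypervvssd"
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
"""

HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def decode_proctitle(value):
    """auditd hex-encodes the command line; arguments are NUL-separated."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    return [value.strip('"')]  # already plain text

def summarize(text):
    """Group records by audit serial; return only events that contain an AVC denial."""
    events = defaultdict(lambda: {"cmdline": None, "path": None, "exit": None, "denials": []})
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue  # skips '----' separators and 'time->' lines
        rtype, _ts, serial, body = m.groups()
        ev = events[serial]
        if rtype == "PROCTITLE":
            ev["cmdline"] = decode_proctitle(body.split("=", 1)[1])
        elif rtype == "PATH":
            name = re.search(r'name="([^"]*)"', body)
            ev["path"] = name.group(1) if name else None
        elif rtype == "SYSCALL":
            ex = re.search(r"\bexit=(-?\d+)", body)  # -13 is EACCES
            ev["exit"] = int(ex.group(1)) if ex else None
        elif rtype == "AVC":
            a = AVC.search(body)
            if a:
                domain = a.group(2).split(":")[2]  # type field of scontext
                for perm in a.group(1).split():
                    ev["denials"].append((domain, a.group(4), perm))
    return {s: e for s, e in events.items() if e["denials"]}

if __name__ == "__main__":
    for serial, ev in summarize(SAMPLE).items():
        print(serial, ev)
```
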

Comment 2 Milos Malik 2018-01-30 11:33:53 UTC
Could you run the following commands and attach the output here?

# ls -l /nfsdata/sftpprod
# ls -dZ /nfsdata/sftpprod

Comment 3 Chris Cheney 2018-01-30 16:04:43 UTC
The -Z output is the following, I'll have to check for the other:

drwxr-xr-x. sftpprod sftpprod system_u:object_r:default_t:s0   sftpprod

Comment 11 errata-xmlrpc 2018-10-30 10:02:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111