Bug 1581225

Summary: allow hypervvssd_t to perform stat() on devices
Product: Red Hat Enterprise Linux 7
Reporter: Vitaly Kuznetsov <vkuznets>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: leiwang, lvrabec, mgrepl, mmalik, plautrba, ribarry, ssekidde, xuli, yacao
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-197.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:04:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1577692

Description Vitaly Kuznetsov 2018-05-22 11:46:24 UTC
There is a bug reported against hyperv-daemons:
https://bugzilla.redhat.com/show_bug.cgi?id=1577692

which may also require us to do z-stream. There is an upstream commit
fixing the issue:

commit ea81fdf0981d9a4a998a015d325bed67624811f7
Author: Alex Ng <alexng.com>
Date:   Sun Aug 6 13:12:52 2017 -0700

    Tools: hv: vss: Skip freezing filesystems backed by loop

(which has its own issues; I'm going to address these upstream).

Anyway, with this commit included, hypervvssd tries to do stat() on all block devices in /dev/ and SELinux blocks it:

time->Tue May 22 18:42:07 2018
type=SYSCALL msg=audit(1526985727.990:120): arch=c000003e syscall=4 success=no exit=-13 a0=7fb2ee1ff250 a1=7ffe3c08a7f0 a2=7ffe3c08a7f0 a3=4000 items=0 ppid=1 pid=647 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1526985727.990:120): avc:  denied  { getattr } for  pid=647 comm="hypervvssd" path="/dev/dm-0" dev="devtmpfs" ino=9137 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

We need to get this fixed at least for 7.6, where the hypervvssd commit in question is already present, and prepare for a z-stream update in case the request is granted.

audit2allow produces the following output:
allow hypervvssd_t fixed_disk_device_t:blk_file getattr;

but I'm not sure about fixed_disk_device_t as we probably want all block devices.
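
As an added example (not code from this bug report, from hyperv-daemons or from the selinux-policy package), the following Python script reproduces the step audit2allow performs on the AVC record above: it parses each denial into (source type, target type, object class, permissions), merges repeated denials, prints the resulting allow rule in audit2allow's format, and flags when one domain is being granted the same access on several device types, which is exactly the doubt raised about fixed_disk_device_t. The first sample record is the denial quoted in the report; the second (removable_device_t, /dev/sr0) is constructed for the example and is not from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: record 1 is the AVC denial quoted in the bug report;
# record 2 is made up for this example (a second block-device type).
AVC_SAMPLE = """\
type=AVC msg=audit(1526985727.990:120): avc:  denied  { getattr } for  pid=647 comm="hypervvssd" path="/dev/dm-0" dev="devtmpfs" ino=9137 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1526985728.001:121): avc:  denied  { getattr } for  pid=647 comm="hypervvssd" path="/dev/sr0" dev="devtmpfs" ino=9201 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:level]; the type is always field 2.
    stype, ttype = (m.group(k).split(":")[2] for k in ("sctx", "tctx"))
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def collect_rules(text):
    """Merge denials per (source, target, class), unioning perms as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            rules[parsed[:3]] |= parsed[3]
    return rules

def render_rules(rules):
    """Allow rules in audit2allow's output format (braces only for several perms)."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out

def shared_access(rules):
    """Targets that get identical access from one domain. Several device types with
    the same class and perms point at a whole device class, not per-type rules."""
    by_access = defaultdict(set)
    for (s, t, c), perms in rules.items():
        by_access[(s, c, frozenset(perms))].add(t)
    return {k: v for k, v in by_access.items() if len(v) > 1}
```

Calling `render_rules(collect_rules(AVC_SAMPLE))` yields the same `allow hypervvssd_t fixed_disk_device_t:blk_file getattr;` line audit2allow printed, plus one for the constructed record, and `shared_access` groups both targets under a single (domain, class, perms) key: that grouping is the signal that the policy should cover the device class as a whole rather than accumulate one rule per observed type, while still granting only getattr.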

Comment 6 errata-xmlrpc 2018-10-30 10:04:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111