Bug 1651330
Summary: | RHOS14: selinux denies access on the file /usr/libexec/qemu-kvm | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | bkopilov <bkopilov> |
Component: | openstack-selinux | Assignee: | Zoli Caplovic <zcaplovi> |
Status: | CLOSED ERRATA | QA Contact: | Jon Schlueter <jschluet> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 14.0 (Rocky) | CC: | lhh, mgrepl, tshefi, zcaplovi |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | 14.0 (Rocky) | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openstack-selinux-0.8.15-1.el7ost | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-01-11 11:54:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
bkopilov
2018-11-19 17:35:17 UTC
```
[root@localhost openstack-selinux]# audit2allow
type=AVC msg=audit(1542647568.835:3798): avc: denied { entrypoint } for pid=77210 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=33653770 scontext=system_u:system_r:svirt_tcg_t:s0:c406,c900 tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0

#============= svirt_tcg_t ==============
allow svirt_tcg_t container_share_t:file entrypoint;
```

0.8.15 has allows for this, but the DLRN build predates the required change. The DLRN build is from upstream commit 4a047a052cb174f2ff055b7be4513c95575d40a5. The next two commits in the chain fix this, so it should be working with the 0.8.15-1 build.

I've tagged the build over since Zoli has already built it for OSP13 and prior.

Adding background info, bug happens when booting a VM using qemu rather than default KVM.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045
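For triaging a denial like the one in the description, the following added example (not part of the bug report or of openstack-selinux) parses AVC records and derives the same rule text that audit2allow printed. The function names `parse_avc` and `allow_rules` are hypothetical; the sample record is the one quoted in the description.

```python
import re
from collections import defaultdict

# AVC record quoted in the bug description above.
SAMPLE = (
    'type=AVC msg=audit(1542647568.835:3798): avc: denied { entrypoint } for '
    'pid=77210 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" '
    'ino=33653770 scontext=system_u:system_r:svirt_tcg_t:s0:c406,c900 '
    'tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the level may contain ':'.
        parts = rec.get(key, '').split(':')
        if len(parts) < 3:
            return None
        rec[key + '_type'] = parts[2]
    # permissive=0 means the kernel enforced the denial.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec if 'tclass' in rec and rec['perms'] else None


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into rule text."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
        grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules


if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['comm'], rec['path'], 'enforced' if rec['enforced'] else 'permissive')
    print('\n'.join(allow_rules([SAMPLE])))
```

In this bug the rule reached hosts through the updated openstack-selinux package (0.8.15-1), so the derived text serves to confirm which rule a given build is missing.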