Bug 1738845
| Summary: | selinux policy don't allow guest-fsfreeze-freeze command to freeze 'data disk mount point' | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | FuXiangChun <xfu> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | chayang, jinzhao, juzhang, lvrabec, mmalik, plautrba, ssekidde, xiagao, zpytela |
| Target Milestone: | rc | ||
| Target Release: | 8.2 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-09-03 19:07:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1778780 | ||
*** This bug has been marked as a duplicate of bug 1747960 *** |
Description of problem: Boot RHEL8.1 guest with 2 disks. one is system disk. another is data disk. Then disk format data disk and mount it to /mnt. Sent guest-fsfreeze-freeze to freeze guest file system. But return a error"{"error": {"class": "GenericError", "desc": "failed to open /mnt: Permission denied"}}" If disable selinux inside guest. It works well. Version-Release number of selected component (if applicable): 4.18.0-120.el8.x86_64 qemu-guest-agent-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64 How reproducible: 100% Steps to Reproduce: 1.Boot a RHEL8.1 guest with 2 disks /usr/libexec/qemu-kvm -name avocado-vt-vm1 -machine pc -nodefaults -device VGA,bus=pci.0,addr=0x2 -device virtio-serial-pci,id=virtio-serial1,max_ports=31 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,bus=virtio-serial1.0,chardev=channel2,name=org.qemu.guest_agent.0 -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=0x5 -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=qcow2,file=/home/kvm_autotest_root/images/rhel810-64-virtio-scsi.qcow2 -device scsi-hd,id=image1,drive=drive_image1 -drive file=/home/data-disk.qcow2,id=data-disk,if=none,snapshot=off,aio=threads,cache=none,format=qcow2 -device virtio-blk-pci,drive=data-disk,id=data-disk1 -m 14336 -smp 12,maxcpus=12,cores=6,threads=1,sockets=2 -cpu Haswell-noTSX,+kvm_pv_unhalt -vnc :0 -rtc base=utc,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off,strict=off -enable-kvm -monitor stdio 2. format data disk and mount it to /mnt #mkfs /dev/vda #mount /dev/vda /mnt 3.# nc -U /tmp/helloworld2 {"execute": "guest-fsfreeze-status"} {"return": "thawed"} {"execute": "guest-fsfreeze-freeze"} Actual results: {"error": {"class": "GenericError", "desc": "failed to open /mnt: Permission denied"}} Expected results: works Additional info: disable selinux inside guest, it works. # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today ---- type=PROCTITLE msg=audit(08/08/2019 17:16:06.257:111) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=,,,,,,,-status -F/etc/qemu-g type=SYSCALL msg=audit(08/08/2019 17:16:06.257:111) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x555d2daa7040 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1610 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) type=AVC msg=audit(08/08/2019 17:16:06.257:111) : avc: denied { read } for pid=1610 comm=qemu-ga name=/ dev="vda" ino=128 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(08/08/2019 17:16:06.257:112) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=,,,,,,,-status -F/etc/qemu-g type=SYSCALL msg=audit(08/08/2019 17:16:06.257:112) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x555d2daa6d40 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1610 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) type=AVC msg=audit(08/08/2019 17:16:06.257:112) : avc: denied { read } for pid=1610 comm=qemu-ga name=/ dev="vda" ino=128 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0