Bug 1753535

Summary: Permission denied error with Posix Ceph backend
Product: Red Hat Enterprise Linux 8
Reporter: gaojianan <jgao>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 8.0
CC: 754267513, bugs, bzlotnik, chhu, dyuan, ebenahar, eshenitz, hannsj_uhl, hhan, jgao, lsvaty, lvrabec, mmalik, mst, plautrba, shalygin.k, ssekidde, tnisan, toneata, xuzhang, yafu, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1558836
Environment:
Last Closed: 2020-06-01 12:25:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1558836
Bug Blocks: 1653106, 1672178

Comment 1 Han Han 2019-09-19 09:33:24 UTC
Provide your selinux-policy libvirt qemu-kvm version, upload the avc msg of this deny issue in audit log or related selinux log in /var/log/messages

Comment 3 gaojianan 2019-09-19 10:18:48 UTC
(In reply to Han Han from comment #1)
> Provide your selinux-policy libvirt qemu-kvm version, upload the avc msg of
> this deny issue in audit log or related selinux log in /var/log/messages

Version info:
libvirt-daemon-5.0.0-12.module+el8.0.1+3755+6782b0ed.x86_64
qemu-kvm-3.1.0-30.module+el8.0.1+3755+6782b0ed.x86_64
selinux-policy-3.14.1-61.el8_0.2.noarch

Log in audit.log:
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1360): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564e92e2b460 a2=80800 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1360): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1361): arch=c000003e syscall=4 success=no exit=-13 a0=564e92e2b460 a1=7ffd1c622f20 a2=7ffd1c622f20 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1361): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0


And this issue can only be reproduced in RHEL8.0.1; there is no problem in RHEL8.1.0.
Version info for 8.1.0:
libvirt-5.6.0-4.module+el8.1.0+4160+b50057dc.x86_64
qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64
selinux-policy-3.14.3-19.el8.noarch

Comment 15 Konstantin Shalygin 2020-05-28 07:39:59 UTC
Fix for EL7 is also needed.

Comment 16 Zdenek Pytela 2020-05-28 16:13:30 UTC
Konstantin,

The next RHEL 7 minor release will be in Maintenance Support 2 Phase, so business justification meeting the requirements is a requisite.

If you believe your request qualifies, please open a support case.

Comment 17 gaojianan 2020-06-01 01:48:50 UTC
Since we don't have business justification for Z-stream, I think it's ok to close this bz CURRENTRELEASE.

Comment 18 Zdenek Pytela 2020-06-01 12:25:08 UTC
As current supported versions were confirmed working, closing CURRENTRELEASE. Feel free to create a new bz in case of outstanding issue.