Bug 2047811
| Summary: | selinux denial for sanlock during host deployment | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Sandro Bonazzola <sbonazzo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bstinson, jwboyer, lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 9.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.1.23-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:50:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1986335 | ||
Sandro,
Can you switch the system to SELinux permissive mode and reproduce the scenario?
Do you know what filesystem is on dm-3?
# setenforce 0
<reproduce>
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
This is the denial interpreted:
----
type=PROCTITLE msg=audit(01/28/2022 09:41:01.094:1832) : proctitle=/usr/sbin/sanlock daemon
type=AVC msg=audit(01/28/2022 09:41:01.094:1832) : avc: denied { getattr } for pid=37165 comm=sanlock name=/ dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(01/28/2022 09:41:01.094:1832) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fdade30b49d a1=0x7ffeeeb41a70 a2=0x49 a3=0x1000 items=0 ppid=1 pid=37165 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3918 |
While deploying oVirt node got selinux denial: time->Fri Jan 28 14:41:01 2022 type=PROCTITLE msg=audit(1643380861.094:1832): proctitle=2F7573722F7362696E2F73616E6C6F636B006461656D6F6E type=SYSCALL msg=audit(1643380861.094:1832): arch=c000003e syscall=137 success=no exit=-13 a0=7fdade30b49d a1=7ffeeeb41a70 a2=49 a3=1000 items=0 ppid=1 pid=37165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1643380861.094:1832): avc: denied { getattr } for pid=37165 comm="sanlock" name="/" dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 # rpm -qa |grep sanlock sanlock-lib-3.8.4-1.el9.x86_64 sanlock-3.8.4-1.el9.x86_64 python3-sanlock-3.8.4-1.el9.x86_64 libvirt-lock-sanlock-8.0.0-2.el9.x86_64 # rpm -qa |grep selinux libselinux-3.3-2.el9.x86_64 libselinux-utils-3.3-2.el9.x86_64 rpm-plugin-selinux-4.16.1.3-9.el9.x86_64 selinux-policy-34.1.22-1.el9.noarch selinux-policy-targeted-34.1.22-1.el9.noarch python3-libselinux-3.3-2.el9.x86_64 glusterfs-selinux-2.0.1-1.el9s.noarch openvswitch-selinux-extra-policy-1.0-30.el9s.noarch ipa-selinux-4.9.8-1.el9.noarch