Bug 738188

Summary: SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock
Product: Red Hat Enterprise Linux 6
Reporter: Alex Jia <ajia>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 6.3
CC: berrange, dwalsh, mmalik, mzhan, rwu
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-12-06 10:18:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 743047

Description Alex Jia 2011-09-14 09:58:20 UTC
Description of problem:
SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-193.el6.x86_64

# rpm -qa|grep selinux
libselinux-2.0.94-5.1.el6.x86_64
selinux-policy-targeted-3.7.19-109.el6.noarch
libselinux-utils-2.0.94-5.1.el6.x86_64
libselinux-devel-2.0.94-5.1.el6.x86_64
libselinux-python-2.0.94-5.1.el6.x86_64
selinux-policy-3.7.19-109.el6.noarch


How reproducible:
always.

Steps to Reproduce:
1. please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442
Actual results:
type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for  pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket

Expected results:
Allow libvirt to access the /var/run/sanlock/sanlock.sock file.

Additional info:

SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock.

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c525,c976
Target Context                unconfined_u:system_r:sanlock_t:s0
Target Objects                /var/run/sanlock/sanlock.sock [ unix_stream_socket ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           libvirt-0.9.4-11.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-109.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-193.el6.x86_64 #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 Sep 2011 11:29:23 AM CST
Last Seen                     Wed 14 Sep 2011 11:29:23 AM CST
Local ID                      047cc8ae-1acb-4685-858c-9bcb0e119c7f

Raw Audit Messages
type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for  pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1315970963.788:47623): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f69615dba30 a2=6e a3=fffffff4 items=0 ppid=1 pid=30081 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=libvirtd exe=/usr/sbin/libvirtd subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,svirt_t,sanlock_t,unix_stream_socket,connectto

audit2allow

#============= svirt_t ==============
allow svirt_t sanlock_t:unix_stream_socket connectto;

audit2allow -R

#============= svirt_t ==============
allow svirt_t sanlock_t:unix_stream_socket connectto;

Comment 1 Miroslav Grepl 2011-09-14 10:32:32 UTC
I would add a new boolean:

optional_policy(`
    tunable_policy(`virt_use_sanlock',`
        sanlock_stream_connect(svirt_t)
    ')
')

I see there is also

type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772 comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability
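An added example (not from the bug report or the selinux-policy project) that parses the audit records quoted in the description and in comment 1, pairs each AVC with the SYSCALL record sharing its serial, and derives the sealert "Hash:" signature and the audit2allow rule shown above. The sample log is constructed from the records on this page; the pairing makes visible that the AVC is checked for svirt_t while the calling process runs as virtd_t (the subj field of the SYSCALL record).

```python
import re
# Constructed sample: the audit records quoted in this bug report (the AVC/SYSCALL
# pair for serial 47623, and the capability denial pasted in comment 1).
AUDIT_LOG = """\
type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for  pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1315970963.788:47623): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f69615dba30 a2=6e a3=fffffff4 items=0 ppid=1 pid=30081 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=libvirtd exe=/usr/sbin/libvirtd subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772 comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")  # event serial shared by AVC and SYSCALL
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")            # "{ connectto }" -> denied permissions
def parse_record(line):
    # One audit line -> dict of its fields plus the event serial and denied permissions
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    m = PERMS_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def context_type(ctx):
    # user:role:type[:range] -> type, the only field a type-enforcement rule needs
    return ctx.split(":")[2]

def signature(avc):
    # The comm,stype,ttype,tclass,perm key that sealert prints as "Hash:" for a denial
    return ",".join([avc["comm"], context_type(avc["scontext"]),
                     context_type(avc["tcontext"]), avc["tclass"], avc["perms"][0]])

def allow_rule(avc):
    # The rule audit2allow would emit; a domain denied against its own type gets "self"
    s, t = context_type(avc["scontext"]), context_type(avc["tcontext"])
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (s, "self" if s == t else t, avc["tclass"], perms)

def denial_report(log):
    # Group records by serial so each denial is paired with the syscall that caused it
    events = {}
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    report = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in (r for r in recs if r["type"] == "AVC"):
            report.append({"serial": serial, "signature": signature(avc), "rule": allow_rule(avc),
                           "exe": sc["exe"] if sc else None,
                           "subj_type": context_type(sc["subj"]) if sc else None})
    return report
```

Running denial_report(AUDIT_LOG) reproduces the Hash and audit2allow lines from the report above, and shows the second denial (sanlock_t against its own type) as a "self" rule with no paired SYSCALL record in the pasted excerpt.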

Comment 2 Daniel Walsh 2011-09-15 14:43:10 UTC
Looks good to me.

Comment 5 Alex Jia 2011-09-28 09:18:40 UTC
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=738529.

Comment 7 errata-xmlrpc 2011-12-06 10:18:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html