| Summary: | SELinux error (setattr) for VM/KVM universe jobs (RHEL5 only) | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Luigi Toscano <ltoscano> | |
| Component: | condor-vm-gahp | Assignee: | Timothy St. Clair <tstclair> | |
| Status: | CLOSED ERRATA | QA Contact: | Luigi Toscano <ltoscano> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 2.1 | CC: | matt, tstclair | |
| Target Milestone: | 2.3 | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | condor-7.8.2-0.1 | Doc Type: | Bug Fix | |
| Doc Text: |
C: Running VM Universe jobs on RHEL5.
C: The VM-Gahp attempts to update the utime for the image without the correct permissions.
F: Remove logic inside of the VM-Gahp to update utime for the image because that is a responsibility of the hypervisor.
R: The condor_vm-gahp should no longer trigger a SELinux error.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 751385 (view as bug list) | Environment: | ||
| Last Closed: | 2013-03-06 18:39:31 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | 751385 | |||
| Bug Blocks: | ||||
So the only place we touch the image is when we set the access time (utime) if the image is writable. Arguably the gahp should not be doing this at all b/c it should be a responsibility of the hypervisor. As a result I've eliminated the utime updates to the vm_disk
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
C: Running VM Universe jobs on RHEL5.
C: The VM-Gahp attempts to update the utime for the image without the correct permissions.
F: Remove logic inside of the VM-Gahp to update utime for the image because that is a responsibility of the hypervisor.
R: The condor_vm-gahp should no longer trigger a SELinux error.
Fix verified on RHEL5.9, x86_64. condor-7.8.8-0.4.1.el5 condor-classads-7.8.8-0.4.1.el5 condor-vm-gahp-7.8.8-0.4.1.el5 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0564.html |
Description of problem: When condor-vm-gahp runs a KVM/VM job, the following error can be seen in /var/log/message: SELinux is preventing condor_vm-gahp (initrc_t) "setattr" to ./testvm.img (svirt_image_t). For complete SELinux messages. run sealert -l e57ca993-1ff2-45c2-bd24-ae2a0d7e573e -------------------------------------------- Excerpts from the output of sealert: host=... type=AVC msg=audit(1320237390.206:506): avc: denied { setattr } for pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null) The job is successfully executed despite the error. Job file: --------------- Universe=vm Executable=testvm Log=$(cluster).vm.log VM_TYPE=kvm VM_MEMORY=768 VM_DISK=/var/lib/libvirt/images/testvm.img:vda:w Queue --------------- # ls -Z /var/lib/libvirt/images/testvm.img -rwxr-xr-x root root system_u:object_r:svirt_image_t:s0:c242,c576 /var/lib/libvirt/images/testvm.img ("restorecon -vF /var/lib/libvirt/images/testvm.img" was also executed but it did not change anything). The error can be seen on RHEL5.x (5.7) only, not on RHEL 6.2. Version-Release number of selected component (if applicable): condor-7.6.5-0.4 condor-classads-7.6.5-0.4 condor-vm-gahp-7.6.5-0.4