Bug 754649

Summary: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the filesystem /var/lib/libvirt/sanlock
Product: Red Hat Enterprise Linux 6 Reporter: Alex Jia <ajia>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: high    
Version: 6.2CC: berrange, dwalsh, gsun, mzhan, rwu
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-17 21:37:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alex Jia 2011-11-17 08:54:43 UTC 
Description of problem:
qemu-kvm should be allowed getattr access on the sanlock filesystem by default.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.209.el6
libvirt-lock-sanlock-0.9.4-23.el6
selinux-policy-3.7.19-126.el6

How reproducible:
always

Steps to Reproduce:
1. following this link:
http://fedoraproject.org/wiki/Features/VirtLockManager  (see 'Dual host
testing' section)

2. and enable the following selinux booleans:
virt_use_nfs --> on
virt_use_sanlock --> on

Actual results:
"AVC" error in /var/log/audit/audit.log.


Expected results:
allow qemu-kvm getattr access on the sanlock filesystem.

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c451,c888
Target Context                system_u:object_r:nfs_t:s0
Target Objects                /var/lib/libvirt/sanlock [ filesystem ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           qemu-kvm-0.12.1.2-2.209.el6
Target RPM Packages           libvirt-lock-sanlock-0.9.4-23.el6
Policy RPM                    selinux-policy-3.7.19-126.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-220.el6.x86_64
                              #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 17 Nov 2011 03:23:51 PM CST
Last Seen                     Thu 17 Nov 2011 03:23:51 PM CST
Local ID                      8ccfe6a3-6d4e-4efb-8988-4702cbb35f92

Raw Audit Messages
type=AVC msg=audit(1321514631.952:90362): avc:  denied  { getattr } for  pid=23083 comm="qemu-kvm" name="/" dev=0:1e ino=1703968 scontext=system_u:system_r:svirt_t:s0:c451,c888 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1321514631.952:90362): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=7 a1=7fff3771b0a0 a2=2 a3=ffffffffffffff0e items=0 ppid=1 pid=23083 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=168 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c451,c888 key=(null)

Hash: qemu-kvm,svirt_t,nfs_t,filesystem,getattr

audit2allow

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy

allow svirt_t nfs_t:filesystem getattr;

audit2allow -R

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy

allow svirt_t nfs_t:filesystem getattr;
Comment 1 Daniel Berrangé 2011-11-17 10:12:11 UTC 
I don't think this is really related to sanlock. It just looks like regular NFS disk access from the guest.
Comment 2 Daniel Walsh 2011-11-17 21:37:15 UTC 
Right these AVC's are being allowed in the current policy 

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy

allow svirt_t nfs_t:filesystem getattr;

Did you turn on the virt_use_nfs and then report the bug?
Comment 3 Alex Jia 2011-11-18 03:31:03 UTC 
(In reply to comment #1)
> I don't think this is really related to sanlock. It just looks like regular NFS
> disk access from the guest.

Yeah, it's just a nfs selinux issue when I try lock manager testing on NFS scenario, '/var/lib/libvirt/sanlock' is a shared directory by chance, so the bug summary includes it, it probably misunderstand you or others.
Comment 4 Alex Jia 2011-11-18 11:57:18 UTC 
(In reply to comment #2)
> 
> Did you turn on the virt_use_nfs and then report the bug?
Daniel, yeah, you're right, I just double check this issue, I indeed turn on virt_use_nfs selinux booleans, however, this AVC denied is a history record before turning on virt_use_nfs, so virt_use_nfs works well, thanks for your comment.