Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
qemu-kvm should be allowed getattr access on the sanlock filesystem by default.
Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.209.el6
libvirt-lock-sanlock-0.9.4-23.el6
selinux-policy-3.7.19-126.el6
How reproducible:
always
Steps to Reproduce:
1. following this link:
http://fedoraproject.org/wiki/Features/VirtLockManager (see 'Dual host
testing' section)
2. and enable the following selinux booleans:
virt_use_nfs --> on
virt_use_sanlock --> on
Actual results:
"AVC" error in /var/log/audit/audit.log.
Expected results:
allow qemu-kvm getattr access on the sanlock filesystem.
Additional Information:
Source Context system_u:system_r:svirt_t:s0:c451,c888
Target Context system_u:object_r:nfs_t:s0
Target Objects /var/lib/libvirt/sanlock [ filesystem ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host localhost.localdomain
Source RPM Packages qemu-kvm-0.12.1.2-2.209.el6
Target RPM Packages libvirt-lock-sanlock-0.9.4-23.el6
Policy RPM selinux-policy-3.7.19-126.el6
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.32-220.el6.x86_64
#1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64
Alert Count 1
First Seen Thu 17 Nov 2011 03:23:51 PM CST
Last Seen Thu 17 Nov 2011 03:23:51 PM CST
Local ID 8ccfe6a3-6d4e-4efb-8988-4702cbb35f92
Raw Audit Messages
type=AVC msg=audit(1321514631.952:90362): avc: denied { getattr } for pid=23083 comm="qemu-kvm" name="/" dev=0:1e ino=1703968 scontext=system_u:system_r:svirt_t:s0:c451,c888 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1321514631.952:90362): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=7 a1=7fff3771b0a0 a2=2 a3=ffffffffffffff0e items=0 ppid=1 pid=23083 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=168 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c451,c888 key=(null)
Hash: qemu-kvm,svirt_t,nfs_t,filesystem,getattr
audit2allow
#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;
audit2allow -R
#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;
Right these AVC's are being allowed in the current policy
#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;
Did you turn on the virt_use_nfs and then report the bug?
(In reply to comment #1)
> I don't think this is really related to sanlock. It just looks like regular NFS
> disk access from the guest.
Yeah, it's just a nfs selinux issue when I try lock manager testing on NFS scenario, '/var/lib/libvirt/sanlock' is a shared directory by chance, so the bug summary includes it, it probably misunderstand you or others.
(In reply to comment #2)
>
> Did you turn on the virt_use_nfs and then report the bug?
Daniel, yeah, you're right, I just double check this issue, I indeed turn on virt_use_nfs selinux booleans, however, this AVC denied is a history record before turning on virt_use_nfs, so virt_use_nfs works well, thanks for your comment.