Bug 855287

Summary: SELinux is preventing /usr/libexec/qemu-kvm from getattr access on Posix Compliant FS storage type
Product: Red Hat Enterprise Linux 6 Reporter: Anush Shetty <ashetty>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.3 CC: dwalsh, dyasny, fsimonce, hateya, iheim, lpeer, Rhev-m-bugs, sforsber, yeylon, ykaul
Target Milestone: beta   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: storage
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2012-10-09 12:36:24 UTC Type: Bug

Description Anush Shetty 2012-09-07 08:35:23 UTC
Description of problem: While installing the ISO on a VM from RHEVM, we see some permission denied errors. Running sealert on the audit log shows SELinux preventing /usr/libexec/qemu-kvm from read access on the file in the storage mount. SELinux is set to permissive mode on the RHS cluster and set to enforcing mode on the hypervisor, which is a RHEL 6.3 machine.


Version-Release number of selected component (if applicable): 
RHEL 6.3 on hypervisor
RHS2.0 on glusterfs servers with glusterfs-3.3.0rhsvirt1-2.el6_2.x86_64
rhevm-webadmin-portal-3.1.0-15.el6ev.noarch

How reproducible: Consistently


Steps to Reproduce:
1. Install ISO on VM from RHEVM

Actual results:

Installing from ISO on VM fails.


Expected results:

Should set the right selinux context and succeed.


Additional info:

Setting selinux to permissive mode on hypervisor fixes the issue.

sealert output:

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the file a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed read access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the filesystem /rhev/data-center/mnt/guido.lab.eng.blr.redhat.com:_iso1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed getattr access on the guido.lab.eng.blr.redhat.com:_iso1 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /rhev/data-center/mnt/rhs-gp-srv11.lab.eng.blr.redhat.com:_distribute-replicate-2x2/62bebb34-33c1-4329-9b69-e88dda3dc482/images/42256c4d-bd84-4a69-b4f8-87350114c140/a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed getattr access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the file a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed read write access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the filesystem /rhev/data-center/mnt/guido.lab.eng.blr.redhat.com:_iso1.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed getattr access on the guido.lab.eng.blr.redhat.com:_iso1 filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the file /rhev/data-center/mnt/rhs-gp-srv11.lab.eng.blr.redhat.com:_distribute-replicate-2x2/62bebb34-33c1-4329-9b69-e88dda3dc482/images/42256c4d-bd84-4a69-b4f8-87350114c140/a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed getattr access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the file a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed read write access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the file a4926e06-3921-4413-a74a-81ba527af74a.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed read access on the a4926e06-3921-4413-a74a-81ba527af74a file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
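
The sealert output above repeats the same few denials several times. The following is an added example, not part of the original report or of any Red Hat tooling: it parses sealert summary lines (both the single-permission form and the quoted `'read, write'` form) and collapses repeats, so each distinct denial can be reviewed once before any local policy module is generated. The sample input is constructed, with placeholder host and file names.

```python
import re
from collections import Counter

# Constructed sample: four summary lines in the shape sealert prints above
# (host and file names are placeholders, not values from the report).
SAMPLE = """\
SELinux is preventing /usr/libexec/qemu-kvm from read access on the file disk-image-1.
SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the filesystem /rhev/data-center/mnt/nfs.example.com:_iso1.
SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the file disk-image-1.
SELinux is preventing /usr/libexec/qemu-kvm from read access on the file disk-image-1.
"""

# Single permission:   "from read access on the file X."
# Several permissions: "from 'read, write' accesses on the file X."
SUMMARY = re.compile(
    r"^SELinux is preventing (?P<source>\S+) from "
    r"(?:'(?P<many>[^']+)'|(?P<one>\S+)) access(?:es)? on the "
    r"(?P<tclass>\S+) (?P<target>.+?)\.?\s*$"
)

def parse_summary(line):
    """Return (source, perms, tclass, target) for one summary line, else None."""
    m = SUMMARY.match(line.strip())
    if not m:
        return None
    raw = m.group("many") or m.group("one")
    perms = tuple(sorted(p.strip() for p in raw.split(",")))
    return (m.group("source"), perms, m.group("tclass"), m.group("target"))

def unique_denials(text):
    """Count repeated alerts so each distinct denial is listed once."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_summary(line)
        if parsed:
            counts[parsed] += 1
    return counts

def classes_denied(counts):
    """Object classes involved; 'file' and 'filesystem' are separate classes."""
    return sorted({tclass for (_, _, tclass, _) in counts})

if __name__ == "__main__":
    for (src, perms, tclass, target), n in unique_denials(SAMPLE).items():
        print(f"{n}x {src} {{{' '.join(perms)}}} {tclass} {target}")
```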

Comment 6 Miroslav Grepl 2012-10-09 12:36:24 UTC

*** This bug has been marked as a duplicate of bug 835936 ***