Bug 990509

Summary: Current selinux policy prevents running a VM with volumes under /var/run/vdsm/storage
Product: Fedora
Reporter: Eduardo Warszawski <ewarszaw>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: amuller, asegurap, danken, dominick.grift, dwalsh, ebenahar, ewarszaw, iheim, lpeer, mgrepl, mmalik, myakove, sbonazzo, wudxw
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Clone Of: 977856
Clones: 998663 1005950
Last Closed: 2013-08-22 00:52:17 UTC
Type: Bug
Bug Blocks: 998663, 1004670, 1005950
Attachments: audit logs + vdsm log (no flags)

Description Eduardo Warszawski 2013-07-31 10:40:42 UTC
Description of problem:
We would like to run VMs based on volumes placed under vdsm's own /var/run/vdsm directory, currently in parallel to the current trademark-breaching /rhev/data-center location.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible: 100%

Comment 1 Daniel Walsh 2013-07-31 12:24:06 UTC
What avcs are you getting?

Comment 2 Dan Kenigsberg 2013-08-01 08:00:15 UTC
I've removed this bug from the ovirt-3.3 tracker since it is strictly required for the "hosted engine" feature that is not part of 3.3.

Comment 3 Eduardo Warszawski 2013-08-07 15:00:50 UTC
(In reply to Daniel Walsh from comment #1)
> What avcs are you getting?

Elad, from QE, will send you the logs.

The error is a permission error, and by setting setenforce to permissive the VM can start.

Comment 4 Elad 2013-08-07 15:17:46 UTC
Created attachment 783972 [details]
audit logs + vdsm log

Logs attached.

Comment 5 Daniel Walsh 2013-08-07 17:51:35 UTC
bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to read symlinks in /var/run
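
Comment 3 reports a permission error that goes away in permissive mode, and comment 5 narrows it to svirt_t being unable to read symlinks in /var/run. Before downgrading enforcement, a host admin can confirm from the audit log that the denials really are of that class, and after installing the fixed policy can check that they have stopped. The following triage script is an added example, not code from this bug report or from the selinux-policy project; it parses audit.log-style AVC records and separates "svirt_t denied read on a lnk_file labeled var_run_t" (the /var/run label) from any other denials. The sample records are constructed for this example and are not taken from the attached logs.

```python
"""Triage SELinux AVC records for the svirt_t symlink-read denial.

Added example (not from the bug report or the selinux-policy project).
It reports denials in which a confined guest domain (svirt_t) was refused
'read' on a lnk_file under /var/run, the class of denial that comment 5
says the policy commit addresses. Run with no arguments to use the
constructed sample below, or pass a file of AVC lines (e.g. the output of
`ausearch -m AVC`) as the first argument.
"""
import re
import sys

# Constructed sample records (not from the bug's attachment): the first two
# mimic the denial this bug is about, the third is an unrelated denial, and
# the fourth is a granted AVC that must be ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1375889001.123:4567): avc:  denied  { read } for  '
    'pid=2211 comm="qemu-kvm" name="vdsm" dev="tmpfs" ino=18 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c345 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1375889001.130:4568): avc:  denied  { read } for  '
    'pid=2211 comm="qemu-kvm" name="storage" dev="tmpfs" ino=21 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c345 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1375889002.001:4569): avc:  denied  { write } for  '
    'pid=9901 comm="httpd" name="index.html" dev="dm-0" ino=7788 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1375889003.500:4570): avc:  granted  { read } for  '
    'pid=2211 comm="qemu-kvm" name="disk.img" dev="dm-3" ino=42 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c345 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c12,c345 tclass=file',
]

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Extract the type (third component) of an SELinux security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def is_svirt_run_symlink_denial(rec):
    """True for a denied 'read' of a lnk_file in /var/run by a svirt_t domain."""
    if rec.get("result") != "denied" or "read" not in rec["perms"]:
        return False
    if context_type(rec.get("scontext", "")) != "svirt_t":
        return False
    if rec.get("tclass") != "lnk_file":
        return False
    # /var/run (and /run) carry the var_run_t label; when the kernel also
    # emitted a path= field, accept a /var/run or /run prefix as well.
    path = rec.get("path", "")
    return (context_type(rec.get("tcontext", "")) == "var_run_t"
            or path.startswith(("/var/run/", "/run/")))


def triage(lines):
    """Split denied AVCs into the class this bug covers and everything else."""
    result = {"matching": [], "other_denials": []}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        bucket = "matching" if is_svirt_run_symlink_denial(rec) else "other_denials"
        result[bucket].append(rec)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    summary = triage(lines)
    for rec in summary["matching"]:
        print(f"pid={rec.get('pid')} comm={rec.get('comm')} name={rec.get('name')}: "
              "svirt_t denied read on lnk_file in var_run_t")
    print(f"{len(summary['matching'])} matching denial(s), "
          f"{len(summary['other_denials'])} unrelated denial(s)")
```

If the script reports matching denials on a host still running the old policy, the update in comment 11 is the fix; if it reports only unrelated denials, the VM start failure has a different cause and permissive mode would be masking something else. Re-running it over the audit log after the upgrade should show zero matching records.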

Comment 6 Miroslav Grepl 2013-08-08 12:13:29 UTC
Backported.

Comment 7 Elad 2013-08-11 14:36:57 UTC
(In reply to Daniel Walsh from comment #5)
> bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to
> read symlinks in /var/run

On what official version can I check it?

Comment 9 Miroslav Grepl 2013-08-19 15:33:58 UTC
It has been fixed in -70.fc19. You can test it using

http://koji.fedoraproject.org/koji/buildinfo?buildID=455209

build for now until a new update.

Comment 10 Sandro Bonazzola 2013-08-20 06:44:45 UTC
(In reply to Miroslav Grepl from comment #9)
> It has been fixed in -70.fc19. You can test it using
> 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=455209
> 
> build for now until a new update.

Can you push it also on fc18?

Comment 11 Fedora Update System 2013-08-20 08:25:32 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 12 Fedora Update System 2013-08-21 00:14:42 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-08-22 00:52:17 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.