
Bug 1003244

Summary: Permission denied when running virt-alignment-scan using vdsm service on a vdsm image
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.4
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Reporter: Yeela Kaplan <ykaplan>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dwalsh, mmalik, oourfali, sgotliv, ykaplan
Target Milestone: rc
Target Release: ---
Doc Type: Bug Fix
Story Points: ---
Environment: Red Hat Enterprise Linux Server release 6.4 (Santiago) selinux-policy-targeted-3.7.19-195.el6_4.12.noarch libselinux-utils-2.0.94-5.3.el6_4.1.x86_64 selinux-policy-3.7.19-195.el6_4.12.noarch libselinux-python-2.0.94-5.3.el6_4.1.x86_64 libselinux-2.0.94-5.3.el6_4.1.x86_64 vdsm-4.12.0-34.gitbf23a9e.el6_4.x86_64 libguestfs-tools-1.16.34-2.el6.x86_64 python-libguestfs-1.16.34-2.el6.x86_64 libguestfs-1.16.34-2.el6.x86_64
Last Closed: 2013-09-13 14:24:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Yeela Kaplan 2013-09-01 09:16:04 UTC
Description of problem:

When using the vdsm service and running '/usr/bin/virt-alignment-scan' on a vdsm image, we get Permission denied in enforcing mode (the scan succeeds in permissive mode).

Running '/usr/bin/virt-alignment-scan' as user vdsm from a shell succeeds; it only fails when run through the service (using the verb 'getDiskAlignment' from vdsClient or engine).

From a shell as the vdsm user:

/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285
/dev/sda1      1048576         1024K   ok
/dev/sda2    525336576         1024K   ok

using vdsm service (vdsClient):
vdsClient -s 0 getDiskAlignment 0 446ba2b8-d44e-49b4-87eb-931b18d9d667 4139da9d-cbe9-4590-b939-3a4bbf3966f8 f2e89d67-79ac-4284-b6d5-a90fef9a431b 4824aa4a-af29-4ca2-ac2d-187fcf2fd285

When using verbosity option for virt-alignment-scan we see in the logs:
'could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied'
and:
'libguestfs: error: guestfs_launch failed, see earlier error messages'

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.4 (Santiago)

selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64

vdsm-4.12.0-34.gitbf23a9e.el6_4.x86_64

libguestfs-tools-1.16.34-2.el6.x86_64
python-libguestfs-1.16.34-2.el6.x86_64
libguestfs-1.16.34-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vdsm, libguestfs
2. setenforce 1
3. run vdsClient -s 0 getDiskAlignment [<vmId> <poolId> <domId> <imgId> <volId>]

Actual results:

Fails to get image alignment from libguestfs with Permission denied.

Expected results:

libguestfs should complete the scan and return alignment True/False for each partition on the disk image.

From the vdsm log:

Thread-24::DEBUG::2013-09-01 12:09:02,002::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) '/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285 -v' (cwd None)
Thread-24::DEBUG::2013-09-01 12:09:02,146::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) FAILED: <err> = "libguestfs: [00000ms] febootstrap-supermin-helper --verbose -f checksum '/usr/lib64/guestfs/supermin.d' x86_64\nsupermin helper [00000ms] whitelist = (not specified), host_cpu = x86_64, kernel = (null), initrd = (null), appliance = (null)\nsupermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d\nchecking modpath /lib/modules/2.6.32-358.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.el6.x86_64 because modpath /lib/modules/2.6.32-358.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-279.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-279.el6.x86_64 because modpath /lib/modules/2.6.32-279.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.14.1.el6.x86_64 because modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 exists\nsupermin helper [00000ms] finished creating kernel\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/base.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles\nsupermin helper [00024ms] visiting /usr/lib64/guestfs/supermin.d/init.img\nsupermin helper [00024ms] adding kernel modules\nsupermin helper [00039ms] finished creating appliance\nlibguestfs: [00041ms] begin testing qemu features\nlibguestfs: [00052ms] finished testing qemu features\nlibguestfs: accept_from_daemon: 0x13378f0 g->state = 1\n[00052ms] /usr/libexec/qemu-kvm \\\n    -global virtio-blk-pci.scsi=off \\\n    -nodefconfig \\\n    -nodefaults \\\n    -nographic \\\n    -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio \\\n    -nodefconfig \\\n    
-machine accel=kvm:tcg \\\n    -m 500 \\\n    -no-reboot \\\n    -device virtio-serial \\\n    -serial stdio \\\n    -device sga \\\n    -chardev socket,path=/tmp/libguestfsRpL8Tf/guestfsd.sock,id=channel0 \\\n    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \\\n    -kernel /var/tmp/.guestfs-36/kernel.24694 \\\n    -initrd /var/tmp/.guestfs-36/initrd.24694 \\\n    -append 'panic=1 console=ttyS0 udevtimeout=300 no_timer_check acpi=off printk.time=1 cgroup_disable=memory selinux=0 guestfs_verbose=1 TERM=xterm ' \\\n    -drive file=/var/tmp/.guestfs-36/root.24694,snapshot=on,if=virtio,cache=unsafeqemu-kvm: -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio: could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied\nlibguestfs: child_cleanup: 0x13378f0: child process died\nlibguestfs: error: guestfs_launch failed, see earlier error messages\nlibguestfs: closing guestfs handle 0x13378f0 (state 0)\n"; <rc> = 1

Comment 2 Miroslav Grepl 2013-09-02 12:07:26 UTC
What AVC msgs are you getting?

Comment 3 Yeela Kaplan 2013-09-10 21:26:06 UTC
Miroslav,
here are the AVC msgs:

type=AVC msg=audit(1378847535.412:14242): avc:  denied  { read } for  pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.412:14242): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=800 a2=0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14243): avc:  denied  { getattr } for  pid=27416 comm="qemu-kvm" path="/dev/dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14243): arch=c000003e syscall=4 success=no exit=-13 a0=7f97ea5e3970 a1=7fffd9822fb0 a2=7fffd9822fb0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14244): avc:  denied  { read } for  pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14244): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=81000 a2=0 a3=40 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)



Let me know if you need anything else.
Thanks,
Yeela

Comment 4 Daniel Walsh 2013-09-11 17:43:34 UTC
The problem is we have a transition from initrc_t to qemu_t when running a qemu_exec_t, which we should eliminate.
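
A triage sketch for the AVC and SYSCALL records posted in comment 3, added here as an example; it is not part of the bug report or of any Red Hat tooling. The names `summarize`, `render` and `sel_type` are made up for illustration, and the sample input is the first two audit events from that comment with each wrapped record rejoined onto one line.

```python
import re
from collections import defaultdict

# Sample input: the first two denial events from comment 3, each record
# rejoined onto one line (the wrapped lines cannot be parsed as posted).
SAMPLE = """\
type=AVC msg=audit(1378847535.412:14242): avc:  denied  { read } for  pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.412:14242): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=800 a2=0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14243): avc:  denied  { getattr } for  pid=27416 comm="qemu-kvm" path="/dev/dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14243): arch=c000003e syscall=4 success=no exit=-13 a0=7f97ea5e3970 a1=7fffd9822fb0 a2=7fffd9822fb0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+)'
    r' tclass=(?P<cls>\S+)')
SYS_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[^)]+)\):.*?\bexit=(?P<exit>-?\d+).*?\buid=(?P<uid>\d+)')

def sel_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class) and attach the
    exit code and uid of the SYSCALL record that shares the audit event ID."""
    lines = log_text.splitlines()
    syscalls = {m["id"]: (int(m["exit"]), int(m["uid"]))
                for m in map(SYS_RE.search, lines) if m}
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "sys": set()})
    for m in filter(None, map(AVC_RE.search, lines)):
        g = groups[(sel_type(m["src"]), sel_type(m["tgt"]), m["cls"])]
        g["perms"].update(m["perms"].split())
        g["comm"].add(m["comm"])
        if m["id"] in syscalls:          # an AVC may arrive without its SYSCALL
            g["sys"].add(syscalls[m["id"]])
    return dict(groups)

def render(groups):
    """One line per group: who was denied what, on which object type."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        sys_info = " ".join(f"exit={e} uid={u}" for e, u in sorted(g["sys"]))
        out.append(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
                   f"comm={','.join(sorted(g['comm']))} {sys_info}".rstrip())
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The single summary line shows qemu-kvm running in the qemu_t domain and receiving exit=-13 (EACCES) on a blk_file labelled fixed_disk_device_t, which is the domain comment 4 says the process transitions into.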

Comment 5 Miroslav Grepl 2013-09-13 14:24:08 UTC

*** This bug has been marked as a duplicate of bug 1006952 ***