Description of problem:
When using vdsm service and running '/usr/bin/virt-alignment-scan' on a vdsm image we get Permission denied when in enforcing mode (it succeeds scan when in permissive mode). Running '/usr/bin/virt-alignment-scan' as user vdsm from shell will succeed, it only fails when running through the service (using the verb 'getDiskAlignment' from vdsClient or engine).

from shell as vdsm user:
/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285
/dev/sda1 1048576 1024K ok
/dev/sda2 525336576 1024K ok

using vdsm service (vdsClient):
vdsClient -s 0 getDiskAlignment 0 446ba2b8-d44e-49b4-87eb-931b18d9d667 4139da9d-cbe9-4590-b939-3a4bbf3966f8 f2e89d67-79ac-4284-b6d5-a90fef9a431b 4824aa4a-af29-4ca2-ac2d-187fcf2fd285

When using verbosity option for virt-alignment-scan we see in the logs:
'could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied'
and:
'libguestfs: error: guestfs_launch failed, see earlier error messages'

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.4 (Santiago)
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-195.el6_4.12.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
vdsm-4.12.0-34.gitbf23a9e.el6_4.x86_64
libguestfs-tools-1.16.34-2.el6.x86_64
python-libguestfs-1.16.34-2.el6.x86_64
libguestfs-1.16.34-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vdsm, libguestfs
2. setenforce 1
3. run vdsClient -s 0 getDiskAlignment [<vmId> <poolId> <domId> <imgId> <volId>]

Actual results:
Fail to get Image alignment from libguestfs with Permission denied.

Expected results:
libguestfs should succeed scan and return alignment True/False for each partition on the disk image.

from vdsm log:
Thread-24::DEBUG::2013-09-01 12:09:02,002::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) '/usr/bin/virt-alignment-scan --add /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285 -v' (cwd None)
Thread-24::DEBUG::2013-09-01 12:09:02,146::alignmentScan::43::Storage.Misc.excCmd::(runScanArgs) FAILED: <err> = "libguestfs: [00000ms] febootstrap-supermin-helper --verbose -f checksum '/usr/lib64/guestfs/supermin.d' x86_64\nsupermin helper [00000ms] whitelist = (not specified), host_cpu = x86_64, kernel = (null), initrd = (null), appliance = (null)\nsupermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d\nchecking modpath /lib/modules/2.6.32-358.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.el6.x86_64 because modpath /lib/modules/2.6.32-358.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-279.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-279.el6.x86_64 because modpath /lib/modules/2.6.32-279.el6.x86_64 exists\nchecking modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 is a directory\npicked vmlinuz-2.6.32-358.14.1.el6.x86_64 because modpath /lib/modules/2.6.32-358.14.1.el6.x86_64 exists\nsupermin helper [00000ms] finished creating kernel\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/base.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img\nsupermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles\nsupermin helper [00024ms] visiting /usr/lib64/guestfs/supermin.d/init.img\nsupermin helper [00024ms] adding kernel modules\nsupermin helper [00039ms] finished creating appliance\nlibguestfs: [00041ms] begin testing qemu features\nlibguestfs: [00052ms] finished testing qemu features\nlibguestfs: accept_from_daemon: 0x13378f0 g->state = 1\n[00052ms] /usr/libexec/qemu-kvm \\\n -global virtio-blk-pci.scsi=off \\\n -nodefconfig \\\n -nodefaults \\\n -nographic \\\n -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio \\\n -nodefconfig \\\n -machine accel=kvm:tcg \\\n -m 500 \\\n -no-reboot \\\n -device virtio-serial \\\n -serial stdio \\\n -device sga \\\n -chardev socket,path=/tmp/libguestfsRpL8Tf/guestfsd.sock,id=channel0 \\\n -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \\\n -kernel /var/tmp/.guestfs-36/kernel.24694 \\\n -initrd /var/tmp/.guestfs-36/initrd.24694 \\\n -append 'panic=1 console=ttyS0 udevtimeout=300 no_timer_check acpi=off printk.time=1 cgroup_disable=memory selinux=0 guestfs_verbose=1 TERM=xterm ' \\\n -drive file=/var/tmp/.guestfs-36/root.24694,snapshot=on,if=virtio,cache=unsafeqemu-kvm: -drive file=/rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285,snapshot=on,if=virtio: could not open disk image /rhev/data-center/446ba2b8-d44e-49b4-87eb-931b18d9d667/4139da9d-cbe9-4590-b939-3a4bbf3966f8/images/f2e89d67-79ac-4284-b6d5-a90fef9a431b/4824aa4a-af29-4ca2-ac2d-187fcf2fd285: Permission denied\nlibguestfs: child_cleanup: 0x13378f0: child process died\nlibguestfs: error: guestfs_launch failed, see earlier error messages\nlibguestfs: closing guestfs handle 0x13378f0 (state 0)\n"; <rc> = 1

What AVC msgs are you getting?

Miroslav, here are the AVC msgs:

type=AVC msg=audit(1378847535.412:14242): avc: denied { read } for pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.412:14242): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=800 a2=0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14243): avc: denied { getattr } for pid=27416 comm="qemu-kvm" path="/dev/dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14243): arch=c000003e syscall=4 success=no exit=-13 a0=7f97ea5e3970 a1=7fffd9822fb0 a2=7fffd9822fb0 a3=0 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378847535.413:14244): avc: denied { read } for pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14244): arch=c000003e syscall=2 success=no exit=-13 a0=7f97ea5e3970 a1=81000 a2=0 a3=40 items=0 ppid=27228 pid=27416 auid=0 uid=36 gid=36 euid=36 suid=36 fsuid=36 egid=36 sgid=36 fsgid=36 tty=(none) ses=1461 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)

Let me know if you need anything else.

Thanks,
Yeela

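
An added triage example, not part of the original report or of vdsm/libguestfs: it groups AVC denials like those in the comment above by source type, target type and object class, and joins each one to its SYSCALL record through the shared audit event serial. The sample input is constructed by trimming two events from the records quoted in this report; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: two audit events trimmed from the records quoted in this report.
SAMPLE = """\
type=AVC msg=audit(1378847535.412:14242): avc: denied { read } for pid=27416 comm="qemu-kvm" name="dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.412:14242): arch=c000003e syscall=2 success=no exit=-13 ppid=27228 pid=27416 auid=0 uid=36 gid=36 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1378847535.413:14243): avc: denied { getattr } for pid=27416 comm="qemu-kvm" path="/dev/dm-80" dev=devtmpfs ino=18394320 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1378847535.413:14243): arch=c000003e syscall=4 success=no exit=-13 ppid=27228 pid=27416 auid=0 uid=36 gid=36 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(':')[2]

def summarize(text):
    """Group denials by (source type, target type, class); join SYSCALL data by event serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC' and PERMS.search(body):
            fields['perms'] = PERMS.search(body).group(1).split()
        events[serial][rtype] = fields
    summary = {}
    for ev in events.values():
        avc, sc = ev.get('AVC'), ev.get('SYSCALL', {})
        if not avc or 'perms' not in avc:
            continue
        key = (se_type(avc['scontext']), se_type(avc['tcontext']), avc['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'uids': set(), 'exes': set(), 'exits': set()})
        entry['perms'].update(avc['perms'])
        for name, field in (('uids', 'uid'), ('exes', 'exe'), ('exits', 'exit')):
            if field in sc:
                entry[name].add(sc[field])
    return summary

if __name__ == '__main__':
    for (src, tgt, cls), e in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {sorted(e['perms'])} "
              f"uid={sorted(e['uids'])} exe={sorted(e['exes'])} exit={sorted(e['exits'])}")
```

The grouped key shows the confined domain the process ran in (qemu_t) rather than the login user, which is the detail that separates the service path from the shell path in this report.
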
The problem is we have a transition from initrc_t to qemu_t when running a qemu_exec_t, which we should eliminate.
*** This bug has been marked as a duplicate of bug 1006952 ***