Bug 1003729 - [virt-login-shell] cannot open user home directory: Permission denied
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt (Show other bugs)
Version: 7.0
Hardware: x86_64 Linux
Priority: medium  Severity: medium
Target Milestone: rc
Assigned To: Libvirt Maintainers
Virtualization Bugs
Reported: 2013-09-02 23:45 EDT by Alex Jia
Modified: 2013-09-05 11:36 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-09-05 11:36:17 EDT
Type: Bug
Description Alex Jia 2013-09-02 23:45:17 EDT
Description of problem:
Can't access the user's home directory via virt-login-shell; it fails with a "Permission denied" error. A normal user should have permission to access its own home directory.

Version-Release number of selected component (if applicable):
libvirt-client-1.1.1-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:

1. Create a 'sandbox' user account.

# useradd sandbox
# passwd sandbox

2. Edit /etc/libvirt/virt-login-shell.conf as follows:

# tail -2 /etc/libvirt/virt-login-shell.conf
allowed_users = ["sandbox"]
shell = [ "/bin/ls", "-l", "/home/sandbox"]

3. Start a 'sandbox' container.

# virt-sandbox -c lxc:/// /bin/sh

4. Switch to the 'sandbox' account and run 'virt-login-shell'.

# su sandbox
$ virt-login-shell

Actual results:

$ virt-login-shell
/bin/ls: cannot open directory /home/sandbox: Permission denied


Expected results:

'virt-login-shell' should allow the user to access its home directory.


Additional info:

[sandbox@localhost ~]$ pwd
/home/sandbox

[sandbox@localhost ~]$ id
uid=1004(sandbox) gid=1004(sandbox) groups=1004(sandbox) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[sandbox@localhost ~]$ touch hello
[sandbox@localhost ~]$ ls
hello
Comment 2 Daniel Walsh 2013-09-04 09:56:02 EDT
In order to make this work you would have to label /home/sandbox correctly with virt_lxc_file_t and the correct MCS Label.

When you are in the sandbox you will be running something like

svirt_lxc_net_t:s0:c2,c3, and you are only able to read/write svirt_lxc_file_t:s0:c2,c3.

OpenShift sets this up automatically.

They set up static labeling.
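As an added example (not code from the bug report or from libvirt), the rule in this comment applied to constructed SELinux contexts in POSIX shell: parse the type and MCS categories out of a label and report whether the sandbox process could use the file. It assumes the file type must be svirt_lxc_file_t (the form shown in the context above) and that the category sets must match exactly.

```shell
#!/bin/sh
# Added example (not libvirt code): apply the rule from the comment above to
# constructed SELinux contexts. Assumptions: the sandbox process runs as
# svirt_lxc_net_t with some MCS categories, and it may only read/write files of
# type svirt_lxc_file_t carrying exactly the same category set.

# ctx_field CONTEXT N: print colon-separated field N (1 user, 2 role, 3 type).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# ctx_categories CONTEXT: print the MCS categories ("c2,c3"), or nothing.
# The level is everything after the third colon: "s0", "s0:c2,c3", "s0-s0:c0.c1023".
ctx_categories() {
    level=$(printf '%s\n' "$1" | cut -d: -f4-)
    case "$level" in
        *:*) printf '%s\n' "${level#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# sandbox_can_access PROCESS_CTX FILE_CTX:
# returns 0 if usable, 1 on wrong file type, 2 on MCS category mismatch.
sandbox_can_access() {
    [ "$(ctx_field "$2" 3)" = "svirt_lxc_file_t" ] || return 1
    [ "$(ctx_categories "$1")" = "$(ctx_categories "$2")" ] || return 2
    return 0
}

# explain PROCESS_CTX PATH FILE_CTX: print a verdict for one file label.
explain() {
    rc=0
    sandbox_can_access "$1" "$3" || rc=$?
    case $rc in
        0) printf '%s: OK for %s\n' "$2" "$1" ;;
        1) printf '%s: DENIED, type %s is not svirt_lxc_file_t\n' "$2" "$(ctx_field "$3" 3)" ;;
        2) printf '%s: DENIED, categories "%s" differ from sandbox "%s"\n' \
               "$2" "$(ctx_categories "$3")" "$(ctx_categories "$1")" ;;
    esac
}

# Constructed contexts: the sandbox process, a typical default home directory
# label, a correctly relabelled home directory, and one with the wrong MCS pair.
SANDBOX_CTX="system_u:system_r:svirt_lxc_net_t:s0:c2,c3"
explain "$SANDBOX_CTX" /home/sandbox "unconfined_u:object_r:user_home_dir_t:s0"
explain "$SANDBOX_CTX" /home/sandbox "system_u:object_r:svirt_lxc_file_t:s0:c2,c3"
explain "$SANDBOX_CTX" /home/sandbox "system_u:object_r:svirt_lxc_file_t:s0:c4,c5"
```

Only the second label passes; the first fails on type (the situation in this bug) and the third on categories, which is why a directory left with its default label is unreadable from the sandbox.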
Comment 3 Alex Jia 2013-09-04 20:58:50 EDT
(In reply to Daniel Walsh from comment #2)
> In order to make this work you would have to label /home/sandbox correctly
> with virt_lxc_file_t and the correct MCS Label.
> 
> When you are in the sandbox you will be running something like
> 
> svirt_lxc_net_t:s0:c2,c3  And you are only able to read/write
> svirt_lxc_file_t:s0:c2,c3
> 
> Openshift sets this up automatically.
> 
> They setup static labeling.

Daniel, I think there should at least be documentation describing this in the future. In addition, I also checked auditd.log with SELinux in 'Enforcing' mode and haven't found any AVC denied error, so it is indeed hard for me to debug this; is this an SELinux issue? Thanks.
Comment 4 Alex Jia 2013-09-05 01:41:25 EDT
Daniel, can the default SELinux label "svirt_lxc_net_t" be automatically assigned when we create a sandbox (libvirt-sandbox) account? I guess OpenShift does this by itself; if I'm not an OpenShift user, then it means I must manually change my home directory's SELinux label myself.
Comment 5 Daniel Walsh 2013-09-05 09:37:28 EDT
Yes, when using libvirt-sandbox you need to set up labels yourself for any content you want to be able to write within the sandbox.  When using virt-sandbox-service, it does this for you.
Comment 6 Daniel Walsh 2013-09-05 09:38:45 EDT
We have a version of virt-sandbox -s inherit upstream which will run the sandbox with the user's context rather than svirt_lxc_net_t.  When this comes out you could run containers as unconfined_t, and then the login should work fine.
Comment 7 Alex Jia 2013-09-05 10:16:45 EDT
(In reply to Daniel Walsh from comment #6)
> We have a version of virt-sandbox -s inherit which is in the upstream which
> will run the sandbox with the user's context rather than svirt_lxc_net_t.
> When this comes out you could run containers as unconfined_t and then the
> login should work fine.

Thanks, I'm looking forward to testing this new feature; if everything is okay, I will close the bug as WORKSFORME.
