Bug 1026706 - Application-consistent online backup (qemu-ga freeze/thaw hooks for linux guests)
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: Unspecified Unspecified
Priority: high Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Keywords: Regression
Reported: 2013-11-05 04:41 EST by Sibiao Luo
Modified: 2013-11-05 05:11 EST

Doc Type: Bug Fix
Last Closed: 2013-11-05 05:11:39 EST
Type: Bug
Description Sibiao Luo 2013-11-05 04:41:37 EST
Description of problem:
When we do bug re-verification for bug 911569, it fails with the latest qemu-kvm & selinux.

Version-Release number of selected component (if applicable):
host info:
2.6.32-429.el6.x86_64
qemu-kvm-0.12.1.2-2.415.el6.x86_64
guest info:
qemu-guest-agent-0.12.1.2-2.415.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Start guest with virtio serial.
e.g.: # /usr/libexec/qemu-kvm -S -M rhel6.5.0 ... -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0
2. Install the qemu-guest-agent package in guest.
3. Set FSFREEZE_HOOK_ENABLE=1 in /etc/sysconfig/qemu-ga in guest.
4. Add a simple user script in guest.
# cat /usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
#!/bin/bash
echo "$0:" "$@"
5. # chmod 777 /usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
6. Reboot guest for the configuration to take effect.
7. Start guest agent with fsfreeze hook enabled inside guest.
# qemu-ga -F on
8. Connect to the chardev socket on the host side to send commands to guest.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-freeze" }
{"execute":"guest-fsfreeze-thaw"}

Actual results:
No matter whether selinux is Enforcing or Permissive, the "guest-fsfreeze-freeze" can run correctly.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}

Expected results:
After step 8, test it with SELINUX = Enforcing|Permissive status.
- I. SELINUX = Enforcing:
# getenforce 
Enforcing
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"error": {"class": "GenericError", "desc": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied", "data": {"message": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied"}}}
- II. SELINUX = Permissive:
# setenforce 0
# getenforce 
Permissive
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "frozen"}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}

Additional info:
Comment 1 Sibiao Luo 2013-11-05 04:49:28 EST
We verified the bug in bug 911569#c17 with qemu-kvm-0.12.1.2-2.370.el6.x86_64 & qemu-guest-agent-0.12.1.2-2.370.el6.x86_64 & selinux-policy-3.7.19-200.el6.noarch.
But when I download to qemu-kvm-0.12.1.2-2.370.el6.x86_64 & qemu-guest-agent-0.12.1.2-2.370.el6.x86_64 & selinux-policy-3.7.19-207.el6.noarch I still hit this issue, so this is a selinux-policy regression bug.
Comment 2 Sibiao Luo 2013-11-05 05:11:39 EST
(In reply to Sibiao Luo from comment #1)
> We did bug verified in bug 911569#c17 with
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.x86_64&selinux-policy-3.7.19-200.el6.noarch.
> but when I download to
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.x86_64&selinux-policy-3.7.19-207.el6.noarch
> still hit this issue, so this is selinux-policy regression bug.

Just talked with lersek on IRC: in build 201 mgrepl implemented changes that prevent you from reproducing the bug. In order to reproduce the bug, use 200 or earlier, and to verify the fix, use 218 or later.
So I close this bug as WORKSFORME and will re-verify bug 911569 with selinux-218.

Best Regards,
sluo
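
The freeze/thaw exchange from the steps in the description, as an added example that is not part of the original report or of qemu-ga: it drives status, freeze, thaw over the guest agent socket, always thaws after a successful freeze, and flags the hook "Permission denied" error seen under Enforcing. The function names (classify, freeze_cycle, unix_transport, replay) are hypothetical, and the sample replies are copied from the transcripts above with the error's "data" field trimmed.

```python
import json
import socket

HOOK = "/usr/libexec/qemu-ga/fsfreeze-hook"  # hook path named in the reported error

def classify(reply_line):
    """Map one qemu-ga JSON reply line to (kind, detail)."""
    reply = json.loads(reply_line)
    if "error" not in reply:
        return ("ok", reply.get("return"))
    desc = reply["error"].get("desc", "")
    denied = HOOK in desc and "Permission denied" in desc
    return ("hook-denied" if denied else "error", desc)

def freeze_cycle(send, work=lambda: None):
    """status -> freeze -> work() -> thaw -> status via send(json_line) -> reply_line."""
    def call(cmd):
        return (cmd, classify(send(json.dumps({"execute": cmd}))))
    log = [call("guest-fsfreeze-status")]
    if log[-1][1] != ("ok", "thawed"):
        return log                      # unknown or already frozen: leave it alone
    log.append(call("guest-fsfreeze-freeze"))
    if log[-1][1][0] != "ok":
        return log                      # freeze refused, e.g. hook access denied
    try:
        work()                          # the backup/snapshot step would run here
    finally:
        log.append(call("guest-fsfreeze-thaw"))   # never leave the guest frozen
    log.append(call("guest-fsfreeze-status"))
    return log

def unix_transport(path="/tmp/qga.sock"):
    """Minimal transport for the chardev socket from step 1 (one connection per command)."""
    def send(line):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(line.encode() + b"\n")
            return s.makefile().readline()
    return send

def replay(lines):
    """Offline transport that answers with recorded reply lines in order."""
    it = iter(lines)
    return lambda _line: next(it)

# Replies copied from the report's Enforcing and Permissive transcripts.
ENFORCING = ['{"return": "thawed"}',
             '{"error": {"class": "GenericError", "desc": "can\'t access fsfreeze hook '
             '\'/usr/libexec/qemu-ga/fsfreeze-hook\': Permission denied"}}']
PERMISSIVE = ['{"return": "thawed"}', '{"return": 2}', '{"return": 2}', '{"return": "thawed"}']
```

Against a live guest, freeze_cycle(unix_transport()) runs the same sequence on the host; a "hook-denied" entry in the returned log corresponds to the Enforcing transcript above.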