Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1026706

Summary: Application-consistent online backup (qemu-ga freeze/thaw hooks for linux guests)
Product: Red Hat Enterprise Linux 6 Reporter: Sibiao Luo <sluo>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: chayang, dwalsh, juzhang, lersek, michen, qzhang, xfu
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-05 10:11:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sibiao Luo 2013-11-05 09:41:37 UTC 
Description of problem:
when we do bug-reverification for bug 911569 that it fail in the latest qemu-kvm & selinux.

Version-Release number of selected component (if applicable):
host info:
2.6.32-429.el6.x86_64
qemu-kvm-0.12.1.2-2.415.el6.x86_64
guest info:
qemu-guest-agent-0.12.1.2-2.415.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1.Start guest with virtio serial.
e.g:# /usr/libexec/qemu-kvm -S -M rhel6.5.0 ... -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0
2.install qemu-guest agent package in guest.
3.set FSFREEZE_HOOK_ENABLE=1 for /etc/sysconfig/qemu-ga in guest.
4.added a simple user script in guest.
# cat /usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
#!/bin/bash
echo "$0:" "$@"
5.# chmod 777 usr/libexec/qemu-ga/fsfreeze-hook.d/sample.sh
6.Reboot guest to make the configuration effect.
7.Start guest agent with fsfreeze hook enabled inside guest.
# qemu-ga -F on
8.Connect the chardev socket in host side for sending commands to guest.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-freeze" }
{"execute":"guest-fsfreeze-thaw"}

Actual results:
no matter selinux is Enforcing or Permissive, the "guest-fsfreeze-freeze" can run correctly.
# nc -U /tmp/qga.sock readline
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}

Expected results:
after step 8, test it with SELINUX = Enforcing|Permissive status.
- I.SELINUX = Enforcing:
# getenforce 
Enforcing
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"error": {"class": "GenericError", "desc": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied", "data": {"message": "can't access fsfreeze hook '/usr/libexec/qemu-ga/fsfreeze-hook': Permission denied"}}}
- II.SELINUX = Permissive
# setenforce 0
# getenforce 
Permissive
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{"execute":"guest-fsfreeze-freeze" }
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "frozen"}
{"execute":"guest-fsfreeze-thaw"}
{"return": 2}
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}

Additional info:
Comment 1 Sibiao Luo 2013-11-05 09:49:28 UTC 
We did bug verified in bug 911569#c17 with qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.x86_64&selinux-policy-3.7.19-200.el6.noarch.
but when i donwload to qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.x86_64&selinux-policy-3.7.19-207.el6.noarch still hit this issue, so this is selinux-policy regression bug.
Comment 2 Sibiao Luo 2013-11-05 10:11:39 UTC 
(In reply to Sibiao Luo from comment #1)
> We did bug verified in bug 911569#c17 with
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.
> x86_64&selinux-policy-3.7.19-200.el6.noarch.
> but when i donwload to
> qemu-kvm-0.12.1.2-2.370.el6.x86_64&qemu-guest-agent-0.12.1.2-2.370.el6.
> x86_64&selinux-policy-3.7.19-207.el6.noarch still hit this issue, so this is
> selinux-policy regression bug.

Just talked with lersek in IRC that in build 201 mgrepl implemented changes that prevent you from reproducing the bug. in order to reproduce the bug, use 200 or earlier and to verify the fix, use 218 or later. 
So i close this bug to WORKSFORME and will do re-verify the bug 911569 with selinux-218.

Best Regards,
sluo