Bug 1123894 - AVC deny messages: VirtualDomain resource agent will not start domain in enforcing [NEEDINFO]
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-28 14:55 UTC by michal novacek
Modified: 2015-02-25 12:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-25 12:47:02 UTC
mgrepl: needinfo? (mnovacek)


Attachments:
full 'ausearch -m avc' command output (345.51 KB, text/plain), 2014-07-28 14:55 UTC, michal novacek

Description michal novacek 2014-07-28 14:55:35 UTC
Created attachment 921778 [details]
full 'ausearch -m avc' command output

Description of problem:
AVC denials prevent the virtual machine resource in pacemaker from starting.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-246.el6.noarch
resource-agents-3.9.5-11.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. have virtual machine installed
2. add it as a resource to the cluster
3. set selinux enforcing mode
4. 'pcs resources enable' the virtual machine resource
5. set selinux to permissive mode
6. see the machine not starting

Additional info:

# pcs resource show R-duck-01-node01-qemu
 Resource: R-duck-01-node01-qemu (class=ocf provider=heartbeat type=VirtualDomain)
  Attributes: hypervisor=qemu:///system config=/var/lib/libvirt/qemu/duck-01-node01.xml 
  Operations: start interval=0s timeout=90 (R-duck-01-node01-qemu-start-timeout-90)
              stop interval=0s timeout=90 (R-duck-01-node01-qemu-stop-timeout-90)
              monitor interval=10 timeout=30 (R-duck-01-node01-qemu-monitor-interval-10)

# aureport -a 
...
548. 07/28/2014 16:09:24 prelink unconfined_u:system_r:prelink_mask_t:s0 188 file relabelto system_u:object_r:lib_t:s0 denied 976
549. 07/28/2014 16:09:24 prelink unconfined_u:system_r:prelink_mask_t:s0 87 file unlink system_u:object_r:lib_t:s0 denied 977
550. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file read unconfined_u:object_r:qemu_var_run_t:s0 denied 978
551. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file open unconfined_u:object_r:qemu_var_run_t:s0 denied 978
552. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 59 chr_file read write system_u:object_r:tun_tap_device_t:s0 denied 1001
553. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 59 chr_file read write system_u:object_r:vhost_device_t:s0 denied 1001
554. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 188 file relabelto system_u:object_r:lib_t:s0 denied 1002
555. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 87 file unlink system_u:object_r:lib_t:s0 denied 1003
556. 07/28/2014 16:09:25 prelink unconfined_u:system_r:prelink_t:s0 93 fifo_file setattr unconfined_u:system_r:cluster_t:s0 denied 1012
557. 07/28/2014 16:09:36 prelink unconfined_u:system_r:prelink_mask_t:s0 87 file unlink system_u:object_r:lib_t:s0 denied 1014
558. 07/28/2014 16:09:36 prelink unconfined_u:system_r:prelink_mask_t:s0 188 file relabelto system_u:object_r:lib_t:s0 denied 1013

Comment 2 Milos Malik 2014-07-28 15:09:03 UTC
The prelink issues are already filed as BZ#1103674. What I'm interested in are following AVCs. Unfortunately, they are not present in the attachment.

550. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file read unconfined_u:object_r:qemu_var_run_t:s0 denied 978
551. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file open unconfined_u:object_r:qemu_var_run_t:s0 denied 978

Comment 3 michal novacek 2014-07-28 15:17:49 UTC
I'm sorry -- I misspelled the hour when creating the aureport. Those denials are the following. It seems that config files cannot be read by the resource agent.

time->Mon Jul 28 16:09:24 2014
type=SYSCALL msg=audit(1406556564.804:978): arch=c000003e syscall=2 success=yes exit=9 a0=2083570 a1=0 a2=7fffcf8f80f0 a3=6576696c41734974 items=0 ppid=14228 pid=14229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1406556564.804:978): avc:  denied  { open } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file
type=AVC msg=audit(1406556564.804:978): avc:  denied  { read } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file

Comment 4 Miroslav Grepl 2014-07-30 10:48:31 UTC
Where is duck-01-node01.xml located?

Comment 5 Milos Malik 2014-08-04 13:36:18 UTC
One of our automated TCs produces the following AVC in enforcing mode:
----
time->Fri Aug  1 16:09:06 2014
type=SYSCALL msg=audit(1406923746.659:1770): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1 items=0 ppid=21422 pid=21427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1406923746.659:1770): avc:  denied  { create } for  pid=21427 comm="virsh" scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:system_r:xm_t:s0 tclass=unix_dgram_socket
----
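
The AVC records in comment 3 and comment 5 can be reduced to the (source type, target type, class, permissions) tuples that SELinux policy actually keys on. The following parser is an added example, not part of this report or of the selinux-policy or resource-agents projects; the sample records are copied from the two comments, and the only assumption is the standard auditd AVC line layout shown there.

```python
import re
from collections import defaultdict

# Audit records copied from comments 3 and 5 of this report (the SYSCALL
# line is included to show that non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1406556564.804:978): arch=c000003e syscall=2 success=yes exit=9 a0=2083570 a1=0 a2=7fffcf8f80f0 a3=6576696c41734974 items=0 ppid=14228 pid=14229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1406556564.804:978): avc:  denied  { open } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file
type=AVC msg=audit(1406556564.804:978): avc:  denied  { read } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file
type=AVC msg=audit(1406923746.659:1770): avc:  denied  { create } for  pid=21427 comm="virsh" scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:system_r:xm_t:s0 tclass=unix_dgram_socket
"""

# type=AVC msg=audit(<epoch>:<serial>): avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'serial': int(m.group('serial')), 'result': m.group('result'),
           'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize_denials(log_text):
    """Map (source type, target type, class) -> sorted list of denied permissions.
    Records sharing a serial number (the open/read pair above) come from one syscall."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}

if __name__ == '__main__':
    for (stype, ttype, tclass), perms in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}")
```

The first tuple (xm_t reading a qemu_var_run_t file) is the one the later comments resolve by moving the domain XML to a directory whose default label the policy already permits, rather than by widening the policy.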

Comment 6 michal novacek 2014-08-05 11:37:11 UTC
(In reply to Miroslav Grepl from comment #4)
>  Where is duck-01-node01.xml located?

It is located in the place I chose, which is /root/virsh-xml/qemu. I previously believed that a good location would be /var/lib/libvirt/xml (which I still do), but it has been suggested in bz1083125 to keep those configs elsewhere.

The question now might be: where is the proper place to store the xml files of the virtual machines so they get the proper selinux context?

Comment 7 Daniel Walsh 2014-08-05 13:27:31 UTC
Configuration in /etc should be ok.

Comment 8 michal novacek 2014-08-06 13:43:46 UTC
Would /etc/libvirt/xml/ work to store virtual machine xml files?

Comment 9 Daniel Walsh 2014-08-06 14:41:14 UTC
I would think so.

Comment 10 Miroslav Grepl 2014-09-01 09:42:20 UTC
If you change the location, does it work then?

