
Bug 1123894

Summary: AVC deny messages: VirtualDomain resource agent will not start domain in enforcing
Product: Red Hat Enterprise Linux 6
Reporter: michal novacek <mnovacek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: dwalsh, mmalik, mnovacek
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-25 12:47:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: full 'ausearch -m avc' command output (flags: none)

Description michal novacek 2014-07-28 14:55:35 UTC
Created attachment 921778 [details]
full 'ausearch -m avc' command output

Description of problem:
AVC denials prevent the virtual machine resource in pacemaker from starting.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-246.el6.noarch
resource-agents-3.9.5-11.el6.x86_64

How reproducible: always

Steps to Reproduce:
1. have virtual machine installed
2. add it as a resource to the cluster
3. set selinux enforcing mode
4. 'pcs resources enable' the virtual machine resource
5. set selinux to permissive mode
6. see the machine not starting

Additional info:

# pcs resource show R-duck-01-node01-qemu
 Resource: R-duck-01-node01-qemu (class=ocf provider=heartbeat type=VirtualDomain)
  Attributes: hypervisor=qemu:///system config=/var/lib/libvirt/qemu/duck-01-node01.xml 
  Operations: start interval=0s timeout=90 (R-duck-01-node01-qemu-start-timeout-90)
              stop interval=0s timeout=90 (R-duck-01-node01-qemu-stop-timeout-90)
              monitor interval=10 timeout=30 (R-duck-01-node01-qemu-monitor-interval-10)

# aureport -a 
...
548. 07/28/2014 16:09:24 prelink unconfined_u:system_r:prelink_mask_t:s0 188 file relabelto system_u:object_r:lib_t:s0 denied 976
549. 07/28/2014 16:09:24 prelink unconfined_u:system_r:prelink_mask_t:s0 87 file unlink system_u:object_r:lib_t:s0 denied 977
550. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file read unconfined_u:object_r:qemu_var_run_t:s0 denied 978
551. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file open unconfined_u:object_r:qemu_var_run_t:s0 denied 978
552. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 59 chr_file read write system_u:object_r:tun_tap_device_t:s0 denied 1001
553. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 59 chr_file read write system_u:object_r:vhost_device_t:s0 denied 1001
554. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 188 file relabelto system_u:object_r:lib_t:s0 denied 1002
555. 07/28/2014 16:09:25 prelink system_u:system_r:prelink_mask_t:s0:c614,c790 87 file unlink system_u:object_r:lib_t:s0 denied 1003
556. 07/28/2014 16:09:25 prelink unconfined_u:system_r:prelink_t:s0 93 fifo_file setattr unconfined_u:system_r:cluster_t:s0 denied 1012
557. 07/28/2014 16:09:36 prelink unconfined_u:system_r:prelink_mask_t:s0 87 file unlink system_u:object_r:lib_t:s0 denied 1014
558. 07/28/2014 16:09:36 prelink unconfined_u:system_r:prelink_mask_t:s0 188 file relabelto system_u:object_r:lib_t:s0 denied 1013

Comment 2 Milos Malik 2014-07-28 15:09:03 UTC
The prelink issues are already filed as BZ#1103674. What I'm interested in are the following AVCs. Unfortunately, they are not present in the attachment.

550. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file read unconfined_u:object_r:qemu_var_run_t:s0 denied 978
551. 07/28/2014 16:09:24 virsh unconfined_u:system_r:xm_t:s0 2 file open unconfined_u:object_r:qemu_var_run_t:s0 denied 978

Comment 3 michal novacek 2014-07-28 15:17:49 UTC
I'm sorry -- I misspelled the hour when creating the aureport. Those denials are the following. It seems that config files cannot be read by the resource agent.

time->Mon Jul 28 16:09:24 2014
type=SYSCALL msg=audit(1406556564.804:978): arch=c000003e syscall=2 success=yes exit=9 a0=2083570 a1=0 a2=7fffcf8f80f0 a3=6576696c41734974 items=0 ppid=14228 pid=14229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1406556564.804:978): avc:  denied  { open } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file
type=AVC msg=audit(1406556564.804:978): avc:  denied  { read } for  pid=14229 comm="virsh" name="duck-01-node01.xml" dev=dm-0 ino=1181743 scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:object_r:qemu_var_run_t:s0 tclass=file

Comment 4 Miroslav Grepl 2014-07-30 10:48:31 UTC
Where is duck-01-node01.xml located?

Comment 5 Milos Malik 2014-08-04 13:36:18 UTC
One of our automated TCs produces the following AVC in enforcing mode:
----
time->Fri Aug  1 16:09:06 2014
type=SYSCALL msg=audit(1406923746.659:1770): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=1 items=0 ppid=21422 pid=21427 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1406923746.659:1770): avc:  denied  { create } for  pid=21427 comm="virsh" scontext=unconfined_u:system_r:xm_t:s0 tcontext=unconfined_u:system_r:xm_t:s0 tclass=unix_dgram_socket
----

Comment 6 michal novacek 2014-08-05 11:37:11 UTC
(In reply to Miroslav Grepl from comment #4)
>  Where is duck-01-node01.xml located?

It is located in the place I chose, which is /root/virsh-xml/qemu. I previously believed that a good location would be /var/lib/libvirt/xml (which I still do), but it has been suggested in bz1083125 to keep those configs elsewhere.

The question now might be where the proper place is to store the xml files of the virtual machines so that they get the proper selinux context.

Comment 7 Daniel Walsh 2014-08-05 13:27:31 UTC
Configuration in /etc should be ok.

Comment 8 michal novacek 2014-08-06 13:43:46 UTC
Would /etc/libvirt/xml/ work to store virtual machine xml files?

Comment 9 Daniel Walsh 2014-08-06 14:41:14 UTC
I would think so.

Comment 10 Miroslav Grepl 2014-09-01 09:42:20 UTC
If you change the location, does it work then?

Comment 12 Red Hat Bugzilla 2023-09-14 02:12:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days