Bug 1168906 - Selinux is preventing sanlock from opening /var/run/vdsm/storage/...
Summary: Selinux is preventing sanlock from opening /var/run/vdsm/storage/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-11-28 11:46 UTC by Sandro Bonazzola
Modified: 2015-03-10 00:56 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.12.1-197.fc20
Clone Of:
Environment:
Last Closed: 2015-03-10 00:56:10 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Sandro Bonazzola 2014-11-28 11:46:58 UTC 
Description of problem:
while deploying oVirt Hosted Engine I got in sanlock.log:
2014-11-28 12:35:41+0100 12204 [1686]: open error -13 /var/run/vdsm/storage/b32ffb30-d717-4619-a291-027bd1bb4b0f/0f112190-9d99-4534-a14b-59d74d3b1991/d466c4dc-42b8-47a8-863d-94c6eb9febca

# ausearch -ts today -m avc
----
time->Fri Nov 28 12:35:41 2014
type=PROCTITLE msg=audit(1417174541.965:835): proctitle=73616E6C6F636B006461656D6F6E002D550073616E6C6F636B002D470073616E6C6F636B
type=SYSCALL msg=audit(1417174541.965:835): arch=c000003e syscall=2 success=no exit=-13 a0=7f0c59b6a3d0 a1=105002 a2=0 a3=1 items=0 ppid=1 pid=1686 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1417174541.965:835): avc:  denied  { search } for  pid=1686 comm="sanlock" name="vdsm" dev="tmpfs" ino=26123 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=0


Version-Release number of selected component (if applicable):
# rpm -qa | egrep "(vdsm|sanlock|selinux-policy)"|sort
libvirt-lock-sanlock-1.1.3.8-1.fc20.x86_64
sanlock-3.0.0-2.fc20.x86_64
sanlock-lib-3.0.0-2.fc20.x86_64
sanlock-python-3.0.0-2.fc20.x86_64
selinux-policy-3.12.1-193.fc20.noarch
selinux-policy-targeted-3.12.1-193.fc20.noarch
vdsm-4.17.0-51.gitf943da9.fc20.x86_64
vdsm-cli-4.17.0-51.gitf943da9.fc20.noarch
vdsm-infra-4.17.0-51.gitf943da9.fc20.noarch
vdsm-jsonrpc-4.17.0-51.gitf943da9.fc20.noarch
vdsm-python-4.17.0-51.gitf943da9.fc20.noarch
vdsm-xmlrpc-4.17.0-51.gitf943da9.fc20.noarch
vdsm-yajsonrpc-4.17.0-51.gitf943da9.fc20.noarch

How reproducible:
100%
Comment 1 Sandro Bonazzola 2014-11-28 11:47:50 UTC 
Looks like something related to bug #1005950
Comment 2 Daniel Walsh 2015-01-02 14:45:47 UTC 
e177a276a72197fc831f7b596d4a44ee5f5e70f1 fixes this in git.
Comment 3 Lukas Vrabec 2015-01-23 21:23:23 UTC 
commit 67bb57276e0402416d481e62cc3bebfbe7dd47fb
Author: Dan Walsh <dwalsh>
Date:   Fri Jan 2 09:45:26 2015 -0500

    Allow sanlock to read virt pid files
Comment 4 Fedora Update System 2015-01-27 16:57:02 UTC 
selinux-policy-3.12.1-197.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-197.fc20
Comment 5 Fedora Update System 2015-01-30 04:41:55 UTC 
Package selinux-policy-3.12.1-197.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-197.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1398/selinux-policy-3.12.1-197.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2015-03-10 00:56:10 UTC 
selinux-policy-3.12.1-197.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.