1305768 – Couldn't create local storage domain with SELinux enforcing

Bug 1305768 - Couldn't create local storage domain with SELinux enforcing

Summary: Couldn't create local storage domain with SELinux enforcing

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	vdsm
Classification:	oVirt
Component:	General
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	ovirt-4.0.0-alpha
Target Release:	4.17.999
Assignee:	Amit Aviram
QA Contact:	Elad
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1278051 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-09 08:07 UTC by Sandro Bonazzola
Modified:	2016-08-10 15:14 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ovirt 4.0.0 alpha1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-05 07:47:47 UTC
oVirt Team:	Storage
Embargoed:
Dependent Products:
Flags:	rule-engine: ovirt-4.0.0+ rule-engine: planning_ack+ rule-engine: devel_ack+ acanan: testing_ack+

Attachments	(Terms of Use)
sosreport -o ovirt,vdsm (4.96 MB, application/x-xz) 2016-02-09 08:07 UTC, Sandro Bonazzola	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	53688	0	None	None	None	2016-02-18 08:36:33 UTC

Description Sandro Bonazzola 2016-02-09 08:07:51 UTC

Created attachment 1122349 [details]
sosreport -o ovirt,vdsm

While testing oVirt Live patches I've seen errors while creating a local storage domain with SELinux enforcing.
Moving SELinux to permissive solved the issue.

Attaching sosreport for vdsm and engine.

Comment 1 Nir Soffer 2016-02-10 07:31:43 UTC

Can you repeat the failed attempt and share the output of:

    ausearch -m AVC

Comment 2 Amit Aviram 2016-02-14 10:29:19 UTC

Hi Sandro
Can you please provide more information for the bug reproduction?
When you added the host to the system, SELinux was enforcing? or did you set it to enforce only after?

Comment 3 Amit Aviram 2016-02-14 10:51:39 UTC

How reproducible:
100%

Steps to reproduce:
- Add a host to the system with SELinux enfocing, put it on maintenance mode.
- Configure a local storage to that host:
- - At the host run:
- - - mkdir -p /data/images
- - - chown 36:36 /data /data/images
- - - chmod 0755 /data /data/images
- - Configure the path of the local storage to be "/data/images"
- - Press "OK"


Actual results:
Datacenter fails to initialize.

Expected results:
Datacenter should be initialized successfully.

Comment 4 Nir Soffer 2016-02-14 17:31:28 UTC

Amit, Sandro, we need the AVC report from selinux, see comment 1.

Comment 5 Amit Aviram 2016-02-15 07:14:53 UTC

Output of ausearch, after a failed operation:
---
time->Mon Feb 15 09:10:25 2016
type=SYSCALL msg=audit(1455520225.877:2526): arch=c000003e syscall=2 success=no exit=-13 a0=7eff940009c8 a1=105002 a2=0 a3=1 items=0 ppid=1 pid=31557 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1455520225.877:2526): avc:  denied  { read write } for  pid=31557 comm="sanlock" name="ids" dev="dm-0" ino=783401 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
---

Output after a successful operation:
---------
time->Mon Feb 15 09:12:54 2016
type=SYSCALL msg=audit(1455520374.244:2584): arch=c000003e syscall=5 success=yes exit=0 a0=c a1=7effa6384ad0 a2=7effa6384ad0 a3=0 items=0 ppid=1 pid=31652 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1455520374.244:2584): avc:  denied  { getattr } for  pid=31652 comm="sanlock" path="/data/images/74f9a70d-671b-4b4f-8b95-9836ff5deac7/dom_md/ids" dev="dm-0" ino=783403 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file

Comment 6 Fred Rolland 2016-02-15 08:35:39 UTC

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1278051

I checked local storage on RHEL 7.2 with SELInux Enforcing and it worked fine.

Comment 7 Amit Aviram 2016-02-15 14:28:39 UTC

Seems like the issue still exists in 7.2 updated environment ..

Comment 8 Miroslav Grepl 2016-02-15 14:36:56 UTC

Ok, it means there is not a policy rule allowing sanlock_t to access generic default_t type.

We need to find a writeable file type label for sanlock.


# chcon -R -t virt_var_lib_t /data/images

for testing.

Comment 9 Amit Aviram 2016-02-15 14:59:19 UTC

So Miroslav, (In reply to Miroslav Grepl from comment #8)
> Ok, it means there is not a policy rule allowing sanlock_t to access generic
> default_t type.
> 
> We need to find a writeable file type label for sanlock.
> 
> 
> # chcon -R -t virt_var_lib_t /data/images
> 
> for testing.

This makes the flow to succeed, with SELinux enforcing.
Miroslav- does that something to be done on our side or yours?

Thanks a lot.

Comment 10 Miroslav Grepl 2016-02-15 17:10:51 UTC

(In reply to Amit Aviram from comment #9)
> So Miroslav, (In reply to Miroslav Grepl from comment #8)
> > Ok, it means there is not a policy rule allowing sanlock_t to access generic
> > default_t type.
> > 
> > We need to find a writeable file type label for sanlock.
> > 
> > 
> > # chcon -R -t virt_var_lib_t /data/images
> > 
> > for testing.
> 
> This makes the flow to succeed, with SELinux enforcing.
> Miroslav- does that something to be done on our side or yours?
> 
> Thanks a lot.

Yes, it should a part of a script.

mkdir -p /data/images

semanage fcontext -a -t virt_var_lib_t "/data/images(/.*)?
restorecon -R -v /data/images

Comment 11 Fred Rolland 2016-02-17 12:41:30 UTC

*** Bug 1278051 has been marked as a duplicate of this bug. ***

Comment 12 Amit Aviram 2016-02-18 08:06:19 UTC

We have found out that all of this SELinux label managing is just unnecessary, as the bug is that we are even trying to use sanlock for locking local storage. patch is posted.

Comment 13 Allon Mureinik 2016-02-21 11:51:08 UTC

Is this a regression in 4.0, or does it reproduce in 3.6.z too? If so, the patch should be backported.

Comment 14 Amit Aviram 2016-02-21 11:59:29 UTC

It does not reproduce in 3.6, the patch which introduced this bug exists only in master. (the exact bug is mentioned in my comment in gerrit)

Comment 15 Elad 2016-04-14 11:52:44 UTC

Local DC initialization succeeds using:
vdsm-4.17.999-917.gitc116919.el7.centos.noarch 
selinux-policy-3.13.1-60.el7.noarch
ovirt-engine-4.0.0-0.0.master.20160406161747.gita4ecba2.el7.centos.noarch

Comment 16 Sandro Bonazzola 2016-07-05 07:47:47 UTC

oVirt 4.0.0 has been released, closing current release.

Comment 17 ahauser 2016-08-10 08:05:57 UTC

(In reply to Amit Aviram from comment #14)
> It does not reproduce in 3.6, the patch which introduced this bug exists
> only in master. (the exact bug is mentioned in my comment in gerrit)

I'm affected by this bug on 3.6.8.1-0.1.el6. 
Setting SELinux to Permissive solve the issue.

I think this bug should be opened.

Comment 18 Allon Mureinik 2016-08-10 15:14:36 UTC

(In reply to ahauser from comment #17)
> (In reply to Amit Aviram from comment #14)
> > It does not reproduce in 3.6, the patch which introduced this bug exists
> > only in master. (the exact bug is mentioned in my comment in gerrit)
> 
> I'm affected by this bug on 3.6.8.1-0.1.el6. 
> Setting SELinux to Permissive solve the issue.
> 
> I think this bug should be opened.
It's a mute point by now, unfortunately. It's solved in 4.0 and there are no more 3.6.z releases. 

Updating to any vdsm-14.18.z should solve the issue on your env.

Note You need to log in before you can comment on or make changes to this bug.