Bug 1376403 - selinux prevents nova to use virtlogd
Summary: selinux prevents nova to use virtlogd
Keywords:
Status: CLOSED DUPLICATE of bug 1375766
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
: 10.0 (Newton)
Assignee: Ryan Hallisey
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-15 11:31 UTC by Attila Fazekas
Modified: 2017-12-27 13:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-15 17:23:10 UTC
Target Upstream Version:
Embargoed:



Description Attila Fazekas 2016-09-15 11:31:34 UTC
Description of problem:
SELinux prevented nova from using virtlogd;
nova should be able to use it.


Version-Release number of selected component (if applicable):
libvirt-client-2.0.0-4.el7.x86_64
openstack-nova-console-14.0.0-0.20160907211856.14d816e.el7ost.noarch
openstack-nova-network-14.0.0-0.20160907211856.14d816e.el7ost.noarch
libvirt-daemon-driver-network-2.0.0-4.el7.x86_64
openstack-nova-compute-14.0.0-0.20160907211856.14d816e.el7ost.noarch
libselinux-ruby-2.5-4.el7.x86_64
python-nova-14.0.0-0.20160907211856.14d816e.el7ost.noarch
openstack-nova-conductor-14.0.0-0.20160907211856.14d816e.el7ost.noarch
libvirt-daemon-driver-nodedev-2.0.0-4.el7.x86_64
libvirt-daemon-driver-storage-2.0.0-4.el7.x86_64
libvirt-daemon-kvm-2.0.0-4.el7.x86_64
libselinux-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch
openstack-selinux-0.7.7-1.el7ost.noarch
openstack-nova-novncproxy-14.0.0-0.20160907211856.14d816e.el7ost.noarch
openstack-nova-api-14.0.0-0.20160907211856.14d816e.el7ost.noarch
libvirt-daemon-driver-nwfilter-2.0.0-4.el7.x86_64
libvirt-daemon-driver-qemu-2.0.0-4.el7.x86_64
puppet-nova-9.2.0-0.20160903010657.a8e3d48.el7ost.noarch
libselinux-devel-2.5-4.el7.x86_64
openstack-nova-common-14.0.0-0.20160907211856.14d816e.el7ost.noarch
openstack-nova-scheduler-14.0.0-0.20160907211856.14d816e.el7ost.noarch
libvirt-daemon-config-nwfilter-2.0.0-4.el7.x86_64
openstack-nova-cert-14.0.0-0.20160907211856.14d816e.el7ost.noarch
selinux-policy-3.13.1-93.el7.noarch
libvirt-python-2.0.0-2.el7.x86_64
libselinux-utils-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64
python-novaclient-6.0.0-0.20160902092852.25117fa.el7ost.noarch
libvirt-daemon-2.0.0-4.el7.x86_64
libvirt-daemon-driver-interface-2.0.0-4.el7.x86_64
libvirt-daemon-driver-secret-2.0.0-4.el7.x86_64


How reproducible:
always

Steps to Reproduce:
1. try to boot a vm
nova boot --flavor 2eb3e78b-515c-4340-977e-5cccb9936683 --image 8155d7d0-37d2-459d-a491-bfc3ad062c3e foo5

Actual results:
/var/log/nova/nova-compute.log:
2016-09-15 06:11:02.558 26104 ERROR nova.compute.manager [instance: 102910b7-f0de-4d4c-9a26-c9171aa64c25]   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1065, in createWithFlags
2016-09-15 06:11:02.558 26104 ERROR nova.compute.manager [instance: 102910b7-f0de-4d4c-9a26-c9171aa64c25]     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
2016-09-15 06:11:02.558 26104 ERROR nova.compute.manager [instance: 102910b7-f0de-4d4c-9a26-c9171aa64c25] libvirtError: Unable to open file: /var/lib/nova/instances/102910b7-f0de-4d4c-9a26-c9171aa64c25/console.log: Permission denied



Expected results:
Nova is able to use virtlogd.

Additional info:
# audit2allow  -v -e -a


#============= virtlogd_t ==============
# audit(1473934176.214:11238):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="dir" perms="search"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473934176.214:11238): avc:  denied  { search }
#   for  pid=25752 comm="virtlogd" name="nova" dev="vda1" ino=900514
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir"
# audit(1473934262.327:11390):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="dir" perms="search"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473934262.327:11390): avc:  denied  { search }
#   for  pid=25752 comm="virtlogd" name="nova" dev="vda1" ino=900514
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir"
allow virtlogd_t nova_var_lib_t:dir search;
# audit(1473934343.309:11542):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="open"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log"
#  message="type=AVC msg=audit(1473934343.309:11542): avc:  denied  { open } for
#   pid=25752 comm="virtlogd" path="/var/lib/nova/instances/1934ba36-d579-4c25
#   -981c-67ae9800ae89/console.log" dev="vda1" ino=1025725
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473934343.309:11542):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="append"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473934343.309:11542): avc:  denied  { append }
#   for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025725
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473934343.310:11543):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="getattr"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log"
#  message="type=AVC msg=audit(1473934343.310:11543): avc:  denied  { getattr }
#   for  pid=25752 comm="virtlogd"
#   path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-
#   67ae9800ae89/console.log" dev="vda1" ino=1025725
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938042.799:12258):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="open"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log"
#  message="type=AVC msg=audit(1473938042.799:12258): avc:  denied  { open } for
#   pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-
#   4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938042.799:12258):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="append"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473938042.799:12258): avc:  denied  { append }
#   for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938042.800:12259):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="getattr"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log"
#  message="type=AVC msg=audit(1473938042.800:12259): avc:  denied  { getattr }
#   for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-
#   4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938061.837:12437):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="open"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log"
#  message="type=AVC msg=audit(1473938061.837:12437): avc:  denied  { open } for
#   pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-
#   4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938061.837:12437):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="append"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473938061.837:12437): avc:  denied  { append }
#   for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
# audit(1473938061.838:12438):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:object_r:nova_var_lib_t:s0"
#  class="file" perms="getattr"
#  comm="virtlogd" exe="" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log"
#  message="type=AVC msg=audit(1473938061.838:12438): avc:  denied  { getattr }
#   for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-
#   4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file"
allow virtlogd_t nova_var_lib_t:file { append getattr open };
# audit(1473934343.309:11542):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023"
#  class="capability" perms="dac_override"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473934343.309:11542): avc:  denied  {
#   dac_override } for  pid=25752 comm="virtlogd" capability=1
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability"
# audit(1473938042.799:12258):
#  scontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023" tcontext="system_u:system_r:virtlogd_t:s0-s0:c0.c1023"
#  class="capability" perms="dac_override"
#  comm="virtlogd" exe="" path=""
#  message="type=AVC msg=audit(1473938042.799:12258): avc:  denied  {
#   dac_override } for  pid=25752 comm="virtlogd" capability=1
#   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
#   tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability"
allow virtlogd_t self:capability dac_override;

# audit2allow  -w -a
type=AVC msg=audit(1473934176.214:11238): avc:  denied  { search } for  pid=25752 comm="virtlogd" name="nova" dev="vda1" ino=900514 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473934262.327:11390): avc:  denied  { search } for  pid=25752 comm="virtlogd" name="nova" dev="vda1" ino=900514 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473934343.309:11542): avc:  denied  { open } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473934343.309:11542): avc:  denied  { append } for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473934343.309:11542): avc:  denied  { dac_override } for  pid=25752 comm="virtlogd" capability=1  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473934343.310:11543): avc:  denied  { getattr } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938042.799:12258): avc:  denied  { open } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938042.799:12258): avc:  denied  { append } for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938042.799:12258): avc:  denied  { dac_override } for  pid=25752 comm="virtlogd" capability=1  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938042.800:12259): avc:  denied  { getattr } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938061.837:12437): avc:  denied  { open } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938061.837:12437): avc:  denied  { append } for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1473938061.838:12438): avc:  denied  { getattr } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

[root@18d40791866922f30b245a9a78536be7aio-1 tempest-dir(keystone_admin)]# audit2allow  -v -a


#============= virtlogd_t ==============
# src="virtlogd_t" tgt="nova_var_lib_t" class="dir", perms="search"
# comm="virtlogd" exe="" path=""
allow virtlogd_t nova_var_lib_t:dir search;
# src="virtlogd_t" tgt="nova_var_lib_t" class="file", perms="{ append getattr open }"
# comm="virtlogd" exe="" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log"
allow virtlogd_t nova_var_lib_t:file { append getattr open };
# src="virtlogd_t" tgt="virtlogd_t" class="capability", perms="dac_override"
# comm="virtlogd" exe="" path=""
allow virtlogd_t self:capability dac_override;

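The `audit2allow` output above merges the raw AVC records into three allow rules. The following is an added example, not code from this bug or from audit2allow itself: it parses `type=AVC` records of the shape quoted above into (source type, target type, class) buckets and emits the same three rules, so the merge audit2allow performs is visible. The sample records are constructed from the denials in the report, with one extra `granted` record (constructed) to show that non-denials are skipped. It also lists any `capability` grants separately, because a rule such as `allow virtlogd_t self:capability dac_override;` applies to the whole domain rather than to one path and is therefore the line a policy maintainer reviews before loading a generated module; that review step is this example's addition, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records in the shape of the denials quoted in
# this bug, plus one "granted" record (constructed) to show it is ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1473934176.214:11238): avc:  denied  { search } for  pid=25752 comm="virtlogd" name="nova" dev="vda1" ino=900514 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1473934343.309:11542): avc:  denied  { open } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1473934343.309:11542): avc:  denied  { append } for  pid=25752 comm="virtlogd" name="console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1473934343.309:11542): avc:  denied  { dac_override } for  pid=25752 comm="virtlogd" capability=1  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1473934343.310:11543): avc:  denied  { getattr } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/1934ba36-d579-4c25-981c-67ae9800ae89/console.log" dev="vda1" ino=1025725 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1473938042.799:12258): avc:  denied  { open } for  pid=25752 comm="virtlogd" path="/var/lib/nova/instances/874c37c5-427c-4e21-a474-3365842a956f/console.log" dev="vda1" ino=1025731 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1473934176.214:11239): avc:  granted  { search } for  pid=25752 comm="virtlogd" name="lib" dev="vda1" ino=100 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

# One AVC record: verdict, permission set, free-form key=value fields, then the
# three labels the decision was made on. The fields vary by object class
# (name=/path= for files and dirs, capability= for capabilities).
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def parse_avc(text):
    """Parse AVC records into dicts; records that are not 'denied' are dropped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        events.append({
            'perms': set(m.group('perms').split()),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'comm': fields.get('comm', ''),
            'path': fields.get('path') or fields.get('name', ''),
        })
    return events


def allow_rules(events):
    """Merge denials into one TE allow rule per (source, target, class),
    the same shape audit2allow prints for this bug."""
    merged = defaultdict(set)
    for ev in events:
        merged[(ev['stype'], ev['ttype'], ev['tclass'])] |= ev['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        # A domain acting on its own type is written as "self".
        target = 'self' if stype == ttype else ttype
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return rules


def capability_grants(events):
    """Return (domain, capability) pairs: a capability rule is not scoped to a
    path, so it is the part of a generated module to review before loading."""
    return sorted({(ev['stype'], p) for ev in events
                   if ev['tclass'] == 'capability' for p in ev['perms']})


if __name__ == '__main__':
    evs = parse_avc(SAMPLE_AVC)
    for rule in allow_rules(evs):
        print(rule)
    for domain, cap in capability_grants(evs):
        print('# review: %s requests capability %s' % (domain, cap))
```

Run against the constructed sample the script prints the three rules in the report (`dir search`, `file { append getattr open }`, `self:capability dac_override`) followed by one review line for the capability. The `dac_override` denial is usually a symptom of a DAC mismatch on the target (ownership or mode) rather than something a policy should grant; the review line exists so that the path-scoped rules can be shipped while the capability rule is checked separately.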
Comment 2 Ryan Hallisey 2016-09-15 17:23:10 UTC

*** This bug has been marked as a duplicate of bug 1375766 ***

