Bug 1455994 - selinux AVC denial seen when qemu-kvm process tries to write in to /var/run/gluster
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: Gluster-HC-3 1456199 RHHI-1.1-Approved-Backlog-BZs
Reported: 2017-05-26 15:18 UTC by SATHEESARAN
Modified: 2017-08-28 10:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:26:23 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2017:1861 (priority: normal, status: SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Description SATHEESARAN 2017-05-26 15:18:01 UTC
Description of problem:
-----------------------
When triggering the statedump of the gfapi application (QEMU), an AVC denial is logged in audit.log and the statedump is not dumped into /var/run/gluster

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
RHEL 7.3 ( 3.10.0-514.16.1.el7.x86_64 )
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.16.noarch
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
RHGS 3.3.0 interim build ( glusterfs-3.8.4-25.el7rhgs )

How reproducible:
------------------
Always

Steps to Reproduce:
-------------------
1. Create a QEMU process that uses the QEMU driver for glusterfs (libgfapi)
2. Trigger gfapi application statedump from gluster node

Actual results:
---------------
No gfapi statedump under /var/run/gluster, and an AVC denial message is logged in audit.log

Expected results:
-----------------
The gfapi application should dump the statedump under /var/run/gluster


Additional info:
----------------
Snip from audit.log
<snip>
type=AVC msg=audit(1495796194.193:981): avc:  denied  { write } for  pid=14873 comm="qemu-kvm" name="gluster" dev="tmpfs" ino=109984 scontext=system_u:system_r:svirt_t:s0:c399,c698 tcontext=system_u:object_r:glusterd_var_run_t:s0 tclass=dir
</snip>
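The AVC record above, parsed by a small Python script added here for illustration (it is not part of the bug report or of selinux-policy): it pulls out the source and target types, the object class and the denied permission, and renders the matching TE allow rule, which is the check to run when confirming that a policy update actually covers the denial. The SYSCALL line in the sample is constructed.

```python
import re

# Constructed sample input: the AVC record quoted in the bug report, followed by a
# made-up SYSCALL record so the parser has a non-AVC line to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1495796194.193:981): avc:  denied  { write } for  pid=14873 comm="qemu-kvm" name="gluster" dev="tmpfs" ino=109984 scontext=system_u:system_r:svirt_t:s0:c399,c698 tcontext=system_u:object_r:glusterd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1495796194.193:981): arch=c000003e syscall=83 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict for AVC records and None for anything else."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "decision": m.group("decision"),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def suggested_rule(rec):
    """Render the TE allow rule that would cover this denial, in the form audit2allow prints."""
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perms};"

def find_denials(log_text, stype, ttype):
    """Return AVC denials in which domain `stype` was refused access to `ttype`-labelled objects."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied" and (rec["stype"], rec["ttype"]) == (stype, ttype):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG, "svirt_t", "glusterd_var_run_t"):
        print(f"pid={rec['pid']} comm={rec['comm']} name={rec['name']} -> {suggested_rule(rec)}")
```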

Comment 2 SATHEESARAN 2017-05-27 16:00:32 UTC
Tested with RHEL 7.4 and the issue still persists

List of RPMs along with their versions in the RHEL 7.4 Beta setup:

kernel-tools-3.10.0-671.el7.x86_64
kernel-tools-libs-3.10.0-671.el7.x86_64
kernel-3.10.0-671.el7.x86_64

selinux-policy-targeted-3.13.1-152.el7.noarch
libselinux-utils-2.5-11.el7.x86_64
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
glusterfs-libs-3.8.4-25.el7.x86_64
glusterfs-client-xlators-3.8.4-25.el7.x86_64
glusterfs-fuse-3.8.4-25.el7.x86_64
glusterfs-3.8.4-25.el7.x86_64

libvirt-daemon-driver-qemu-3.2.0-6.el7.x86_64
qemu-kvm-common-1.5.3-139.el7.x86_64
qemu-kvm-1.5.3-139.el7.x86_64
ipxe-roms-qemu-20170123-1.git4e85b27.el7.noarch
qemu-img-1.5.3-139.el7.x86_64

Comment 8 errata-xmlrpc 2017-08-01 15:26:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
