
Bug 1465276

Summary: vhostmd has no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest
Product: Red Hat Enterprise Linux 7
Reporter: yafu <yafu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: dyuan, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, xchen, yafu, zpeng
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-205.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 10:00:43 UTC
Type: Bug

Description yafu 2017-06-27 05:58:22 UTC
Description of problem:
vhostmd has no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-165.el7.noarch
libvirt-3.2.0-14.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vhostmd and start the vhostmd service:
# yum -y install vhostmd
# systemctl start vhostmd

2. Check the SELinux context of /dev/shm/vhostmd0:
# ll -Z /dev/shm/vhostmd0
-rw-r--r--. root root system_u:object_r:vhostmd_tmpfs_t:s0 /dev/shm/vhostmd0

3. Attach /dev/shm/vhostmd0 to a running guest:
# cat disk-vhostmd.xml
<disk type='file' device='disk'>
  <driver name='qemu' type='raw'/>
  <source file='/dev/shm/vhostmd0'/>
  <target dev='vdb' bus='virtio'/>
</disk>
# virsh attach-device full-73 disk-vhostmd.xml
Device attached successfully

# virsh domblklist full-73
Target     Source
------------------------------------------------
hdc        /var/lib/libvirt/images/shareable.iso
vda        /nfs-images/yafu/rhel7.2.qcow2
vdb        /dev/shm/vhostmd0

4. Check the SELinux context of /dev/shm/vhostmd0 after step 3:
# ll -Z /dev/shm/vhostmd0
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c195,c606 /dev/shm/vhos

5. Check the vhostmd service status after step 4:
# systemctl status vhostmd
● vhostmd.service - LSB: Virtualization host metrics daemon
   Loaded: loaded (/etc/rc.d/init.d/vhostmd; bad; vendor preset: disabled)
   Active: active (running) since Tue 2017-06-27 10:32:07 CST; 47min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29477 ExecStop=/etc/rc.d/init.d/vhostmd stop (code=exited, status=0/SUCCESS)
  Process: 29489 ExecStart=/etc/rc.d/init.d/vhostmd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/vhostmd.service
           └─29502 /usr/sbin/vhostmd --user vhostmd --connect qemu:///system

Jun 27 11:10:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
Jun 27 11:11:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
...

Actual results:
vhostmd has no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Expected results:
vhostmd should have permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Additional info:
1. See the error info in the syslog:
# cat /var/log/messages
...
Jun 27 11:20:40 localhost setroubleshoot: failed to retrieve rpm info for /dev/shm/vhostmd0
Jun 27 11:20:40 localhost setroubleshoot: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0. For complete SELinux messages run: sealert -l 9f9673b0-4e00-41f0-bb9e-ade129b66c28
Jun 27 11:20:40 localhost python: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vhostmd should be allowed write access on the vhostmd0 file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vhostmd' --raw | audit2allow -M my-vhostmd#012# semodule -i my-vhostmd.pp#012
...

Comment 2 Milos Malik 2017-06-27 06:37:26 UTC
Could you re-run your scenario in permissive mode and collect SELinux denials in raw form?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 3 yafu 2017-06-27 08:21:47 UTC
(In reply to Milos Malik from comment #2)
> Could you re-run your scenario in permissive mode and collect SELinux
> denials in raw form?
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
> 
> Thank you.

The SELinux denials in raw form are as follows:
type=PROCTITLE msg=audit(06/27/2017 15:15:18.457:12111) : proctitle=/usr/sbin/vhostmd --user vhostmd --connect qemu:///system 
type=SYSCALL msg=audit(06/27/2017 15:15:18.457:12111) : arch=x86_64 syscall=write success=yes exit=4 a0=0x4 a1=0x607354 a2=0x4 a3=0x5 items=0 ppid=1 pid=6372 auid=unset uid=vhostmd gid=vhostmd euid=vhostmd suid=vhostmd fsuid=vhostmd egid=vhostmd sgid=vhostmd fsgid=vhostmd tty=(none) ses=unset comm=vhostmd exe=/usr/sbin/vhostmd subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file
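
The two `ls -Z` listings in the description (vhostmd_tmpfs_t before the attach, svirt_image_t:s0:cX,cY after it) and the AVC record above describe one mechanism: when libvirt hands a file to a guest, its sVirt driver relabels that file to svirt_image_t with a per-domain MCS category pair, and vhostmd_t, whose policy covers vhostmd_tmpfs_t, is then denied write on it. Telling this kind of label drift apart from an ordinary policy gap is the first thing to do with such a denial. The following Python is an added example, not code from the bug report or from selinux-policy: it parses the interpreted (`ausearch -i`) AVC record shape shown in comment 3 and the `ls -Z` line shape shown in the description, and the sample records embedded in it are constructed copies of the ones quoted on this page.

```python
"""Parse raw SELinux AVC records and tell a policy gap from sVirt label drift.

Added example; not part of the bug report or of selinux-policy. The sample
records below are constructed from the `ls -Z` listings and the `ausearch -i`
output quoted in the bug, and those interpreted shapes are the only ones this
parser assumes.
"""
import re

# Constructed samples, copied in shape from the bug report.
BEFORE_LS_Z = ("-rw-r--r--. root root system_u:object_r:vhostmd_tmpfs_t:s0 "
               "/dev/shm/vhostmd0")
AFTER_LS_Z = ("-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c195,c606 "
              "/dev/shm/vhostmd0")
AVC_RECORD = (
    "type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  "
    "pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev=\"tmpfs\" ino=923805 "
    "scontext=system_u:system_r:vhostmd_t:s0 "
    "tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file"
)

# "avc:  denied  { write read }" -> decision and the permission list
_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be double-quoted (dev="tmpfs")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Split one AVC record into its decision, permissions and key=value fields."""
    m = _DECISION_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record: %r" % record)
    # Only the part after "{ perms }" carries the pid/comm/path/context fields.
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(record[m.end():])}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def context_type(ctx):
    """The SELinux type is the third field of user:role:type[:sensitivity[:categories]]."""
    return ctx.split(":")[2]


def mcs_categories(ctx):
    """MCS categories of a context as a set, e.g. {'c180', 'c696'}; empty if none."""
    parts = ctx.split(":")
    return set(parts[4].split(",")) if len(parts) > 4 else set()


def ls_z_context(line):
    """Security context from an `ls -Z` line (mode, user, group, context, path)."""
    return line.split()[3]


def label_changed(before_line, after_line):
    """True when two `ls -Z` listings of the same path disagree on the SELinux type."""
    return context_type(ls_z_context(before_line)) != context_type(ls_z_context(after_line))


def diagnose(avc, expected_type):
    """Classify a denial on a file that is expected to carry expected_type.

    A denied target that still has the expected type is a plain policy gap.
    A target now labelled svirt_image_t with MCS categories was relabelled by
    libvirt's sVirt driver when the file was handed to a guest: the policy for
    the source domain was written for the old label, not this one.
    """
    if avc["decision"] != "denied":
        return "not a denial"
    stype = context_type(avc["scontext"])
    ttype = context_type(avc["tcontext"])
    perms = " ".join(avc["perms"])
    if ttype == expected_type:
        return "policy gap: %s lacks { %s } on %s %s" % (stype, perms, ttype, avc["tclass"])
    cats = mcs_categories(avc["tcontext"])
    if ttype == "svirt_image_t" and cats:
        return ("label drift: %s was relabelled from %s to %s (categories %s) by sVirt, "
                "and %s is denied { %s } on the new label"
                % (avc["path"], expected_type, ttype, ",".join(sorted(cats)), stype, perms))
    return "label drift: %s is %s, expected %s" % (avc["path"], ttype, expected_type)


if __name__ == "__main__":
    print("label changed by attach:", label_changed(BEFORE_LS_Z, AFTER_LS_Z))
    print(diagnose(parse_avc(AVC_RECORD), "vhostmd_tmpfs_t"))
```

Feeding the record from comment 3 to `diagnose()` with `vhostmd_tmpfs_t` as the expected type reports label drift rather than a policy gap, which matches the fix landing in selinux-policy (the label change itself is libvirt behaving as designed). A real deployment would read the records from `ausearch -m avc -i` instead of the embedded constant.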

Comment 9 errata-xmlrpc 2018-10-30 10:00:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111