Bug 1465276 - vhostmd having no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.4
x86_64 Linux
Assigned To: Lukas Vrabec
Milos Malik
Reported: 2017-06-27 01:58 EDT by yafu
Modified: 2017-11-06 10:10 EST
Type: Bug
Description yafu 2017-06-27 01:58:22 EDT
Description of problem:
vhostmd has no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-165.el7.noarch
libvirt-3.2.0-14.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vhostmd and start the vhostmd service:
# yum -y install vhostmd
# systemctl start vhostmd

2. Check the SELinux context of /dev/shm/vhostmd0:
# ll -Z /dev/shm/vhostmd0
-rw-r--r--. root root system_u:object_r:vhostmd_tmpfs_t:s0 /dev/shm/vhostmd0

3. Attach /dev/shm/vhostmd0 to a running guest:
# cat disk-vhostmd.xml
 <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/dev/shm/vhostmd0'/>
      <target dev='vdb' bus='virtio'/>
  </disk>
# virsh attach-device full-73 disk-vhostmd.xml
Device attached successfully

# virsh domblklist full-73
Target     Source
------------------------------------------------
hdc        /var/lib/libvirt/images/shareable.iso
vda        /nfs-images/yafu/rhel7.2.qcow2
vdb        /dev/shm/vhostmd0

4. Check the SELinux context of /dev/shm/vhostmd0 after step 3:
# ll -Z /dev/shm/vhostmd0
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c195,c606 /dev/shm/vhos

5. Check the vhostmd service status after step 4:
# systemctl status vhostmd
● vhostmd.service - LSB: Virtualization host metrics daemon
   Loaded: loaded (/etc/rc.d/init.d/vhostmd; bad; vendor preset: disabled)
   Active: active (running) since Tue 2017-06-27 10:32:07 CST; 47min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29477 ExecStop=/etc/rc.d/init.d/vhostmd stop (code=exited, status=0/SUCCESS)
  Process: 29489 ExecStart=/etc/rc.d/init.d/vhostmd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/vhostmd.service
           └─29502 /usr/sbin/vhostmd --user vhostmd --connect qemu:///system

Jun 27 11:10:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
Jun 27 11:11:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
...

Actual results:
vhostmd has no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Expected results:
vhostmd should have permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Additional info:
1. See the error info in the syslog:
# cat /var/log/messages
...
Jun 27 11:20:40 localhost setroubleshoot: failed to retrieve rpm info for /dev/shm/vhostmd0
Jun 27 11:20:40 localhost setroubleshoot: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0. For complete SELinux messages run: sealert -l 9f9673b0-4e00-41f0-bb9e-ade129b66c28
Jun 27 11:20:40 localhost python: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vhostmd should be allowed write access on the vhostmd0 file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vhostmd' --raw | audit2allow -M my-vhostmd#012# semodule -i my-vhostmd.pp#012
...
Comment 2 Milos Malik 2017-06-27 02:37:26 EDT
Could you re-run your scenario in permissive mode and collect SELinux denials in raw form?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.
Comment 3 yafu 2017-06-27 04:21:47 EDT
(In reply to Milos Malik from comment #2)
> Could you re-run your scenario in permissive mode and collect SELinux
> denials in raw form?
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
> 
> Thank you.

The SELinux denials in raw form are as follows:
type=PROCTITLE msg=audit(06/27/2017 15:15:18.457:12111) : proctitle=/usr/sbin/vhostmd --user vhostmd --connect qemu:///system 
type=SYSCALL msg=audit(06/27/2017 15:15:18.457:12111) : arch=x86_64 syscall=write success=yes exit=4 a0=0x4 a1=0x607354 a2=0x4 a3=0x5 items=0 ppid=1 pid=6372 auid=unset uid=vhostmd gid=vhostmd euid=vhostmd suid=vhostmd fsuid=vhostmd egid=vhostmd sgid=vhostmd fsgid=vhostmd tty=(none) ses=unset comm=vhostmd exe=/usr/sbin/vhostmd subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file

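As an added example (not part of the bug report), a small Python triage helper that parses the raw `ausearch -i` AVC record quoted above, splits both security contexts, and flags that the target file now carries a type other than the vhostmd_tmpfs_t label it had in step 2 of the report. The expected type comes from the report; the record text is copied from comment 3 and the function names are my own.

```python
import re

# AVC record as printed by `ausearch -i`, copied from comment 3 of this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  '
    'pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 '
    'scontext=system_u:system_r:vhostmd_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file'
)

# Type the file carried before libvirt relabelled it (step 2 of the report).
EXPECTED_TARGET_TYPE = "vhostmd_tmpfs_t"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                     # key=value tokens
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')  # verdict + perms


def split_context(ctx):
    """Split 'user:role:type:range'; the MLS/MCS range may itself contain ':' and ','."""
    user, role, stype, srange = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "range": srange}


def parse_avc(record):
    """Turn one AVC line into a dict of the fields a triage needs."""
    m = _AVC.search(record)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV.findall(record)}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def explain_denial(record, expected_target_type):
    """Return (relabelled, summary). relabelled is True when a denied access hit a
    target whose type differs from the one the daemon's policy is written for,
    i.e. something (here libvirt's sVirt) changed the file's label underneath it."""
    avc = parse_avc(record)
    observed = avc["target"]["type"]
    relabelled = avc["result"] == "denied" and observed != expected_target_type
    summary = (f"{avc['comm']} ({avc['source']['type']}) denied "
               f"{{ {' '.join(avc['perms'])} }} on {avc['tclass']} {avc['path']}: "
               f"labelled {observed} (MCS {avc['target']['range']}), "
               f"expected {expected_target_type}")
    return relabelled, summary
```

Feeding the record through `explain_denial(SAMPLE_AVC, EXPECTED_TARGET_TYPE)` reports the svirt_image_t label with its per-guest MCS categories against the expected vhostmd_tmpfs_t, which is the mismatch the report's steps 2 and 4 show by hand.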