Bug 1465276 - vhostmd having no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest
Summary: vhostmd having no permission to write metrics after attaching /dev/shm/vhostm...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-06-27 05:58 UTC by yafu
Modified: 2018-10-30 10:02 UTC
CC List: 10 users

Fixed In Version: selinux-policy-3.13.1-205.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:00:43 UTC
Target Upstream Version:




Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2018:3111  None      None    None     2018-10-30 10:02:09 UTC

Description yafu 2017-06-27 05:58:22 UTC
Description of problem:
vhostmd having no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-165.el7.noarch
libvirt-3.2.0-14.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install vhostmd and start the vhostmd service:
# yum -y install vhostmd
# systemctl start vhostmd

2. Check the SELinux context of /dev/shm/vhostmd0:
# ll -Z /dev/shm/vhostmd0
-rw-r--r--. root root system_u:object_r:vhostmd_tmpfs_t:s0 /dev/shm/vhostmd0

3. Attach /dev/shm/vhostmd0 to a running guest:
# cat disk-vhostmd.xml
 <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/dev/shm/vhostmd0'/>
      <target dev='vdb' bus='virtio'/>
  </disk>
# virsh attach-device full-73 disk-vhostmd.xml
Device attached successfully

# virsh domblklist full-73
Target     Source
------------------------------------------------
hdc        /var/lib/libvirt/images/shareable.iso
vda        /nfs-images/yafu/rhel7.2.qcow2
vdb        /dev/shm/vhostmd0

4. Check the SELinux context of /dev/shm/vhostmd0 after step 3:
# ll -Z /dev/shm/vhostmd0 
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c195,c606 /dev/shm/vhos

5. Check the vhostmd service status after step 4:
# systemctl status vhostmd
● vhostmd.service - LSB: Virtualization host metrics daemon
   Loaded: loaded (/etc/rc.d/init.d/vhostmd; bad; vendor preset: disabled)
   Active: active (running) since Tue 2017-06-27 10:32:07 CST; 47min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29477 ExecStop=/etc/rc.d/init.d/vhostmd stop (code=exited, status=0/SUCCESS)
  Process: 29489 ExecStart=/etc/rc.d/init.d/vhostmd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/vhostmd.service
           └─29502 /usr/sbin/vhostmd --user vhostmd --connect qemu:///system

Jun 27 11:10:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
Jun 27 11:11:20 localhost.localdomain vhostmd[29502]: Error writing metrics disk header sig: Permission denied
...

Actual results:
vhostmd having no permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Expected results:
vhostmd should have permission to write metrics after attaching /dev/shm/vhostmd0 to the guest.

Additional info:
1. See the error info in the syslog:
# cat /var/log/messages
...
Jun 27 11:20:40 localhost setroubleshoot: failed to retrieve rpm info for /dev/shm/vhostmd0
Jun 27 11:20:40 localhost setroubleshoot: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0. For complete SELinux messages run: sealert -l 9f9673b0-4e00-41f0-bb9e-ade129b66c28
Jun 27 11:20:40 localhost python: SELinux is preventing /usr/sbin/vhostmd from write access on the file /dev/shm/vhostmd0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that vhostmd should be allowed write access on the vhostmd0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vhostmd' --raw | audit2allow -M my-vhostmd
# semodule -i my-vhostmd.pp
...

Comment 2 Milos Malik 2017-06-27 06:37:26 UTC
Could you re-run your scenario in permissive mode and collect SELinux denials in raw form?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

Comment 3 yafu 2017-06-27 08:21:47 UTC
(In reply to Milos Malik from comment #2)
> Could you re-run your scenario in permissive mode and collect SELinux
> denials in raw form?
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
> 
> Thank you.

The SELinux denials in raw form are as follows:
type=PROCTITLE msg=audit(06/27/2017 15:15:18.457:12111) : proctitle=/usr/sbin/vhostmd --user vhostmd --connect qemu:///system 
type=SYSCALL msg=audit(06/27/2017 15:15:18.457:12111) : arch=x86_64 syscall=write success=yes exit=4 a0=0x4 a1=0x607354 a2=0x4 a3=0x5 items=0 ppid=1 pid=6372 auid=unset uid=vhostmd gid=vhostmd euid=vhostmd suid=vhostmd fsuid=vhostmd egid=vhostmd sgid=vhostmd fsgid=vhostmd tty=(none) ses=unset comm=vhostmd exe=/usr/sbin/vhostmd subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file
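
The AVC record above, together with the setroubleshoot advice in the description to pipe ausearch into audit2allow, is the raw material for diagnosing a relabel conflict like this one: libvirt relabelled the tmpfs file from vhostmd_tmpfs_t to a per-guest svirt_image_t:s0:cNNN,cNNN, and vhostmd_t has no write rule for that type. The Python below is an added example, not code from vhostmd, libvirt, selinux-policy or this bug. It parses ausearch -i style records, pairs each AVC with its SYSCALL record by audit serial, reports whether the denial was taken in permissive mode (a denied write whose syscall still shows success=yes, as in comment 3), pulls out the MCS categories that mark the target as a per-guest label, and emits the TE allow rule audit2allow would propose. The second record pair in the sample (serial 12000) is constructed to show the enforcing-mode case; the rule printed is what a local module would contain, not the change shipped in selinux-policy-3.13.1-205.el7, which this page does not describe.

```python
"""Turn raw audit AVC records into the SELinux allow rule they imply.

Added example for this bug report; not code from vhostmd, libvirt,
selinux-policy or this bug. Input is the ausearch -i output from comment 3
plus one constructed enforcing-mode record pair (serial 12000).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Records pasted in comment 3 (serial 12111: AVC says denied, SYSCALL says
# success=yes, i.e. permissive mode) and a constructed enforcing-mode pair.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(06/27/2017 15:15:18.457:12111) : proctitle=/usr/sbin/vhostmd --user vhostmd --connect qemu:///system
type=SYSCALL msg=audit(06/27/2017 15:15:18.457:12111) : arch=x86_64 syscall=write success=yes exit=4 a0=0x4 a1=0x607354 a2=0x4 a3=0x5 items=0 ppid=1 pid=6372 auid=unset uid=vhostmd gid=vhostmd euid=vhostmd suid=vhostmd fsuid=vhostmd egid=vhostmd sgid=vhostmd fsgid=vhostmd tty=(none) ses=unset comm=vhostmd exe=/usr/sbin/vhostmd subj=system_u:system_r:vhostmd_t:s0 key=(null)
type=AVC msg=audit(06/27/2017 15:15:18.457:12111) : avc:  denied  { write } for  pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file
type=SYSCALL msg=audit(06/27/2017 11:10:20.000:12000) : arch=x86_64 syscall=write success=no exit=EACCES(Permission denied) pid=6372 comm=vhostmd exe=/usr/sbin/vhostmd subj=system_u:system_r:vhostmd_t:s0 key=(null)
type=AVC msg=audit(06/27/2017 11:10:20.000:12000) : avc:  denied  { write } for  pid=6372 comm=vhostmd path=/dev/shm/vhostmd0 dev="tmpfs" ino=923805 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c180,c696 tclass=file
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
SUCCESS_RE = re.compile(r"\bsuccess=(yes|no)\b")
PERMISSIVE_RE = re.compile(r"\bpermissive=([01])\b")  # newer kernels add this to the AVC
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """user:role:type[:sensitivity[:categories]] -> the type field."""
    return context.split(":")[2]


def mcs_categories(context: str) -> Tuple[str, ...]:
    """Categories after the sensitivity, e.g. ('c180', 'c696'); () if none."""
    parts = context.split(":")
    return tuple(parts[4].split(",")) if len(parts) > 4 else ()


@dataclass
class Denial:
    serial: str
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    permissive: Optional[bool]  # None if neither the AVC nor a SYSCALL said

    def allow_rule(self) -> str:
        """TE rule of the kind audit2allow would emit for this record."""
        perms = " ".join(sorted(self.perms))
        body = perms if len(self.perms) == 1 else "{ " + perms + " }"
        return f"allow {type_of(self.scontext)} {type_of(self.tcontext)}:{self.tclass} {body};"


def parse_denials(text: str) -> List[Denial]:
    success: Dict[str, bool] = {}  # audit serial -> syscall success=yes
    avcs = []
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = m.group(1)
        if line.startswith("type=SYSCALL"):
            s = SUCCESS_RE.search(line)
            if s:
                success[serial] = s.group(1) == "yes"
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a and a.group("verdict") == "denied":
                avcs.append((serial, line, a))
    denials = []
    for serial, line, a in avcs:
        p = PERMISSIVE_RE.search(line)
        # Without an explicit permissive= field, a denied AVC whose syscall
        # still succeeded was taken in permissive mode (or a permissive domain).
        permissive = (p.group(1) == "1") if p else success.get(serial)
        denials.append(Denial(serial, tuple(a.group("perms").split()),
                              a.group("scontext"), a.group("tcontext"),
                              a.group("tclass"), permissive))
    return denials


def unique_rules(denials: List[Denial]) -> List[str]:
    """Deduplicated rules, like the .te body that audit2allow -M writes."""
    return sorted({d.allow_rule() for d in denials})


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_AUDIT)
    for d in parsed:
        mode = {True: "permissive", False: "enforcing", None: "unknown"}[d.permissive]
        cats = ",".join(mcs_categories(d.tcontext)) or "none"
        print(f"serial {d.serial}: {mode}; target categories {cats}; {d.allow_rule()}")
    print("\n".join(unique_rules(parsed)))
```

The rule this produces, allow vhostmd_t svirt_image_t:file write, is what the catchall plugin's audit2allow invocation would also generate, and it is worth noticing what it grants: write access from vhostmd_t to every file labelled svirt_image_t, which is the label libvirt gives every guest's disk image, not just the one tmpfs metrics file. The MCS categories in the target context (c180,c696 here) are what keep one guest's qemu process out of another guest's image; vhostmd_t runs at s0 with no categories, so a plain type rule bypasses that separation for it. Before installing such a local module, decide whether that is acceptable on the host, and remove it once the fixed selinux-policy package from the errata is installed.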

Comment 9 errata-xmlrpc 2018-10-30 10:00:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

