Bug 1484075 - [RFE] Add S3 PR support to qemu (similar to mpathpersist)
Summary: [RFE] Add S3 PR support to qemu (similar to mpathpersist)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: 7.5
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1464908 1519019
Blocks: 1420851 RHEV_SCSI_reserve_Win_DirectLUN RHEV_SCSI_reserve_Win_SharedDisk 1457437 1470007 1519021
 
Reported: 2017-08-22 15:45 UTC by Paolo Bonzini
Modified: 2018-04-10 12:40 UTC
CC List: 23 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1464908
Environment:
Last Closed: 2018-04-10 12:38:21 UTC
Target Upstream Version:




Links: Red Hat Product Errata RHBA-2018:0763 (Priority: None, Status: None, Summary: None, Last Updated: 2018-04-10 12:40:51 UTC)

Description Paolo Bonzini 2017-08-22 15:45:26 UTC
A new daemon will be added to the qemu-kvm package.

The daemon should in general have the same permissions as the lvm_t context. Based on some experiments with setroubleshoot, this is what it found:

  require {
      # paolo_t is the test domain the experiments were run in
      type paolo_t;
      type fixed_disk_device_t;
      type var_run_t;
      type lvm_control_t;
      # lvm_t and unix_stream_socket were missing from the require block
      # but are referenced by the connectto rule below
      type lvm_t;
      type sysctl_fs_t;
      type user_home_t;
      type udev_var_run_t;
      type lvm_var_run_t;
      class file { execute getattr open read };
      class chr_file { getattr ioctl open read write };
      class dir { add_name remove_name write };
      class sock_file { create unlink };
      class unix_stream_socket connectto;
      class process setcap;
      class capability { setpcap sys_admin sys_rawio };
      class blk_file { getattr ioctl open read write };
  }

  # raw access to the SCSI LUN that the persistent reservation ioctls target
  allow paolo_t fixed_disk_device_t:blk_file { getattr ioctl open read write };
  # /dev/mapper/control, needed for the multipath (mpathpersist-style) path
  allow paolo_t lvm_control_t:chr_file { getattr ioctl open read write };
  allow paolo_t lvm_t:unix_stream_socket connectto;
  # CAP_SYS_RAWIO/CAP_SYS_ADMIN for the ioctls, setpcap to drop the rest
  allow paolo_t self:capability { setpcap sys_admin sys_rawio };
  allow paolo_t self:process setcap;
  allow paolo_t sysctl_fs_t:file { getattr open read };
  allow paolo_t udev_var_run_t:file { getattr open read };
  # the daemon's own listening socket under /var/run
  allow paolo_t lvm_var_run_t:sock_file unlink;
  allow paolo_t var_run_t:dir { add_name remove_name write };
  allow paolo_t var_run_t:sock_file create;

The lvm_var_run_t and var_run_t entries are due to the daemon's socket, which is
/var/run/qemu/qemu-pr-helper.sock.

Any qemu_t should be able to connect to this socket, because all operations that the daemon does are on file descriptors that QEMU already has. If that's not possible, it's okay to hide it behind a boolean that RHV can enable.
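
As an added example (it is neither the setroubleshoot output above nor the upstream selinux-policy-contrib change referenced in this bug), the permissions listed in the description can be expressed as a refpolicy-style module with its own confined domain for the helper and a boolean that gates qemu_t's access to the socket, so that RHV can enable it without granting it to every QEMU guest by default. The domain, type and boolean names (qemu_pr_helper_t, qemu_pr_helper_exec_t, qemu_pr_helper_var_run_t, qemu_pr_helper_connect) are assumptions, and the interfaces used are standard refpolicy ones assumed to be present in the target policy:

```selinux
policy_module(qemu_pr_helper, 1.0)

########################################
#
# Declarations
#

## <desc>
## <p>Allow QEMU (qemu_t) to connect to the qemu-pr-helper socket.</p>
## </desc>
gen_tunable(qemu_pr_helper_connect, false)

# Assumed domain and entrypoint types for the helper daemon
type qemu_pr_helper_t;
type qemu_pr_helper_exec_t;
init_daemon_domain(qemu_pr_helper_t, qemu_pr_helper_exec_t)

# Type for /var/run/qemu and the socket inside it (assumed name)
type qemu_pr_helper_var_run_t;
files_pid_file(qemu_pr_helper_var_run_t)

########################################
#
# Local policy
#

# The persistent-reservation ioctls need CAP_SYS_RAWIO/CAP_SYS_ADMIN;
# setpcap lets the daemon drop everything else after startup.
allow qemu_pr_helper_t self:capability { setpcap sys_admin sys_rawio };
allow qemu_pr_helper_t self:process setcap;
allow qemu_pr_helper_t self:unix_stream_socket create_stream_socket_perms;

# Raw access to the LUN (fixed_disk_device_t) -- the daemon never opens
# guest disks itself, it receives already-open descriptors from QEMU,
# but the ioctls on them are still checked against this domain.
storage_raw_read_fixed_disk(qemu_pr_helper_t)
storage_raw_write_fixed_disk(qemu_pr_helper_t)

# /dev/mapper/control (lvm_control_t) for the multipath code path
dev_rw_lvm_control(qemu_pr_helper_t)

# /proc/sys/fs (sysctl_fs_t)
kernel_read_fs_sysctls(qemu_pr_helper_t)

# udev's runtime database (udev_var_run_t), read-only
optional_policy(`
    gen_require(`
        type udev_var_run_t;
    ')
    read_files_pattern(qemu_pr_helper_t, udev_var_run_t, udev_var_run_t)
')

# Listening socket: /var/run/qemu/qemu-pr-helper.sock.  The filetrans
# gives the "qemu" directory created under /var/run our own type, so the
# socket is not left as plain var_run_t.
manage_dirs_pattern(qemu_pr_helper_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t)
manage_sock_files_pattern(qemu_pr_helper_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t)
files_pid_filetrans(qemu_pr_helper_t, qemu_pr_helper_var_run_t, dir, "qemu")

# Connecting to the lvm_t daemon socket, as seen in the AVCs above
optional_policy(`
    gen_require(`
        type lvm_t, lvm_var_run_t;
    ')
    stream_connect_pattern(qemu_pr_helper_t, lvm_var_run_t, lvm_var_run_t, lvm_t)
')

########################################
#
# qemu_t access to the helper, behind the boolean
#

optional_policy(`
    gen_require(`
        type qemu_t;
    ')
    tunable_policy(`qemu_pr_helper_connect',`
        # search /var/run/qemu, write the sock_file, connectto the daemon
        stream_connect_pattern(qemu_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t, qemu_pr_helper_t)
    ')
')
```

The matching file-context file (assumed paths) would label the daemon binary, for example `/usr/bin/qemu-pr-helper`, as `qemu_pr_helper_exec_t` and `/var/run/qemu(/.*)?` as `qemu_pr_helper_var_run_t`. Build with `make -f /usr/share/selinux/devel/Makefile qemu_pr_helper.pp`, load with `semodule -i qemu_pr_helper.pp`, and turn the boolean on where it is wanted with `setsebool -P qemu_pr_helper_connect on`. Keeping the boolean off by default means a guest-facing qemu_t that tries to reach the socket produces an AVC denial rather than silently gaining a path to reservation ioctls, which is the state a defender wants to start from and then open up deliberately.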

Comment 2 Paolo Bonzini 2017-08-22 16:29:22 UTC
Upstream libvirt discussion:
https://www.redhat.com/archives/libvir-list/2017-August/msg00631.html

Comment 10 Paolo Bonzini 2017-10-12 16:42:30 UTC
The daemon is now in Fedora 27.  For testing instructions, see
bug 1464908 comment 4.  Let me know (outside BZ) if you need more configuration instructions.

Comment 11 Lukas Vrabec 2017-10-18 20:55:52 UTC
Issue is fixed in Fedora. We can backport it. Adding devel_ack+

Comment 13 Paolo Bonzini 2017-10-19 07:34:17 UTC
Upstream commit:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/bc1f8eb8a

Comment 22 errata-xmlrpc 2018-04-10 12:38:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

