Bug 1484075 - [RFE] Add S3 PR support to qemu (similar to mpathpersist)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: 7.5
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Keywords: FutureFeature, Reopened
Depends On: 1519019 1464908
Blocks: RHEV_SCSI_reserve_Win_DirectLUN RHEV_SCSI_reserve_Win_SharedDisk 1420851 1519021 1457437 1470007
Reported: 2017-08-22 11:45 EDT by Paolo Bonzini
Modified: 2018-04-10 08:40 EDT
Doc Type: Enhancement
Clone Of: 1464908
Last Closed: 2018-04-10 08:38:21 EDT
Type: Bug

External Trackers:
Red Hat Product Errata RHBA-2018:0763 (last updated 2018-04-10 08:40 EDT)

Description Paolo Bonzini 2017-08-22 11:45:26 EDT
A new daemon will be added to the qemu-kvm package.

The daemon should in general have the same permissions as the lvm_t context.  Based on some experiments with setroubleshoot, this is what it found:

  # Module header added so the snippet loads as a stand-alone policy module
  # (checkmodule -M -m, semodule_package, semodule -i); the module name is a
  # placeholder. paolo_t is the test domain the daemon was run under.
  module paolo_pr_helper 1.0;

  require {
      type paolo_t;
      type fixed_disk_device_t;
      type var_run_t;
      type lvm_control_t;
      type lvm_t;                          # added: used by the connectto rule below
      type sysctl_fs_t;
      type user_home_t;
      type udev_var_run_t;
      type lvm_var_run_t;
      class file { execute getattr open read };
      class chr_file { getattr ioctl open read write };
      class dir { add_name remove_name write };
      class sock_file { create unlink };
      class unix_stream_socket connectto;  # added: used by the lvm_t rule below
      class process setcap;
      class capability { setpcap sys_admin sys_rawio };
      class blk_file { getattr ioctl open read write };
  }

  # Raw access to whole-disk block devices and the LVM control node
  allow paolo_t fixed_disk_device_t:blk_file { getattr ioctl open read write };
  allow paolo_t lvm_control_t:chr_file { getattr ioctl open read write };
  # Connect to lvm_t over its unix socket
  allow paolo_t lvm_t:unix_stream_socket connectto;
  # SCSI passthrough (SG_IO) on raw devices needs sys_rawio/sys_admin;
  # setpcap + setcap let the daemon drop capabilities after startup
  allow paolo_t self:capability { setpcap sys_admin sys_rawio };
  allow paolo_t self:process setcap;
  allow paolo_t sysctl_fs_t:file { getattr open read };
  allow paolo_t udev_var_run_t:file { getattr open read };
  # Listening socket under /var/run: unlink a stale one, create a fresh one
  allow paolo_t lvm_var_run_t:sock_file unlink;
  allow paolo_t var_run_t:dir { add_name remove_name write };
  allow paolo_t var_run_t:sock_file create;

The lvm_var_run_t and var_run_t entries are due to the daemon's socket, which is
/var/run/qemu/qemu-pr-helper.sock.

Any qemu_t should be able to connect to this socket, because all operations that the daemon does are on file descriptors that QEMU already has. If that's not possible, it's okay to hide it behind a boolean that RHV can enable.
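As an added illustration (not the report's snippet and not the policy that shipped in selinux-policy or upstream selinux-policy-contrib), the raw rules above recast as a refpolicy-style module: the helper gets its own domain and a private type for /var/run/qemu and its socket instead of write access to generic var_run_t, and the qemu_t client side is gated behind a boolean as the description suggests. All names here (qemu_pr_helper_t, qemu_pr_helper_exec_t, qemu_pr_helper_var_run_t, the virt_use_pr_helper boolean) are hypothetical placeholders; the interfaces used are standard refpolicy ones.

```selinux
policy_module(qemu_pr_helper, 1.0)

########################################
# Declarations (all names are hypothetical placeholders)

## <desc>
## <p>Allow qemu (qemu_t) to connect to the qemu-pr-helper socket and hand it
## descriptors for persistent-reservation ioctls.</p>
## </desc>
gen_tunable(virt_use_pr_helper, false)

type qemu_pr_helper_t;
type qemu_pr_helper_exec_t;
init_daemon_domain(qemu_pr_helper_t, qemu_pr_helper_exec_t)

# Private type for /var/run/qemu and the socket inside it; label it with a
# .fc entry such as:
#   /var/run/qemu(/.*)?  gen_context(system_u:object_r:qemu_pr_helper_var_run_t,s0)
type qemu_pr_helper_var_run_t;
files_pid_file(qemu_pr_helper_var_run_t)

########################################
# Local policy: the lvm_t-like access the report lists, via interfaces

# SG_IO on whole-disk devices needs sys_rawio/sys_admin; setpcap + setcap let
# the daemon drop the capabilities it no longer needs after startup
allow qemu_pr_helper_t self:capability { setpcap sys_admin sys_rawio };
allow qemu_pr_helper_t self:process setcap;
allow qemu_pr_helper_t self:unix_stream_socket create_stream_socket_perms;

storage_raw_rw_fixed_disk(qemu_pr_helper_t)   # fixed_disk_device_t:blk_file
dev_rw_lvm_control(qemu_pr_helper_t)          # lvm_control_t:chr_file
kernel_read_fs_sysctls(qemu_pr_helper_t)      # sysctl_fs_t:file
udev_read_pid_files(qemu_pr_helper_t)         # udev_var_run_t:file

# lvm_t:unix_stream_socket connectto from the report
optional_policy(`
	gen_require(`
		type lvm_t;
	')
	allow qemu_pr_helper_t lvm_t:unix_stream_socket connectto;
')

# Listening socket: create /var/run/qemu and the socket with the private type
# instead of granting add_name/remove_name on generic var_run_t
manage_dirs_pattern(qemu_pr_helper_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t)
manage_sock_files_pattern(qemu_pr_helper_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t)
files_pid_filetrans(qemu_pr_helper_t, qemu_pr_helper_var_run_t, { dir sock_file })

########################################
# Client side: only reachable from qemu_t when the boolean is on

optional_policy(`
	gen_require(`
		type qemu_t;
	')
	tunable_policy(`virt_use_pr_helper',`
		files_search_pids(qemu_t)
		stream_connect_pattern(qemu_t, qemu_pr_helper_var_run_t, qemu_pr_helper_var_run_t, qemu_pr_helper_t)
		# the helper issues ioctls on descriptors qemu passes over the socket,
		# so it must be allowed to use fds created in the qemu_t domain
		allow qemu_pr_helper_t qemu_t:fd use;
	')
')
```

With the boolean defaulting to off, a stock host refuses the connection and logs an AVC denial on qemu_pr_helper_var_run_t:sock_file connectto, which is the signal an administrator (or RHV) would look for before turning it on with setsebool. The fd:use rule is the piece the raw setroubleshoot output cannot show, because those experiments were run against a local test domain rather than against descriptors handed over from qemu_t.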
Comment 2 Paolo Bonzini 2017-08-22 12:29:22 EDT
Upstream libvirt discussion:
https://www.redhat.com/archives/libvir-list/2017-August/msg00631.html
Comment 10 Paolo Bonzini 2017-10-12 12:42:30 EDT
The daemon is now in Fedora 27.  For testing instructions, see
bug 1464908 comment 4.  Let me know (outside BZ) if you need more configuration instructions.
Comment 11 Lukas Vrabec 2017-10-18 16:55:52 EDT
Issue is fixed in Fedora. We can backport it. Adding devel_ack+
Comment 13 Paolo Bonzini 2017-10-19 03:34:17 EDT
Upstream commit:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/bc1f8eb8a
Comment 22 errata-xmlrpc 2018-04-10 08:38:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
