Bug 1539938 - [Hyper-V] hypervvssd and selinux denials
Summary: [Hyper-V] hypervvssd and selinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1477664
Reported: 2018-01-29 22:48 UTC by Chris Cheney
Modified: 2018-10-30 10:02 UTC (History)
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:02:20 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata; ID: RHBA-2018:3111; Priority: None; Status: None; Summary: None; Last Updated: 2018-10-30 10:02:49 UTC

Description Chris Cheney 2018-01-29 22:48:20 UTC
Occurs every time a Checkpoint/DPM "creation"-like action occurs.

---

Seeing the following error with the following packages installed:

selinux-policy-3.13.1-166.el7_4.5.noarch                    Sun Nov 26 03:14:59 2017
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch           Sun Nov 26 03:15:05 2017


BZ #1331309 does not appear to have fixed this issue.

---

Dec 18 20:14:54 localhost journal: Hyper-V VSS: VSS: op=CHECK HOT BACKUP
Dec 18 20:14:54 localhost journal: Hyper-V VSS: FREEZE of /nfsdata/sftpprod failed; error:13 Permission denied
Dec 18 20:14:54 localhost journal: Hyper-V VSS: VSS: op=FREEZE: failed
Dec 18 20:14:54 localhost journal: Hyper-V VSS: op=5 failed!
Dec 18 20:14:54 localhost journal: Hyper-V VSS: report it with these files:
Dec 18 20:14:54 localhost journal: Hyper-V VSS: /etc/fstab and /proc/mounts

---

/etc/fstab entry

/dev/sdb1   /nfsdata/sftpprod                       xfs     defaults        0 0

/proc/mounts entry

/dev/sdb1 /nfsdata/sftpprod xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0

---

# ausearch -m avc -ts recent
----
time->Tue Jan 23 18:09:26 2018
type=PROCTITLE msg=audit(1516748966.175:15729003): proctitle=2F7573722F7362696E2F68797065727676737364002D6E
type=PATH msg=audit(1516748966.175:15729003): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=CWD msg=audit(1516748966.175:15729003):  cwd="/"
type=SYSCALL msg=audit(1516748966.175:15729003): arch=c000003e syscall=2 success=no exit=-13 a0=55bf9d9f525a a1=0 a2=0 a3=1e items=1 ppid=1 pid=189725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
----
time->Tue Jan 23 18:09:26 2018
type=PROCTITLE msg=audit(1516748966.175:15729004): proctitle=2F7573722F7362696E2F68797065727676737364002D6E
type=PATH msg=audit(1516748966.175:15729004): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=CWD msg=audit(1516748966.175:15729004):  cwd="/"
type=SYSCALL msg=audit(1516748966.175:15729004): arch=c000003e syscall=2 success=no exit=-13 a0=55bf9d9f525a a1=0 a2=0 a3=1e items=1 ppid=1 pid=189725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1516748966.175:15729004): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729004): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability

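The ausearch records above are the kind of evidence a responder triages by hand. As an added example (not part of the original report), here is a small parser that groups the records by audit serial number, collects the denied permissions from each AVC record and the path and exit code from the PATH and SYSCALL records, and prints one summary line per event. The sample input is constructed from the report's own records, with the long SYSCALL line shortened to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample: the four record types from one ausearch event in this report,
# with the long SYSCALL line shortened to the fields used below.
SAMPLE = """\
type=PATH msg=audit(1516748966.175:15729003): item=0 name="/nfsdata/sftpprod" objtype=UNKNOWN
type=SYSCALL msg=audit(1516748966.175:15729003): arch=c000003e syscall=2 success=no exit=-13 uid=0 comm="hypervvssd" exe="/usr/sbin/hypervvssd" subj=system_u:system_r:hypervvssd_t:s0 key=(null)
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_read_search } for  pid=189725 comm="hypervvssd" capability=2  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
type=AVC msg=audit(1516748966.175:15729003): avc:  denied  { dac_override } for  pid=189725 comm="hypervvssd" capability=1  scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:system_r:hypervvssd_t:s0 tclass=capability
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by serial number and pull out what triage needs."""
    events = defaultdict(lambda: {"perms": [], "scontext": None, "tcontext": None,
                                  "tclass": None, "path": None, "exe": None, "exit": None})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue  # not an audit record (e.g. ausearch's "----" / "time->" separators)
        ev = events[m.group(1)]
        rtype = line.split(" ", 1)[0].split("=", 1)[1]  # PATH, SYSCALL, AVC, ...
        if rtype == "AVC":
            a = AVC_RE.search(line)
            if a:
                ev["perms"].extend(a.group(1).split())
                ev["scontext"], ev["tcontext"], ev["tclass"] = a.group(2), a.group(3), a.group(4)
        else:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            if rtype == "PATH":
                ev["path"] = fields.get("name")
            elif rtype == "SYSCALL":
                ev["exe"] = fields.get("exe")
                ev["exit"] = int(fields["exit"]) if "exit" in fields else None
    return dict(events)


def summarize(events):
    """One line per event: which domain was denied which permissions on what."""
    out = []
    for serial, ev in sorted(events.items()):
        domain = ev["scontext"].split(":")[2] if ev["scontext"] else "?"
        out.append(f"serial {serial}: {ev['exe']} ({domain}) denied {ev['tclass']} "
                   f"{{ {' '.join(ev['perms'])} }} on {ev['path']} (exit={ev['exit']})")
    return out


if __name__ == "__main__":
    for line in summarize(parse_events(SAMPLE)):
        print(line)
```

Feeding it the full `ausearch -m avc -ts recent` output gives one line per event, so the two events in this report collapse to two identical summaries pointing at the same path and the same two capabilities.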
Comment 2 Milos Malik 2018-01-30 11:33:53 UTC
Could you run the following commands and attach the output here?

# ls -l /nfsdata/sftpprod
# ls -dZ /nfsdata/sftpprod

Comment 3 Chris Cheney 2018-01-30 16:04:43 UTC
The -Z output is the following; I'll have to check for the other:

drwxr-xr-x. sftpprod sftpprod system_u:object_r:default_t:s0   sftpprod

Comment 11 errata-xmlrpc 2018-10-30 10:02:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

