Bug 1753535 - Permission denied error with Posix Ceph backend
Summary: Permission denied error with Posix Ceph backend
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1558836
Blocks: 1653106 1672178
Reported: 2019-09-19 08:49 UTC by gaojianan
Modified: 2020-11-09 15:51 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1558836
Environment:
Last Closed: 2020-06-01 12:25:08 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Comment 1 Han Han 2019-09-19 09:33:24 UTC
Provide your selinux-policy, libvirt and qemu-kvm versions, and upload the AVC message of this deny issue from the audit log or the related SELinux log in /var/log/messages.

Comment 3 gaojianan 2019-09-19 10:18:48 UTC
(In reply to Han Han from comment #1)
> Provide your selinux-policy libvirt qemu-kvm version, upload the avc msg of
> this deny issue in audit log or related selinux log in /var/log/messages

Version info:
libvirt-daemon-5.0.0-12.module+el8.0.1+3755+6782b0ed.x86_64
qemu-kvm-3.1.0-30.module+el8.0.1+3755+6782b0ed.x86_64
selinux-policy-3.14.1-61.el8_0.2.noarch

Log in audit.log:
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1360): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564e92e2b460 a2=80800 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1360): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1361): arch=c000003e syscall=4 success=no exit=-13 a0=564e92e2b460 a1=7ffd1c622f20 a2=7ffd1c622f20 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1361): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0


And this issue can only be reproduced in RHEL8.0.1; there is no problem in RHEL8.1.0.
Version info for 8.1.0:
libvirt-5.6.0-4.module+el8.1.0+4160+b50057dc.x86_64
qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64
selinux-policy-3.14.3-19.el8.noarch
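
The following is an added example, not part of the original comment or of the selinux-policy project: it parses the AVC records quoted in comment 3, groups the enforced denials by source type, target type and object class, and decodes the PROCTITLE hex to show the command line behind them. The function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# AVC records and PROCTITLE value copied from the audit.log excerpt in comment 3.
SAMPLE = '''\
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
'''
PROCTITLE_HEX = "2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F"

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    rec['serial'] = int(m['serial'])
    rec['perms'] = m['perms'].split()
    # A context is user:role:type:level; the level (s0:c267,c657) may hold ':'.
    rec['stype'] = rec['scontext'].split(':', 3)[2]
    rec['ttype'] = rec['tcontext'].split(':', 3)[2]
    return rec

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        # permissive=0 means the denial was enforced, not just logged.
        if rec is not None and rec.get('permissive') == '0':
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

def decode_proctitle(hexstr):
    """The proctitle value is hex; the decoded bytes are argv joined by NUL."""
    return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\x00')

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f'{src} -> {tgt}:{cls} denied {{ {" ".join(perms)} }}')
    print(decode_proctitle(PROCTITLE_HEX)[:3])
```
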

Comment 15 Konstantin Shalygin 2020-05-28 07:39:59 UTC
Fix for EL7 is also needed.

Comment 16 Zdenek Pytela 2020-05-28 16:13:30 UTC
Konstantin,

The next RHEL 7 minor release will be in Maintenance Support 2 Phase, so business justification meeting the requirements is a requisite.

If you believe your request qualifies, please open a support case.

Comment 17 gaojianan 2020-06-01 01:48:50 UTC
Since we don't have business justification for Z-stream, I think it's ok to close this bz CURRENTRELEASE.

Comment 18 Zdenek Pytela 2020-06-01 12:25:08 UTC
As current supported versions were confirmed working, closing CURRENTRELEASE. Feel free to create a new bz in case of outstanding issue.
