
Bug 1753535

Summary: Permission denied error with Posix Ceph backend
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: urgent
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Reporter: gaojianan <jgao>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: 754267513, bugs, bzlotnik, chhu, dyuan, ebenahar, eshenitz, hannsj_uhl, hhan, jgao, lsvaty, lvrabec, mmalik, mst, plautrba, shalygin.k, ssekidde, tnisan, toneata, xuzhang, yafu, zpytela
Doc Type: No Doc Update
Clone Of: 1558836
Last Closed: 2020-06-01 12:25:08 UTC
Type: Bug
Bug Depends On: 1558836
Bug Blocks: 1653106, 1672178

Comment 1 Han Han 2019-09-19 09:33:24 UTC
Provide your selinux-policy, libvirt, and qemu-kvm versions, and upload the avc msg of this deny issue from the audit log or the related selinux log in /var/log/messages.

Comment 3 gaojianan 2019-09-19 10:18:48 UTC
(In reply to Han Han from comment #1)
> Provide your selinux-policy, libvirt, and qemu-kvm versions, and upload the
> avc msg of this deny issue from the audit log or the related selinux log in
> /var/log/messages.

Version info:
libvirt-daemon-5.0.0-12.module+el8.0.1+3755+6782b0ed.x86_64
qemu-kvm-3.1.0-30.module+el8.0.1+3755+6782b0ed.x86_64
selinux-policy-3.14.1-61.el8_0.2.noarch

Log in audit.log:
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1360): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564e92e2b460 a2=80800 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1360): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1361): arch=c000003e syscall=4 success=no exit=-13 a0=564e92e2b460 a1=7ffd1c622f20 a2=7ffd1c622f20 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1361): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0


And this issue can only be reproduced in RHEL 8.0.1; there is no problem in RHEL 8.1.0.
Version info for 8.1.0:
libvirt-5.6.0-4.module+el8.1.0+4160+b50057dc.x86_64
qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64
selinux-policy-3.14.3-19.el8.noarch
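
Added example, not part of the original comment: a small triage helper that groups the AVC denials in the log above by source type, target type and object class, and decodes the hex-encoded PROCTITLE argv. The function names are hypothetical and the sample records are trimmed from the excerpt in this comment.

```python
import re
from collections import defaultdict

# Constructed sample: records trimmed from the audit.log excerpt in this comment.
SAMPLE_LOG = '''\
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1360): arch=c000003e syscall=257 success=no exit=-13 comm="qemu-kvm"
type=PROCTITLE msg=audit(1568880126.774:1360): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D65
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROCTITLE_RE = re.compile(r'^type=PROCTITLE .*proctitle=([0-9A-Fa-f]+)$')


def selinux_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(':', 3)[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and other record types
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m['rest'])}
        key = (selinux_type(f['scontext']), selinux_type(f['tcontext']), f['tclass'])
        summary[key].update(m['perms'].split())
    return {k: sorted(v) for k, v in summary.items()}


def decode_proctitle(line):
    """Decode the hex-encoded, NUL-separated argv of a PROCTITLE record."""
    m = PROCTITLE_RE.match(line)
    if not m:
        return None
    return [a.decode('utf-8', 'replace') for a in bytes.fromhex(m[1]).split(b'\0')]


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_LOG).items():
        print(f'{src} -> {tgt}:{cls} denied {{ {" ".join(perms)} }}')
    print(decode_proctitle(SAMPLE_LOG.splitlines()[2]))
```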

Comment 15 Konstantin Shalygin 2020-05-28 07:39:59 UTC
Fix for EL7 is also needed.

Comment 16 Zdenek Pytela 2020-05-28 16:13:30 UTC
Konstantin,

The next RHEL 7 minor release will be in Maintenance Support 2 Phase, so business justification meeting the requirements is a requisite.

If you believe your request qualifies, please open a support case.

Comment 17 gaojianan 2020-06-01 01:48:50 UTC
Since we don't have business justification for Z-stream, I think it's OK to close this bz CURRENTRELEASE.

Comment 18 Zdenek Pytela 2020-06-01 12:25:08 UTC
As the currently supported versions were confirmed working, closing CURRENTRELEASE. Feel free to create a new bz in case of an outstanding issue.