Bug 1753535 - Permission denied error with Posix Ceph backend
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Depends On: 1558836
Blocks: 1653106 1672178
Reported: 2019-09-19 08:49 UTC by gaojianan
Modified: 2020-06-01 12:25 UTC (History)
Clone Of: 1558836
Last Closed: 2020-06-01 12:25:08 UTC
Type: Bug
Comment 1 Han Han 2019-09-19 09:33:24 UTC
Provide your selinux-policy, libvirt and qemu-kvm versions, and upload the AVC msg of this deny issue from the audit log or the related SELinux log in /var/log/messages.

Comment 3 gaojianan 2019-09-19 10:18:48 UTC
(In reply to Han Han from comment #1)
> Provide your selinux-policy libvirt qemu-kvm version, upload the avc msg of
> this deny issue in audit log or related selinux log in /var/log/messages

Version info:
libvirt-daemon-5.0.0-12.module+el8.0.1+3755+6782b0ed.x86_64
qemu-kvm-3.1.0-30.module+el8.0.1+3755+6782b0ed.x86_64
selinux-policy-3.14.1-61.el8_0.2.noarch

Log in audit.log:
type=AVC msg=audit(1568880126.774:1360): avc:  denied  { read } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1360): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=564e92e2b460 a2=80800 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1360): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1361): avc:  denied  { getattr } for  pid=21640 comm="qemu-kvm" path="/mnt/cephfs/qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1568880126.774:1361): arch=c000003e syscall=4 success=no exit=-13 a0=564e92e2b460 a1=7ffd1c622f20 a2=7ffd1c622f20 a3=0 items=0 ppid=1 pid=21640 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c267,c657 key=(null)^]ARCH=x86_64 SYSCALL=stat AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
type=PROCTITLE msg=audit(1568880126.774:1361): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F73372E362D6D74382E302C64656275672D746872656164733D6F6E002D53002D6F626A656374007365637265742C69643D6D61737465724B6579302C666F726D61743D7261772C66696C653D2F7661722F6C69622F6C6962766972742F
type=AVC msg=audit(1568880126.774:1362): avc:  denied  { read write } for  pid=21640 comm="qemu-kvm" name="qcow2.img" dev="ceph" ino=1099511627777 scontext=system_u:system_r:svirt_t:s0:c267,c657 tcontext=system_u:object_r:cephfs_t:s0 tclass=file permissive=0


And this issue can only be reproduced in RHEL8.0.1; there is no problem in RHEL8.1.0.
Version info for 8.1.0:
libvirt-5.6.0-4.module+el8.1.0+4160+b50057dc.x86_64
qemu-kvm-4.1.0-9.module+el8.1.0+4210+23b2046a.x86_64
selinux-policy-3.14.3-19.el8.noarch

Comment 15 Konstantin Shalygin 2020-05-28 07:39:59 UTC
Fix for EL7 is also needed.

Comment 16 Zdenek Pytela 2020-05-28 16:13:30 UTC
Konstantin,

The next RHEL 7 minor release will be in Maintenance Support 2 Phase, so business justification meeting the requirements is a requisite.

If you believe your request qualifies, please open a support case.

Comment 17 gaojianan 2020-06-01 01:48:50 UTC
Since we don't have business justification for Z-stream, I think it's ok to close this bz CURRENTRELEASE.

Comment 18 Zdenek Pytela 2020-06-01 12:25:08 UTC
As current supported versions were confirmed working, closing CURRENTRELEASE. Feel free to create a new bz in case of outstanding issue.
