Bug 452103 - libvirt-0.4.3 needs set/getsched
libvirt-0.4.3 needs set/getsched
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-19 08:39 EDT by Alan Pevec
Modified: 2008-11-17 17:04 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:04:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Compled SELinux policy module for libvirt-0.4.3-1 (1016 bytes, application/octet-stream)
2008-06-20 04:02 EDT, Alan Pevec
no flags Details

  None (edit)
Description Alan Pevec 2008-06-19 08:39:34 EDT
Description of problem:
libvirt-0.4.3 added support for NUMA and vCPU pinning in QEmu
http://git.et.redhat.com/?p=libvirt.git;a=commit;h=6aaea11636ba5674d30c94b8ff8659736ca78248

running with SELinux enabled gives:
avc: denied { getsched } for pid=6231 comm="libvirtd"
scontext=unconfined_u:system_r:virtd_t:s0
tcontext=unconfined_u:system_r:virtd_t:s0 tclass=process 

avc: denied { setsched } for pid=6231 comm="libvirtd"
scontext=unconfined_u:system_r:virtd_t:s0
tcontext=unconfined_u:system_r:qemu_t:s0 tclass=process

Version-Release number of selected component (if applicable):
libvirt-0.4.3-1
selinux-policy-targeted-3.3.1-64

How reproducible:
always

Steps to Reproduce:
1. setenforce 1
2. virsh start node3 (for example)
3.
  
Actual results:
libvir: QEMU error : internal error failed to set CPU affinity Permission denied

error: Failed to start domain node3



Expected results:
Domain node3 started



Additional info:
Comment 1 Alan Pevec 2008-06-20 04:02:27 EDT
Created attachment 309910 [details]
Compled SELinux policy module for libvirt-0.4.3-1

audit2allow generated SELinux policy module:

module libvirt043 1.0;
require {
	type virtd_t;
	type qemu_t;
	class process { setsched getsched };
}
#============= virtd_t ==============
allow virtd_t qemu_t:process setsched;
allow virtd_t self:process getsched;

Attached is compiled module which you can install with:
semodule -i libvirt043.pp
Comment 2 Daniel Walsh 2008-06-22 06:53:30 EDT
Fixed in selinux-policy-3.3.1-68.fc9.noarch
Comment 3 Daniel Walsh 2008-11-17 17:04:42 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.