Description of problem:
SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-193.el6.x86_64
# rpm -qa|grep selinux
libselinux-2.0.94-5.1.el6.x86_64
selinux-policy-targeted-3.7.19-109.el6.noarch
libselinux-utils-2.0.94-5.1.el6.x86_64
libselinux-devel-2.0.94-5.1.el6.x86_64
libselinux-python-2.0.94-5.1.el6.x86_64
selinux-policy-3.7.19-109.el6.noarch

How reproducible:
always.

Steps to Reproduce:
1. please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442
2.
3.

Actual results:
type=AVC msg=audit(1315970963.788:47623): avc: denied { connectto } for pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket

Expected results:
allow libvirt to access /var/run/sanlock/sanlock.sock file.

Additional info:
SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /var/run/sanlock/sanlock.sock.
Additional Information:
Source Context: system_u:system_r:svirt_t:s0:c525,c976
Target Context: unconfined_u:system_r:sanlock_t:s0
Target Objects: /var/run/sanlock/sanlock.sock [ unix_stream_socket ]
Source: libvirtd
Source Path: /usr/sbin/libvirtd
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: libvirt-0.9.4-11.el6
Target RPM Packages:
Policy RPM: selinux-policy-3.7.19-109.el6
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.32-193.el6.x86_64 #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count: 1
First Seen: Wed 14 Sep 2011 11:29:23 AM CST
Last Seen: Wed 14 Sep 2011 11:29:23 AM CST
Local ID: 047cc8ae-1acb-4685-858c-9bcb0e119c7f

Raw Audit Messages:
type=AVC msg=audit(1315970963.788:47623): avc: denied { connectto } for pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1315970963.788:47623): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f69615dba30 a2=6e a3=fffffff4 items=0 ppid=1 pid=30081 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=libvirtd exe=/usr/sbin/libvirtd subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,svirt_t,sanlock_t,unix_stream_socket,connectto

audit2allow
#============= svirt_t ==============
allow svirt_t sanlock_t:unix_stream_socket connectto;

audit2allow -R
#============= svirt_t ==============
allow svirt_t sanlock_t:unix_stream_socket connectto;
I would add a new boolean:

    optional_policy(`
        tunable_policy(`virt_use_sanlock',`
            sanlock_stream_connect(svirt_t)
        ')
    ')

I see there is also:

type=AVC msg=audit(1315969550.576:47483): avc: denied { kill } for pid=28772 comm="sanlock" capability=5 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability
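Added example, not from this bug report or the selinux-policy project: a small Python parser that reads raw type=AVC records like the two quoted above, extracts the source type, target type, object class and denied permissions, and merges them into audit2allow-style allow rules so the denials can be reviewed before anyone decides whether a plain allow rule or a tunable (as proposed in the comment above) is the right fix. The sample log is constructed from the records on this page, with the SYSCALL record shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug plus a trimmed
# SYSCALL record, which the parser must ignore (only type=AVC carries the denial).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315970963.788:47623): avc: denied { connectto } for pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1315970963.788:47623): arch=x86_64 syscall=connect success=no exit=EACCES pid=30081 comm=libvirtd exe=/usr/sbin/libvirtd
type=AVC msg=audit(1315969550.576:47483): avc: denied { kill } for pid=28772 comm="sanlock" capability=5 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability
"""

# Matches the denied permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(log_text):
    """Merge denials into one audit2allow-style rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt          # audit2allow writes self for same-type rules
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The first generated rule matches the audit2allow output quoted in the description; the second is the kill capability denial from the comment above, written against self because source and target types are the same.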
Looks good to me.
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=738529.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html