Description of problem:
virt-sanlock-cleanup command can be successfully executed, however, the sanlock daemon will release the lease due to an SELinux issue. In fact, virt-sanlock-cleanup will call the 'sanlock client command -r' command.

Version-Release number of selected component (if applicable):
# uname -r
2.6.32-193.el6.x86_64
# rpm -q libvirt
libvirt-0.9.4-11.el6.x86_64
# rpm -q libvirt-lock-sanlock
libvirt-lock-sanlock-0.9.4-11.el6.x86_64 (virt-sanlock-cleanup)
# rpm -q sanlock
sanlock-1.7-4.el6.x86_64
# rpm -q selinux-policy
selinux-policy-3.7.19-109.el6.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Please refer to Comment 7 from bug 735442 (to generate the lease file).
# ll -aZ /var/lib/libvirt/sanlock
drwx------. root root system_u:object_r:virt_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
-rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0 9ba8f0215a51a6dc0aa077c427b749c8
-rw-------. root root unconfined_u:object_r:virt_var_lib_t:s0 __LIBVIRT__DISKS__
2. Run virt-sanlock-cleanup.
3. grep AVC /var/log/audit/audit.log

Actual results:
# grep AVC /var/log/audit/audit.log |tail -4
type=AVC msg=audit(1316063927.519:48994): avc: denied { search } for pid=25420 comm="sanlock" name="libvirt" dev=sda9 ino=3015123 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1316063927.519:48994): avc: denied { read write } for pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1316063927.519:48994): avc: denied { open } for pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=AVC msg=audit(1316063927.519:48995): avc: denied { getattr } for pid=25420 comm="sanlock" path="/var/lib/libvirt/sanlock/9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

Expected results:
Fix it.

Additional info:
Does it work if you execute

# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
# semodule -i sanlock.pp
# grep sanlock /var/log/audit/audit.log |audit2allow -M sanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sanlock.pp

[root@localhost ~]# semodule -i sanlock.pp
libsepol.print_missing_requirements: sanlock's global requirements were not met: type/attribute sanlock_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

Alex
You cannot name a package with the same name as the module.

Miroslav meant to say:

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp
(In reply to comment #3)
> You can not name a package with the same name as the module.
>
> Miroslav meant to say.
>
> # grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
> # semodule -i mysanlock.pp

Yeah, sanlock works well now based on the above steps. Daniel, thanks for your comment.

Alex
Oops, my bad. This should be fixed in the latest -111.el6 policy release which is available from brew for testing.
The above issues have been resolved on selinux-policy-3.7.19-112.el6.noarch, but I met another issue when I create or destroy a guest; for details, please refer to https://bugzilla.redhat.com/show_bug.cgi?id=735442.

When I tried the following operations, I met bug 738188 again; maybe I shouldn't do this:

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
Domain demo1 created from /root/demo1.xml

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process

# virsh destroy demo1
Domain demo1 destroyed

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process

# grep sanlock /var/log/audit/audit.log |audit2allow -M mysanlock
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mysanlock.pp

# semodule -i mysanlock.pp
# virsh create /root/demo1.xml
error: Failed to create domain from /root/demo1.xml
error: internal error Failed to open socket to sanlock daemon: Operation not permitted

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317200460.170:128): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c115,c277 tclass=process
type=AVC msg=audit(1317201002.861:176): avc: denied { connectto } for pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket

Additional information:

SELinux is preventing /usr/sbin/sanlock from using the sigkill access on a process.

Additional Information:
Source Context                unconfined_u:system_r:sanlock_t:s0
Target Context                system_u:system_r:svirt_t:s0:c555,c634
Target Objects                Unknown [ process ]
Source                        sanlock
Source Path                   /usr/sbin/sanlock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sanlock-1.7-4.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-112.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-193.el6.x86_64 #1 SMP Mon Aug 29 11:19:20 EDT 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 28 Sep 2011 05:01:33 PM CST
Last Seen                     Wed 28 Sep 2011 05:01:33 PM CST
Local ID                      e0ce778a-e0cc-4505-a62e-69bd5d7dd79a

Raw Audit Messages
type=AVC msg=audit(1317200493.494:153): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c555,c634 tclass=process
type=SYSCALL msg=audit(1317200493.494:153): arch=x86_64 syscall=kill success=yes exit=0 a0=4d33 a1=9 a2=7f5a49920148 a3=1 items=0 ppid=1 pid=19505 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=sanlock exe=/usr/sbin/sanlock subj=unconfined_u:system_r:sanlock_t:s0 key=(null)

Hash: sanlock,sanlock_t,svirt_t,process,sigkill

audit2allow

#============= sanlock_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow sanlock_t svirt_t:process sigkill;

audit2allow -R

#============= sanlock_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow sanlock_t svirt_t:process sigkill;
Miroslav, we need to run sanlock ranged, just like virtd_t.

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
')
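The two kinds of denial in this thread look alike in the audit log but need different fixes: the file and directory denials from the first report are ordinary type-enforcement misses that an allow rule (as audit2allow generates) satisfies, while the sigkill denials against svirt_t are MCS constraint violations, which no allow rule can satisfy because unranged sanlock_t (level s0) does not dominate a guest's categories, hence the ranged-domain fix above. The following script is an added example, not code from the bug report or from the selinux-policy project; it parses the AVC records quoted in this thread (embedded as constructed sample input, together with one SYSCALL record to show filtering) and applies a dominance heuristic that mirrors audit2allow's "constraint violation" note. The function names, the heuristic itself and the remedy hint strings are this example's own assumptions.

```python
"""Added example (not from the bug report): classify SELinux AVC denials as
plain type-enforcement denials or MCS constraint violations by comparing the
category sets of the source and target contexts."""
import re

# Constructed sample input: AVC lines copied from the report above, plus one
# SYSCALL record to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316063927.519:48994): avc: denied { search } for pid=25420 comm="sanlock" name="libvirt" dev=sda9 ino=3015123 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1316063927.519:48994): avc: denied { read write } for pid=25420 comm="sanlock" name="9ba8f0215a51a6dc0aa077c427b749c8" dev=sda9 ino=131283 scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1317200493.494:153): arch=x86_64 syscall=kill success=yes exit=0 comm=sanlock exe=/usr/sbin/sanlock
type=AVC msg=audit(1317200388.275:103): avc: denied { sigkill } for pid=19505 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=system_u:system_r:svirt_t:s0:c940,c997 tclass=process
type=AVC msg=audit(1317201002.861:176): avc: denied { connectto } for pid=19911 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c381,c588 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]; an unranged context such as
    unconfined_u:system_r:sanlock_t:s0 gets level 's0'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    level = parts[3] if len(parts) == 4 else 's0'
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def categories(level):
    """Category set of the high end of an MCS level.
    's0' -> set(); 's0:c940,c997' -> {940, 997}; 's0-s0:c0.c1023' -> {0..1023}."""
    high = level.split('-')[-1]
    if ':' not in high:
        return set()
    cats = set()
    for item in high.split(':', 1)[1].split(','):
        if '.' in item:                      # a range such as c0.c1023
            lo, hi = item.split('.')
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'tclass': fields['tclass'],
        'source': parse_context(fields['scontext']),
        'target': parse_context(fields['tcontext']),
    }


def classify(rec):
    """Heuristic (this example's assumption) matching audit2allow's note: if
    the target carries categories the source level does not hold, the MCS
    constraint, not a missing allow rule, is what denies the access."""
    if categories(rec['target']['level']) <= categories(rec['source']['level']):
        return 'type_enforcement'
    return 'mcs_constraint'


def allow_rule(rec):
    """The TE rule audit2allow would emit for a plain type-enforcement denial."""
    return 'allow %s %s:%s { %s };' % (
        rec['source']['type'], rec['target']['type'], rec['tclass'], ' '.join(rec['perms']))


def summarize(lines):
    """Parse every AVC record and attach a classification and a remedy hint."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rec['kind'] = classify(rec)
        if rec['kind'] == 'type_enforcement':
            rec['hint'] = allow_rule(rec)
        else:
            # An allow rule cannot satisfy a constraint; the domain must run
            # ranged (as in the fix above) or carry a constraint-exempt attribute.
            rec['hint'] = ('run %s ranged (e.g. s0 - mcs_systemhigh); '
                           'an allow rule alone will not help' % rec['source']['type'])
        out.append(rec)
    return out


if __name__ == '__main__':
    for rec in summarize(SAMPLE_AUDIT.splitlines()):
        print('%-16s %s -> %s:%s  %s' % (rec['kind'], rec['source']['type'],
              rec['target']['type'], rec['tclass'], rec['hint']))
```

Run against a real log with `summarize(open('/var/log/audit/audit.log').readlines())`; any record reported as `mcs_constraint` is one that `audit2allow -M` will turn into a module that loads but changes nothing, which is exactly the behaviour observed in this thread after the sigkill denials.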
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html