Bug 751385 - SELinux error (setattr) for VM/KVM universe jobs (RHEL5 only)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 5.8
Assigned To: Miroslav Grepl
QA Contact: Luigi Toscano
Blocks: 435010 750818
Reported: 2011-11-04 11:00 EDT by Matthew Farrellee
Modified: 2013-01-07 22:31 EST (History)
Fixed In Version: selinux-policy-2.4.6-329.el5
Doc Type: Bug Fix
Clone Of: 750818
Last Closed: 2013-01-07 22:31:17 EST
Attachments: None
Description Matthew Farrellee 2011-11-04 11:00:48 EDT
+++ This bug was initially created as a clone of Bug #750818 +++

Description of problem:
When condor-vm-gahp runs a KVM/VM job, the following error can be seen in /var/log/message:

SELinux is preventing condor_vm-gahp (initrc_t) "setattr" to ./testvm.img (svirt_image_t). For complete SELinux messages. run sealert -l e57ca993-1ff2-45c2-bd24-ae2a0d7e573e

--------------------------------------------
Excerpts from the output of sealert:

host=... type=AVC msg=audit(1320237390.206:506): avc:  denied  { setattr } for  pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file

host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)


The job is successfully executed despite the error.

Job file:

---------------
Universe=vm
Executable=testvm
Log=$(cluster).vm.log
VM_TYPE=kvm
VM_MEMORY=768
VM_DISK=/var/lib/libvirt/images/testvm.img:vda:w
Queue

---------------

# ls -Z /var/lib/libvirt/images/testvm.img 
-rwxr-xr-x  root root system_u:object_r:svirt_image_t:s0:c242,c576 /var/lib/libvirt/images/testvm.img

("restorecon -vF /var/lib/libvirt/images/testvm.img" was also executed but it did not change anything).

The error can be seen on RHEL5.x (5.7) only, not on RHEL 6.2.

Version-Release number of selected component (if applicable):
condor-7.6.5-0.4
condor-classads-7.6.5-0.4
condor-vm-gahp-7.6.5-0.4

--- Additional comment from ltoscano@redhat.com on 2011-11-02 08:57:23 EDT ---

Created attachment 531347
Output from selinux -l <id>
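As an added example (not part of the bug report or of Condor), a small Python parser for the AVC record quoted above, with a triage rule for the pattern this bug shows: a helper still running in initrc_t (no domain transition took place) touching svirt_image_t disk images, which points at a mislabelled executable rather than at a policy gap.

```python
import re
from dataclasses import dataclass

# Constructed copy of the AVC record quoted in the bug report. The leading
# host= comes from the sealert excerpt; raw audit.log lines do not carry it.
SAMPLE_AVC = ('host=... type=AVC msg=audit(1320237390.206:506): avc:  denied  { setattr } for  '
              'pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 '
              'scontext=root:system_r:initrc_t:s0 '
              'tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file')

# Header of an AVC record: timestamp:serial, denied/granted, permission set, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict

    def ctx_type(self, which):
        # An SELinux context is user:role:type[:level]; the type decides the policy outcome.
        return self.fields[which].split(':')[2]


def parse_avc(line):
    """Parse one audit AVC record; return None for non-AVC lines (e.g. type=SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(float(m.group('ts')), int(m.group('serial')), m.group('result'),
               m.group('perms').split(), fields)


def classify(avc):
    """Triage hint: initrc_t acting on svirt_image_t means the helper never left the
    init domain, so its executable label (here condor_vm-gahp) is the thing to check."""
    if (avc.result == 'denied' and avc.ctx_type('scontext') == 'initrc_t'
            and avc.ctx_type('tcontext') == 'svirt_image_t'):
        return 'mislabeled-helper'
    return 'other'
```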
Comment 9 RHEL Product and Program Management 2012-01-09 09:45:30 EST
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
Comment 11 RHEL Product and Program Management 2012-04-02 07:22:52 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 20 Miroslav Grepl 2012-07-16 04:21:03 EDT
I labeled condor_vm-gahp as virtd_exec_t which we have in RHEL6.
Comment 25 errata-xmlrpc 2013-01-07 22:31:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
