Bug 751385 - SELinux error (setattr) for VM/KVM universe jobs (RHEL5 only)
Summary: SELinux error (setattr) for VM/KVM universe jobs (RHEL5 only)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 5.8
Assignee: Miroslav Grepl
QA Contact: Luigi Toscano
URL:
Whiteboard:
Depends On:
Blocks: 435010 750818
TreeView+ depends on / blocked
 
Reported: 2011-11-04 15:00 UTC by Matthew Farrellee
Modified: 2013-01-08 03:31 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-2.4.6-329.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 750818
Environment:
Last Closed: 2013-01-08 03:31:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description Matthew Farrellee 2011-11-04 15:00:48 UTC
+++ This bug was initially created as a clone of Bug #750818 +++

Description of problem:
When condor-vm-gahp runs a KVM/VM job, the following error can be seen in /var/log/message:

SELinux is preventing condor_vm-gahp (initrc_t) "setattr" to ./testvm.img (svirt_image_t). For complete SELinux messages. run sealert -l e57ca993-1ff2-45c2-bd24-ae2a0d7e573e

--------------------------------------------
Excerpts from the output of sealert:

host=... type=AVC msg=audit(1320237390.206:506): avc:  denied  { setattr } for  pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file

host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)


The job is successfully executed despite the error.

Job file:

---------------
Universe=vm
Executable=testvm
Log=$(cluster).vm.log
VM_TYPE=kvm
VM_MEMORY=768
VM_DISK=/var/lib/libvirt/images/testvm.img:vda:w
Queue

---------------

# ls -Z /var/lib/libvirt/images/testvm.img 
-rwxr-xr-x  root root system_u:object_r:svirt_image_t:s0:c242,c576 /var/lib/libvirt/images/testvm.img

("restorecon -vF /var/lib/libvirt/images/testvm.img" was also executed but it did not change anything).

The error can be seen on RHEL5.x (5.7) only, not on RHEL 6.2.

Version-Release number of selected component (if applicable):
condor-7.6.5-0.4
condor-classads-7.6.5-0.4
condor-vm-gahp-7.6.5-0.4

--- Additional comment from ltoscano@redhat.com on 2011-11-02 08:57:23 EDT ---

Created attachment 531347 [details]
Output from selinux -l <id>

Comment 9 RHEL Product and Program Management 2012-01-09 14:45:30 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.

Comment 11 RHEL Product and Program Management 2012-04-02 11:22:52 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 20 Miroslav Grepl 2012-07-16 08:21:03 UTC
I labeled condor_vm-gahp as virtd_exec_t which we have in RHEL6.

Comment 25 errata-xmlrpc 2013-01-08 03:31:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html


Note You need to log in before you can comment on or make changes to this bug.