
Bug 751385

Summary: SELinux error (setattr) for VM/KVM universe jobs (RHEL5 only)
Product: Red Hat Enterprise Linux 5
Reporter: Matthew Farrellee <matt>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Luigi Toscano <ltoscano>
Severity: medium
Priority: unspecified
Version: 5.6
CC: dwalsh, iboverma, ksrot, ltoscano, matt, mmalik, tstclair
Target Milestone: rc
Target Release: 5.8
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-2.4.6-329.el5
Doc Type: Bug Fix
Clone Of: 750818
Last Closed: 2013-01-08 03:31:17 UTC
Bug Blocks: 435010, 750818

Description Matthew Farrellee 2011-11-04 15:00:48 UTC
+++ This bug was initially created as a clone of Bug #750818 +++

Description of problem:
When condor-vm-gahp runs a KVM/VM job, the following error can be seen in /var/log/message:

SELinux is preventing condor_vm-gahp (initrc_t) "setattr" to ./testvm.img (svirt_image_t). For complete SELinux messages. run sealert -l e57ca993-1ff2-45c2-bd24-ae2a0d7e573e

--------------------------------------------
Excerpts from the output of sealert:

host=... type=AVC msg=audit(1320237390.206:506): avc:  denied  { setattr } for  pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file

host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)


The job is successfully executed despite the error.

Job file:

---------------
Universe=vm
Executable=testvm
Log=$(cluster).vm.log
VM_TYPE=kvm
VM_MEMORY=768
VM_DISK=/var/lib/libvirt/images/testvm.img:vda:w
Queue

---------------

# ls -Z /var/lib/libvirt/images/testvm.img 
-rwxr-xr-x  root root system_u:object_r:svirt_image_t:s0:c242,c576 /var/lib/libvirt/images/testvm.img

("restorecon -vF /var/lib/libvirt/images/testvm.img" was also executed but it did not change anything).

The error can be seen on RHEL5.x (5.7) only, not on RHEL 6.2.

Version-Release number of selected component (if applicable):
condor-7.6.5-0.4
condor-classads-7.6.5-0.4
condor-vm-gahp-7.6.5-0.4

--- Additional comment from ltoscano on 2011-11-02 08:57:23 EDT ---

Created attachment 531347 [details]
Output from selinux -l <id>

Comment 9 RHEL Program Management 2012-01-09 14:45:30 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.

Comment 11 RHEL Program Management 2012-04-02 11:22:52 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 20 Miroslav Grepl 2012-07-16 08:21:03 UTC
I labeled condor_vm-gahp as virtd_exec_t which we have in RHEL6.

Comment 25 errata-xmlrpc 2013-01-08 03:31:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
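
Added example (not part of the original bug report and not Red Hat tooling): a small parser that joins the AVC and SYSCALL records from the Description by audit event id and reports denials whose source domain is initrc_t, together with the executable that triggered them. The function names are hypothetical, and treating initrc_t as the sign of a daemon binary without its own label is an assumption drawn from the fix in Comment 20.

```python
import errno
import re

# Both records are copied from the sealert excerpt in this bug ("host=..." is elided there).
SAMPLE = '''host=... type=AVC msg=audit(1320237390.206:506): avc:  denied  { setattr } for  pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file
host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)
'''

HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_records(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if not header:
            continue
        rtype, event_id = header.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[header.end():])}
        if rtype == "AVC":
            denied = DENIED_RE.search(line)
            fields["perms"] = denied.group(1).split() if denied else []
        events.setdefault(event_id, {})[rtype] = fields
    return events

def initrc_denials(events, source_type="initrc_t"):
    """Denials from source_type, joined with exe and errno of the same event."""
    findings = []
    for event_id, records in events.items():
        avc = records.get("AVC")
        if not avc or not avc["perms"] or "scontext" not in avc:
            continue
        # An SELinux context is user:role:type[:level]; the type is the third field.
        if avc["scontext"].split(":")[2] != source_type:
            continue
        syscall = records.get("SYSCALL", {})
        exit_code = int(syscall.get("exit", "0"))
        findings.append({
            "event": event_id,
            "exe": syscall.get("exe", avc.get("comm")),
            "perms": avc["perms"],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc.get("tclass"),
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        })
    return findings

print(initrc_denials(parse_records(SAMPLE)))
```

On the records from this bug it reports one finding: /usr/sbin/condor_vm-gahp, running as initrc_t, denied setattr on a svirt_image_t file with EACCES.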