+++ This bug was initially created as a clone of Bug #750818 +++

Description of problem:
When condor-vm-gahp runs a KVM/VM job, the following error can be seen in /var/log/message:

SELinux is preventing condor_vm-gahp (initrc_t) "setattr" to ./testvm.img (svirt_image_t). For complete SELinux messages. run sealert -l e57ca993-1ff2-45c2-bd24-ae2a0d7e573e

--------------------------------------------
Excerpts from the output of sealert:

host=... type=AVC msg=audit(1320237390.206:506): avc: denied { setattr } for pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file

host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)

The job is successfully executed despite the error.

Job file:
---------------
Universe=vm
Executable=testvm
Log=$(cluster).vm.log
VM_TYPE=kvm
VM_MEMORY=768
VM_DISK=/var/lib/libvirt/images/testvm.img:vda:w
Queue
---------------

# ls -Z /var/lib/libvirt/images/testvm.img
-rwxr-xr-x root root system_u:object_r:svirt_image_t:s0:c242,c576 /var/lib/libvirt/images/testvm.img

("restorecon -vF /var/lib/libvirt/images/testvm.img" was also executed but it did not change anything).

The error can be seen on RHEL5.x (5.7) only, not on RHEL 6.2.

Version-Release number of selected component (if applicable):
condor-7.6.5-0.4
condor-classads-7.6.5-0.4
condor-vm-gahp-7.6.5-0.4

--- Additional comment from ltoscano on 2011-11-02 08:57:23 EDT ---

Created attachment 531347
Output from selinux -l <id>
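For triage, the AVC and SYSCALL records above can be merged on their shared audit serial (506) so that the source domain, the target label and the failing executable appear together. This is an added example, not part of the original report or of any Red Hat tool; the function names are hypothetical and the sample input is the two records quoted in the report.

```python
import errno
import re

# The two audit records quoted in the report, embedded so the example runs offline.
SAMPLE = '''\
host=... type=AVC msg=audit(1320237390.206:506): avc: denied { setattr } for pid=675 comm="condor_vm-gahp" name="testvm.img" dev=dm-0 ino=4751773 scontext=root:system_r:initrc_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c242,c576 tclass=file
host=... type=SYSCALL msg=audit(1320237390.206:506): arch=c000003e syscall=132 success=no exit=-13 a0=1cf42840 a1=7fffac450580 a2=0 a3=ea items=0 ppid=672 pid=675 auid=0 uid=0 gid=0 euid=64 suid=0 fsuid=64 egid=64 sgid=0 fsgid=64 tty=(none) ses=5 comm="condor_vm-gahp" exe="/usr/sbin/condor_vm-gahp" subj=root:system_r:initrc_t:s0 key=(null)
'''

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    # user:role:type:level; the MLS/MCS level may itself contain ':' (s0:c242,c576)
    user, role, typ, *level = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(level)}

def parse_events(text):
    """Merge AVC and SYSCALL records that share an audit serial number."""
    events = {}
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue  # not an audit record
        rtype, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        ev = events.setdefault(serial, {})
        denied = DENIED.search(line)
        if rtype == "AVC" and denied and "scontext" in fields and "tcontext" in fields:
            ev.update(perms=denied.group(1).split(), tclass=fields.get("tclass"),
                      name=fields.get("name"),
                      source=split_context(fields["scontext"]),
                      target=split_context(fields["tcontext"]))
        elif rtype == "SYSCALL":
            code = int(fields.get("exit", 0))
            ev.update(exe=fields.get("exe"), euid=fields.get("euid"),
                      error=errno.errorcode.get(-code) if code < 0 else None)
    return events

def summarize(ev):
    return (f"{ev.get('exe')} (domain {ev['source']['type']}, euid {ev.get('euid')}) denied "
            f"{','.join(ev['perms'])} on {ev['tclass']} {ev['name']} "
            f"(type {ev['target']['type']}, level {ev['target']['level']}): {ev.get('error')}")

if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE).items():
        if "perms" in ev:
            print(serial, summarize(ev))
```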
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue in the currently developed update. Contact your manager or support representative in case you need to escalate this bug.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
I labeled condor_vm-gahp as virtd_exec_t which we have in RHEL6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html