Description of problem:
qemu-kvm should be allowed getattr access on the sanlock filesystem by default.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.209.el6
libvirt-lock-sanlock-0.9.4-23.el6
selinux-policy-3.7.19-126.el6

How reproducible:
always

Steps to Reproduce:
1. Follow this link: http://fedoraproject.org/wiki/Features/VirtLockManager (see the 'Dual host testing' section)
2. Enable the following SELinux booleans:
   virt_use_nfs --> on
   virt_use_sanlock --> on

Actual results:
"AVC" error in /var/log/audit/audit.log.

Expected results:
Allow qemu-kvm getattr access on the sanlock filesystem.

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c451,c888
Target Context                system_u:object_r:nfs_t:s0
Target Objects                /var/lib/libvirt/sanlock [ filesystem ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           qemu-kvm-0.12.1.2-2.209.el6
Target RPM Packages           libvirt-lock-sanlock-0.9.4-23.el6
Policy RPM                    selinux-policy-3.7.19-126.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 17 Nov 2011 03:23:51 PM CST
Last Seen                     Thu 17 Nov 2011 03:23:51 PM CST
Local ID                      8ccfe6a3-6d4e-4efb-8988-4702cbb35f92

Raw Audit Messages
type=AVC msg=audit(1321514631.952:90362): avc: denied { getattr } for pid=23083 comm="qemu-kvm" name="/" dev=0:1e ino=1703968 scontext=system_u:system_r:svirt_t:s0:c451,c888 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1321514631.952:90362): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=7 a1=7fff3771b0a0 a2=2 a3=ffffffffffffff0e items=0 ppid=1 pid=23083 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=168 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c451,c888 key=(null)

Hash: qemu-kvm,svirt_t,nfs_t,filesystem,getattr

audit2allow

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;

audit2allow -R

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;
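The raw audit records above are the evidence the whole thread turns on, so as an added example (not part of this bug report, nor code from selinux-policy, libvirt or setroubleshoot) here is a small parser for type=AVC records that pulls out the source type, target type, object class and denied permissions, derives the TE rule audit2allow would print, and converts the msg=audit(<epoch>:<serial>) stamp to a UTC time so a denial can be compared against the moment a boolean such as virt_use_nfs was switched on. The sample log is constructed from the two records quoted in the report; the boolean-change time in the demo is a hypothetical value.

```python
"""Parse raw SELinux AVC records and derive the audit2allow-style rule they
imply, plus a timestamp check that tells a stale denial from a live one."""
import re
from datetime import datetime, timezone

# Constructed sample input: the two audit records quoted in the report, laid
# out one record per line as /var/log/audit/audit.log stores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1321514631.952:90362): avc: denied { getattr } for pid=23083 comm="qemu-kvm" name="/" dev=0:1e ino=1703968 scontext=system_u:system_r:svirt_t:s0:c451,c888 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1321514631.952:90362): arch=x86_64 syscall=fstatfs success=no exit=EACCES a0=7 a1=7fff3771b0a0 a2=2 a3=ffffffffffffff0e items=0 ppid=1 pid=23083 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=168 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c451,c888 key=(null)
"""

# type=AVC msg=audit(<epoch>.<ms>:<serial>): avc: denied { perm ... } for k=v ...
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="qemu-kvm").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (svirt_t, nfs_t, ...)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one type=AVC record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'time': datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'path': fields.get('path') or fields.get('name'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_audit_log(text):
    """All AVC records in an audit.log excerpt, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def allow_rule(avc):
    """The TE rule audit2allow would print for this record."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'],
                                   avc['tclass'], perm_str)


def predates(avc, changed_at):
    """True if the record was logged before changed_at (an aware datetime),
    e.g. the moment a boolean was switched on: such a denial is history, not
    evidence that the current policy still denies the access."""
    return avc['time'] < changed_at


if __name__ == '__main__':
    # Hypothetical time at which virt_use_nfs was turned on (an assumption,
    # chosen to fall after the sample record).
    BOOLEAN_CHANGED_AT = datetime(2011, 11, 17, 8, 0, tzinfo=timezone.utc)
    for avc in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(avc['time'].isoformat(), avc['comm'], avc['result'], avc['perms'])
        print('  ' + allow_rule(avc))
        print('  logged before boolean change:', predates(avc, BOOLEAN_CHANGED_AT))
```

The parser only consumes type=AVC lines; the type=SYSCALL record that shares the same serial is skipped here, though its exit=EACCES and syscall=fstatfs are what tie the denial to the failed call. Comparing the record time with the time a boolean was changed is the check that settles the question raised in the comments below: a denial older than the change says nothing about the current policy, and a fresh reproduction is needed before filing.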
I don't think this is really related to sanlock. It just looks like regular NFS disk access from the guest.
Right, these AVCs are being allowed in the current policy:

#============= svirt_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_t nfs_t:filesystem getattr;

Did you turn on virt_use_nfs and then report the bug?
(In reply to comment #1)
> I don't think this is really related to sanlock. It just looks like regular NFS
> disk access from the guest.

Yeah, it's just an NFS SELinux issue I hit when testing the lock manager in the NFS scenario. '/var/lib/libvirt/sanlock' happens to be a shared directory, so the bug summary includes it, which probably misled you or others.
(In reply to comment #2)
>
> Did you turn on the virt_use_nfs and then report the bug?

Daniel, yeah, you're right. I just double-checked this issue: I did indeed turn on the virt_use_nfs SELinux boolean; however, this AVC denial is a history record from before virt_use_nfs was turned on, so virt_use_nfs works well. Thanks for your comment.