Description of problem:

[root@qeblade31 deltacloud-core]# ausearch -m avc
----
time->Fri Feb 24 09:53:43 2012
type=SYSCALL msg=audit(1330095223.159:148891): arch=c000003e syscall=59 success=yes exit=0 a0=1daf980 a1=1daef30 a2=1dafe40 a3=7fffde78a7f0 items=0 ppid=7386 pid=7421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330095223.159:148891): avc: denied { read } for pid=7421 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" dev=sda2 ino=57254938 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
type=AVC msg=audit(1330095223.159:148891): avc: denied { read } for pid=7421 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" dev=sda2 ino=57254938 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
----
time->Fri Feb 24 09:53:43 2012
type=SYSCALL msg=audit(1330095223.174:148892): arch=c000003e syscall=59 success=yes exit=0 a0=ef2ac0 a1=ef1f40 a2=ef2f50 a3=7fff31e0fa20 items=0 ppid=7422 pid=7423 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330095223.174:148892): avc: denied { read } for pid=7423 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" dev=sda2 ino=57254938 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
----
[root@qeblade31 deltacloud-core]# rpm -qa | grep imagefactory
imagefactory-jeosconf-ec2-fedora-1.0.0rc6-1.el6.noarch
imagefactory-1.0.0rc6-1.el6.noarch
imagefactory-jeosconf-ec2-rhel-1.0.0rc6-1.el6.noarch
rubygem-imagefactory-console-0.4.0-1.el6.noarch
[root@qeblade31 deltacloud-core]#
So, we are redirecting stdin, stdout and stderr to that file descriptor _if_ debug mode is enabled. This is something we added here:

https://github.com/aeolusproject/imagefactory/commit/f450df7ba50423398301c5b138b031cd2d0c27b5

We added this to allow for optional/additional debug output, particularly for beta users who encounter issues.

In this particular case, it seems that a qemu-kvm child process resulting from our use of libvirt or libguestfs is trying to read stdin and getting a denial. This will _only_ happen if the --debug flag is used. I'd say this is a benign error, since normally that read would fail entirely, as stdin doesn't exist when we daemonize in the "traditional" way.

In the longer term, it would be nice to fix this, possibly by having stdin attached to /dev/null. I suspect this also means that stderr output from subprocesses won't be available to us in the debug file, which we should also fix at some point.

Am suggesting we flag as 1.1.0 and just be mindful of the fact that if we want full stderr debug output when diagnosing a problem, we may need to disable SELinux during a reproducer. (Again, all in the context of chasing a bug, not normal operation.)
> jlaska: hewbrocca: imcleod: so if I understand correctly, this AVC is generated during an atypical use case (adding --debug flag), and doesn't appear to prevent/lose any functionality
> imcleod: jlaska: that is correct. I saw the same errors when debugging a rhev-m push failure yesterday. (The errors were unrelated to the push failure and must have occurred during the build phase in any case, since that is when we use libvirt and libguestfs.) They do not seem to prevent qemu-kvm from doing its job.
> imcleod: jlaska: I can make them go away by removing what I believe will be a valuable debug tool, which I would prefer not to do.
> jlaska: weshay: so you okay with de-escalating to 1.1.0 based on the information imcleod supplied?
> weshay: jlaska, will get back to you.. not sure if I want to push to 1.1

Based on that information, it doesn't seem like an AVC generated from a debugging tool should block Beta#2. I'll defer to Wes who initially escalated the bug for a decision on whether it is safe to defer this to post-1.0, or aim for something pre-release.
Suggest consideration of this one for 1.0.z

I'll check with folks about that. Otherwise we'll leave for 1.1.
let's retest this one with the... __upstream_imagefactory___ ...and see if any denials happen
Closing as part of general cleanup of older CloudForms related bugs. Per the comments above, this is a benign error. It does not stop execution of the factory related processes and occurs only when running in daemon mode and with --debug enabled.
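Added example, not part of the original report or of the imagefactory code: a Python triage script that collapses ausearch -m avc output like the description's into unique denials, counting for each one how many audit events hit it and how many of the syscalls in those events actually failed. The sample records are shortened from the output in this report; the function and key names are this example's own.

```python
import re

# Constructed sample: records shortened from the ausearch output in this report.
SAMPLE = """\
----
time->Fri Feb 24 09:53:43 2012
type=SYSCALL msg=audit(1330095223.159:148891): arch=c000003e syscall=59 success=yes exit=0 pid=7421 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1330095223.159:148891): avc: denied { read } for pid=7421 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
type=AVC msg=audit(1330095223.159:148891): avc: denied { read } for pid=7421 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
----
time->Fri Feb 24 09:53:43 2012
type=SYSCALL msg=audit(1330095223.174:148892): arch=c000003e syscall=59 success=yes exit=0 pid=7423 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1330095223.174:148892): avc: denied { read } for pid=7423 comm="qemu-kvm" path="/var/log/imagefactory.log-stderr_debug" scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_log_t:s0 tclass=file
----
"""

SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(\d+)\):.*\bsuccess=(\w+)")
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    # An SELinux context is user:role:type:level; policy rules are written on the type.
    return context.split(":")[2]

def summarize(text):
    """Map each unique denial to the number of audit events and failed syscalls."""
    syscall_ok = {}   # audit serial -> True if the syscall in that event succeeded
    seen = set()      # (serial, rule): drops AVC lines repeated within one event
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscall_ok[m.group(1)] = m.group(2) == "yes"
            continue
        m = AVC_RE.match(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        rule = (kv["comm"], se_type(kv["scontext"]), se_type(kv["tcontext"]),
                kv["tclass"], tuple(m.group(2).split()), kv.get("path", ""))
        seen.add((m.group(1), rule))
    summary = {}
    for serial, rule in sorted(seen):
        entry = summary.setdefault(rule, {"events": 0, "failed_syscalls": 0})
        entry["events"] += 1
        entry["failed_syscalls"] += int(not syscall_ok.get(serial, True))
    return summary

if __name__ == "__main__":
    for rule, counts in summarize(SAMPLE).items():
        print(rule, counts)
```

On the sample, the three AVC lines reduce to a single qemu_t to virt_log_t read denial seen in two events, with no failed syscalls.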