Description of problem: On RHEL 6.3 hypervisor, We saw selinux preventing qemu-kvm getattr access while starting VMs from RHEV-M hosted on RHS storage domain. We were able to start VMs successfully though. Version-Release number of selected component (if applicable): # rpm -qa | grep vdsm vdsm-bootstrap-4.9.6-38.0.el6_3.noarch vdsm-4.9.6-38.0.el6_3.x86_64 vdsm-python-4.9.6-38.0.el6_3.x86_64 vdsm-cli-4.9.6-38.0.el6_3.noarch # getsebool -a | grep fusefs samba_share_fusefs --> off sanlock_use_fusefs --> on use_fusefs_home_dirs --> off virt_use_fusefs --> on # rpm -qa | grep -i selinux libselinux-python-2.0.94-5.3.el6.x86_64 selinux-policy-3.7.19-155.el6_3.6.noarch libselinux-2.0.94-5.3.el6.x86_64 selinux-policy-targeted-3.7.19-155.el6_3.6.noarch libselinux-utils-2.0.94-5.3.el6.x86_64 How reproducible: Consistently Steps to Reproduce: 1. Start a VM hosted on RHS storage domain 2. 3. Actual results: In audit.log type=AVC msg=audit(1350997078.489:855): avc: denied { getattr } for pid=10844 comm="qemu-kvm" name="/" dev=fuse ino=1 scontext=system_u:system_r:svirt_t:s0:c117,c899 tcontext=system_u:object_r:fusefs_t:s0 tclass=filesystem Additional info: # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted --- sealert -a /var/log/audit/audit.log SELinux is preventing /usr/libexec/qemu-kvm from getattr access on the filesystem /. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that qemu-kvm should be allowed getattr access on the filesystem by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
It needs to be fixed. I am backporting all fixes related to virt_use_* booleans.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html