+++ This bug was initially created as a clone of Bug #896013 +++ Derek found that there are several new / different AVCs; the primary difference between his installation and where I performed testing is that his occur on x86 VMs --- Additional comment from Lon Hohberger on 2013-02-13 09:42:17 EST --- Created attachment 696818 [details] x86 failures --- Additional comment from Lon Hohberger on 2013-02-13 09:44:08 EST --- audit2allow spat out the following, given the above: #============= svirt_t ============== allow svirt_t nova_var_lib_t:file { read ioctl open getattr }; --- Additional comment from Lon Hohberger on 2013-02-13 09:46:48 EST --- Created attachment 696820 [details] Just the AVC failures --- Additional comment from Lon Hohberger on 2013-02-13 10:07:57 EST --- This is using qemu-system-x86_64, as it is launched within a VM: [root@ps2 ~(keystone_admin)]$ ps -efZ | grep -i qemu unconfined_u:system_r:svirt_t:s0:c96,c669 qemu 26359 1 73 10:01 ? 00:00:25 /usr/bin/qemu-system-x86_64 -name instance-0000000c -S -M rhel6.4.0 -no-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 310d8061-d96d-4461-9e07-46c10bdef9e8 -smbios type=1,manufacturer=Red Hat,, Inc.,product=Red Hat OpenStack Nova,version=2012.2.2-9.el6ost,serial=8d9c3cd0-140e-41c7-8536-7558161e038d,uuid=310d8061-d96d-4461-9e07-46c10bdef9e8 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000000c.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/nova/instances/instance-0000000c/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=25,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:77:37:d1,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/var/lib/nova/instances/instance-0000000c/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 192.168.0.36:0 -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 My bare-metal openstack deployment does not exhibit this behavior: system_u:system_r:svirt_t:s0:c300,c621 qemu 15689 1 6 09:58 ? 00:00:29 /usr/libexec/qemu-kvm -name instance-0000000d -S -M rhel6.4.0 -cpu core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,-nx -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 23b53c2a-d411-422e-8b7b-04d019247f7a -smbios type=1,manufacturer=Red Hat,, Inc.,product=Red Hat OpenStack Nova,version=2012.2.2-9.el6ost,serial=44454c4c-4400-1039-8031-b6c04f544331,uuid=23b53c2a-d411-422e-8b7b-04d019247f7a -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000000d.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -no-kvm-pit-reinjection -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/nova/instances/instance-0000000d/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=29,id=hostnet0,vhost=on,vhostfd=30 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:6c:ad:57,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/var/lib/nova/instances/instance-0000000d/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 10.16.60.37:3 -k en-us -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 --- Additional comment from Lon Hohberger on 2013-02-13 10:09:49 EST --- Could this be the problem? [root@ps2 ~(keystone_admin)]$ ls -lZ /usr/libexec/qemu-kvm -rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/libexec/qemu-kvm [root@ps2 ~(keystone_admin)]$ ls -lZ /usr/bin/qemu-system-x86_64 lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /usr/bin/qemu-system-x86_64 -> /usr/libexec/qemu-kvm --- Additional comment from Daniel Walsh on 2013-02-13 10:11:39 EST --- No SELinux is still transitioning properly. The problem is the target is either mislabeled, IE libvirt did not relabal content in /var/lib/nova/instances Or all virt machines need to be able to read content in /var/lib/nova/instances
Based on those AVCs I have a hard time believing this is at all related to the fact that Nova is running inside a VM. This is simply a labelling problem with directory where the Nova disk images are stored. Nothing about running nested should impact that.
The patch for 896013 / 915349 resolves this.
*** This bug has been marked as a duplicate of bug 915349 ***
Chances are good that there was something non-standard in my environment which is why this bug never appeared for me on bare-metal.