Bug 990041 - systemctl reload systemd container fail
Summary: systemctl reload systemd container fail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-30 09:52 UTC by Wayne Sun
Modified: 2014-09-30 23:35 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.12.1-116.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:53:06 UTC
Target Upstream Version:
Embargoed:



Description Wayne Sun 2013-07-30 09:52:36 UTC
Description of problem:
using systemctl to reload a systemd container fails

Version-Release number of selected component (if applicable):
libvirt-1.1.0-2.el7.x86_64
libvirt-sandbox-0.2.1-1.el7.x86_64
systemd-204-4.el7.x86_64
kernel-3.9.0-0.55.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. create a container
# virt-sandbox-service create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c45,c20 -N dhcp,source=default testbox
Created sandbox container dir /var/lib/libvirt/filesystems/testbox
Created unit file /etc/systemd/system/testbox_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/testbox.sandbox

2. start container
# systemctl start testbox_sandbox.service
# systemctl status testbox_sandbox.service
testbox_sandbox.service - Secure Sandbox Container testbox
   Loaded: loaded (/etc/systemd/system/testbox_sandbox.service; enabled)
   Active: active (running) since Tue 2013-07-30 17:42:08 CST; 2s ago
 Main PID: 20753 (virt-sandbox-se)
   CGroup: name=systemd:/system/testbox_sandbox.service
           └─20753 virt-sandbox-service-util -c lxc:/// -s testbox

3. reload container
# systemctl reload testbox_sandbox.service
Job for testbox_sandbox.service failed. See 'systemctl status testbox_sandbox.service' and 'journalctl -xn' for details.

# systemctl status testbox_sandbox.service
testbox_sandbox.service - Secure Sandbox Container testbox
   Loaded: loaded (/etc/systemd/system/testbox_sandbox.service; enabled)
   Active: active (running) (Result: exit-code) since Tue 2013-07-30 17:42:08 CST; 5min ago
  Process: 20902 ExecReload=/usr/bin/virt-sandbox-service reload -u httpd.service testbox (code=exited, status=1/FAILURE)
 Main PID: 20753 (virt-sandbox-se)
   CGroup: name=systemd:/system/testbox_sandbox.service
           └─20753 virt-sandbox-service-util -c lxc:/// -s testbox

check log:
# tail /var/log/messages
Jul 30 17:47:42 hp-dl385g7-04 systemd[1]: Reloading Secure Sandbox Container testbox.
Jul 30 17:47:42 hp-dl385g7-04 virt-sandbox-service[20902]: /usr/bin/virt-sandbox-service: Requested unit httpd.service does not exist
Jul 30 17:47:42 hp-dl385g7-04 systemd[1]: testbox_sandbox.service: control process exited, code=exited status=1
Jul 30 17:47:42 hp-dl385g7-04 systemd[1]: Reload failed for Secure Sandbox Container testbox.


Actual results:
fail 

Expected results:
success

Additional info:
using virt-sandbox-service reload will succeed
# /usr/bin/virt-sandbox-service reload -u httpd.service testbox

# echo $?
0

Comment 2 Wayne Sun 2013-07-30 11:40:55 UTC
problem still exists after updating systemd and libvirt to:
systemd-206-1.el7.x86_64
libvirt-1.1.1-1.el7.x86_64

Comment 3 Wayne Sun 2013-08-02 07:56:09 UTC
update packages:
libvirt-1.1.1-1.el7.x86_64
libvirt-sandbox-0.5.0-1.el7.x86_64
systemd-206-2.el7.x86_64

steps:
1. upgrade sandbox
# virt-sandbox-service upgrade testbox
Created unit file /etc/systemd/system/testbox_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/testbox/config/sandbox.cfg

2. start sandbox
# systemctl start testbox_sandbox
# systemctl status testbox_sandbox
testbox_sandbox.service - Secure Sandbox Container testbox
   Loaded: loaded (/etc/systemd/system/testbox_sandbox.service; disabled)
   Active: active (running) since Fri 2013-08-02 15:48:52 CST; 4s ago
 Main PID: 14169 (virt-sandbox-se)
   CGroup: /system/system.slice/testbox_sandbox.service
           └─14169 /usr/libexec/virt-sandbox-service-util -c lxc:/// -s testbox

Aug 02 15:48:52 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Started Secure Sandbox Container testbox.

# journalctl -xn
-- Logs begin at Mon 2013-05-27 17:36:55 CST, end at Fri 2013-08-02 15:48:55 CST. --
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Listening on D-Bus System Message 
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Reached target Sockets.
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Reached target Timers.
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Reached target Basic System.
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: Starting The Apache HTTP Server...
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: Starting Cleanup of Temporary Directories..
Aug 02 15:48:53 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Started Cleanup of Temporary Direc
Aug 02 15:48:54 hp-dl385g7-04.qe.lab.eng.nay.redhat.com avahi-daemon[625]: Registering new address record for fe80::84ff:18ff:fe8c:e2
Aug 02 15:48:55 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Started The Apache HTTP Server.
Aug 02 15:48:55 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[14169]: [  OK  ] Reached target Sandbox multi-user 

3. reload sandbox
# systemctl reload testbox_sandbox
Job for testbox_sandbox.service failed. See 'systemctl status testbox_sandbox.service' and 'journalctl -xn' for details.

# journalctl -xn
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Reloading Secure Sandbox Container testbox.
-- Subject: Unit testbox_sandbox.service has begun with reloading its configuration
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/d34d037fff1847e6ae669a370e694725
-- 
-- Unit testbox_sandbox.service has begun with reloading its configuration
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com virt-sandbox-service[14248]: /usr/bin/virt-sandbox-service: Requested unit ht
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: testbox_sandbox.service: control process exited, code=exited stat
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Reload failed for Secure Sandbox Container testbox.
-- Subject: Unit testbox_sandbox.service has finished reloading its configuration
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/7b05ebc668384222baa8881179cfda54
-- 
-- Unit testbox_sandbox.service has finished reloading its configuration
-- 
-- The result is failed.

# systemctl status testbox_sandbox
testbox_sandbox.service - Secure Sandbox Container testbox
   Loaded: loaded (/etc/systemd/system/testbox_sandbox.service; disabled)
   Active: active (running) (Result: exit-code) since Fri 2013-08-02 15:48:52 CST; 4min 27s ago
  Process: 14248 ExecReload=/usr/bin/virt-sandbox-service -c lxc:/// reload -u httpd.service testbox (code=exited, status=1/FAILURE)
 Main PID: 14169 (virt-sandbox-se)
   CGroup: /system/system.slice/testbox_sandbox.service
           └─14169 /usr/libexec/virt-sandbox-service-util -c lxc:/// -s testbox

Aug 02 15:48:52 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Started Secure Sandbox Container testbox.
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Reloading Secure Sandbox Container testbox.
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: testbox_sandbox.service: control process exited, code=exit...us=1
Aug 02 15:50:21 hp-dl385g7-04.qe.lab.eng.nay.redhat.com systemd[1]: Reload failed for Secure Sandbox Container testbox.

The container is still running but reload fails.

Comment 4 Daniel Berrangé 2013-08-02 16:50:28 UTC
Running this manually works:

 /usr/bin/virt-sandbox-service -c lxc:/// reload -u httpd.service myhttpd

Running systemctl reload myhttpd_sandbox.service fails, even though it executes the exact same command.

The only difference is SELinux, and indeed I see some AVCs in the logs:

type=AVC msg=audit(1375461975.750:48): avc:  denied  { getattr } for  pid=7511 comm="virt-sandbox-se" path="/usr/lib/systemd/system/httpd.service" dev="dm-1" ino=300464 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=file

type=AVC msg=audit(1375461975.782:49): avc:  denied  { execute } for  pid=7511 comm="virt-sandbox-se" name="systemctl" dev="dm-1" ino=163961 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

type=AVC msg=audit(1375461975.901:50): avc:  denied  { read open } for  pid=7514 comm="virsh" path="/usr/bin/systemctl" dev="dm-1" ino=163961 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

type=AVC msg=audit(1375461976.087:51): avc:  denied  { getpgid } for  pid=7180 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0 tclass=process


audit2allow suggests

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t self:process getpgid;

#============= virsh_t ==============
allow virsh_t httpd_unit_file_t:file getattr;
allow virsh_t systemd_systemctl_exec_t:file { read execute open };


The first rule seems reasonable, but not so sure about those virsh_t rules. Is that suggesting the "ExecReload" command is running under a bogus context? I wouldn't expect 'virt-sandbox-service' to have transitioned to 'virsh_t' when systemd ran it.
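
The denial-to-rule translation that audit2allow performs above, as an added example (not part of the bug report, libvirt-sandbox or audit2allow itself; the helper names are my own): it parses the four AVC records quoted in this comment into audit2allow-style allow rules per source type, and also lists which source domain each comm ran in, which is the clue that virt-sandbox-service was running as virsh_t.

```python
import re
from collections import defaultdict

# Sample input: the four AVC records quoted in the comment above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1375461975.750:48): avc:  denied  { getattr } for  pid=7511 comm="virt-sandbox-se" path="/usr/lib/systemd/system/httpd.service" dev="dm-1" ino=300464 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=file
type=AVC msg=audit(1375461975.782:49): avc:  denied  { execute } for  pid=7511 comm="virt-sandbox-se" name="systemctl" dev="dm-1" ino=163961 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1375461975.901:50): avc:  denied  { read open } for  pid=7514 comm="virsh" path="/usr/bin/systemctl" dev="dm-1" ino=163961 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1375461976.087:51): avc:  denied  { getpgid } for  pid=7180 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:system_r:svirt_lxc_net_t:s0 tclass=process
"""

# One AVC "denied" record: the permission set in braces, the process name,
# and the source/target security contexts plus object class at the end.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=\d+\s+'
    r'comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:virsh_t:s0 -> virsh_t."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "source": selinux_type(m.group("scontext")),
        "target": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(lines):
    """Collapse denials into audit2allow-style allow rules, grouped by source type.

    Permissions for the same (source, target, class) triple are merged; a
    target equal to the source is written as 'self', as audit2allow does.
    The output is for review only: the virsh_t rules here point at a
    mislabelled binary, not at a permission the policy should grant.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["target"] == d["source"] else d["target"]
        perms_by_key[(d["source"], target, d["tclass"])].update(d["perms"])

    rules = defaultdict(list)
    for (source, target, tclass), perms in sorted(perms_by_key.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules[source].append(f"allow {source} {target}:{tclass} {perm_str};")
    return dict(rules)


def domains_by_comm(lines):
    """Map each denied process name to the source domain(s) it was running in.

    This is the check behind the comment above: if a binary shows up in a
    domain it has no business in (virt-sandbox-se in virsh_t), the fix is a
    file-context/label change, not an allow rule.
    """
    seen = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            seen[d["comm"]].add(d["source"])
    return dict(seen)


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    for source, rules in allow_rules(lines).items():
        print(f"#============= {source} ==============")
        print("\n".join(rules))
    print(domains_by_comm(lines))
```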

Comment 5 Daniel Berrangé 2013-08-13 16:48:52 UTC
Confirmed, for some reason the SELinux policy has re-used the virsh_exec_t context for virt-sandbox-service. IMHO the policy needs to define a dedicated domain for this new binary so it can have these greater privileges, without giving them to virsh too.

# ls -alZ /usr/bin/virt-sandbox-service 
-rwxr-xr-x. root root system_u:object_r:virsh_exec_t:s0 /usr/bin/virt-sandbox-service

Comment 6 Daniel Walsh 2013-08-13 22:31:56 UTC
Wayne, if you execute

chcon -t bin_t /usr/bin/virt-sandbox-service

And then attempt the command, does it work?

Since virt-sandbox-service no longer does virsh stuff, I am removing the label and allowing it to run in the current domain.

Comment 7 Wayne Sun 2013-08-14 03:15:07 UTC
(In reply to Daniel Walsh from comment #6)
> Wayne if you execute 
> 
> chcon -t bin_t /usr/bin/virt-sandbox-service
> 
> And then attempt the command does it work?
> 
> Since virt-sandbox-service no longer does virsh stuff, I am removing the
> label and allowing it to run in the current domain.

pkgs:
libvirt-sandbox-0.5.0-2.el7.x86_64
libvirt-1.1.1-2.el7.x86_64
kernel-3.10.0-5.el7.x86_64
systemd-206-4.el7.x86_64
selinux-policy-3.12.1-70.el7.noarch

steps:
1. 
# virt-sandbox-service create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c45,c20 -N dhcp,source=default testbox3
Created sandbox container dir /var/lib/libvirt/filesystems/testbox3
Created unit file /etc/systemd/system/testbox3_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/testbox3/config/sandbox.cfg

2. chcon
# ll -Z /usr/bin/virt-sandbox-service 
-rwxr-xr-x. root root system_u:object_r:virsh_exec_t:s0 /usr/bin/virt-sandbox-service
# chcon -t bin_t /usr/bin/virt-sandbox-service
# ll -Z /usr/bin/virt-sandbox-service 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/virt-sandbox-service

3. start
# systemctl start testbox4_sandbox

# ausearch -m avc -ts today
<no matches>

4. reload
# systemctl reload testbox4_sandbox
Job for testbox4_sandbox.service failed. See 'systemctl status testbox4_sandbox.service' and 'journalctl -xn' for details.

# ausearch -m avc -ts today
----
time->Wed Aug 14 11:09:35 2013
type=SYSCALL msg=audit(1376449775.659:2331): arch=c000003e syscall=59 success=no exit=-13 a0=7fa29c81d110 a1=7fa29c8a0560 a2=7fffdeb931d8 a3=8 items=0 ppid=0 pid=1312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1376449775.659:2331): avc:  denied  { execute } for  pid=1312 comm="virsh" name="systemctl" dev="sda1" ino=1836883 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

5. use virt-sandbox-service reload
# /usr/bin/virt-sandbox-service -c lxc:/// reload -u httpd.service testbox4

# echo $?
0

# ausearch -m avc -ts today
----
time->Wed Aug 14 11:11:42 2013
type=SYSCALL msg=audit(1376449902.984:2339): arch=c000003e syscall=121 success=no exit=-13 a0=10 a1=a a2=7f5fd57dc020 a3=1 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 key=(null)
type=AVC msg=audit(1376449902.984:2339): avc:  denied  { getpgid } for  pid=1298 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tclass=process
----
time->Wed Aug 14 11:11:42 2013
type=SYSCALL msg=audit(1376449902.984:2340): arch=c000003e syscall=121 success=no exit=-13 a0=11 a1=a a2=7f5fd57dc118 a3=1 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 key=(null)
type=AVC msg=audit(1376449902.984:2340): avc:  denied  { getpgid } for  pid=1298 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tclass=process
----
time->Wed Aug 14 11:11:42 2013
type=SYSCALL msg=audit(1376449902.984:2341): arch=c000003e syscall=121 success=no exit=-13 a0=12 a1=a a2=7f5fd57dc210 a3=1 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 key=(null)
type=AVC msg=audit(1376449902.984:2341): avc:  denied  { getpgid } for  pid=1298 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tclass=process
----
time->Wed Aug 14 11:11:42 2013
type=SYSCALL msg=audit(1376449902.984:2342): arch=c000003e syscall=121 success=no exit=-13 a0=13 a1=a a2=7f5fd57dc308 a3=1 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 key=(null)
type=AVC msg=audit(1376449902.984:2342): avc:  denied  { getpgid } for  pid=1298 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tclass=process
----
time->Wed Aug 14 11:11:42 2013
type=SYSCALL msg=audit(1376449902.984:2343): arch=c000003e syscall=121 success=no exit=-13 a0=14 a1=a a2=7f5fd57dc400 a3=1 items=0 ppid=1 pid=1298 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 key=(null)
type=AVC msg=audit(1376449902.984:2343): avc:  denied  { getpgid } for  pid=1298 comm="httpd" scontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tcontext=system_u:system_r:svirt_lxc_net_t:s0:c20,c45 tclass=process

Comment 8 Daniel Walsh 2013-08-14 12:23:11 UTC
bace37d0ac767688aa0782188054d271f5a57c7c fixes this in git.
Both fixes will be in selinux-policy-3.12.1-71.el7

Comment 9 Wayne Sun 2013-10-08 07:26:07 UTC
pkgs:
libvirt-1.1.1-8.el7.x86_64
libvirt-sandbox-0.5.0-5.el7.x86_64
kernel-3.10.0-9.el7.x86_64
systemd-206-4.el7.x86_64
selinux-policy-3.12.1-86.el7.noarch

steps:
1. check type
# ll -Z /usr/bin/virt-sandbox-service 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/virt-sandbox-service
# restorecon -v /usr/bin/virt-sandbox-service

# ll -Z /usr/bin/virt-sandbox-service 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/virt-sandbox-service

2. start
# virt-sandbox-service create -C -u httpd.service -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c152,c11 -N dhcp,source=default testbox20
Created sandbox container dir /var/lib/libvirt/filesystems/testbox20
Created unit file /etc/systemd/system/testbox20_sandbox.service
Created sandbox config /etc/libvirt-sandbox/services/testbox20/config/sandbox.cfg

# systemctl start testbox20_sandbox

# systemctl status testbox20_sandbox
testbox20_sandbox.service - Secure Sandbox Container testbox20
   Loaded: loaded (/etc/systemd/system/testbox20_sandbox.service; disabled)
   Active: active (running) since Tue 2013-10-08 15:16:41 CST; 4s ago
 Main PID: 1074 (virt-sandbox-se)
   CGroup: /system.slice/testbox20_sandbox.service
           └─1074 /usr/libexec/virt-sandbox-service-util -c lxc:/// -s testbox20

Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target System Initialization.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Listening on D-Bus System Message Bus Socket.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Sockets.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Timers.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Basic System.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: Starting The Apache HTTP Server...
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: Starting Cleanup of Temporary Directories...
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Started Cleanup of Temporary Directories.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Started The Apache HTTP Server.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Sandbox multi-user target.

3. reload
3.1 using virt-sandbox-service
# virt-sandbox-service -c lxc:/// reload -u httpd.service testbox20

# echo $?
0

# systemctl status testbox20_sandbox
testbox20_sandbox.service - Secure Sandbox Container testbox20
   Loaded: loaded (/etc/systemd/system/testbox20_sandbox.service; disabled)
   Active: active (running) since Tue 2013-10-08 15:16:41 CST; 27s ago
 Main PID: 1074 (virt-sandbox-se)
   CGroup: /system.slice/testbox20_sandbox.service
           └─1074 /usr/libexec/virt-sandbox-service-util -c lxc:/// -s testbox20

Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target System Initialization.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Listening on D-Bus System Message Bus Socket.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Sockets.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Timers.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Basic System.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: Starting The Apache HTTP Server...
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: Starting Cleanup of Temporary Directories...
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Started Cleanup of Temporary Directories.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Started The Apache HTTP Server.
Oct 08 15:16:41 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[1074]: [  OK  ] Reached target Sandbox multi-user target.


no avc denial

so, no avc denial as in comment #7 now.

3.2 using systemctl reload
# systemctl reload testbox20_sandbox
Job for testbox20_sandbox.service failed. See 'systemctl status testbox20_sandbox.service' and 'journalctl -xn' for details.

# journalctl -xn
-- Logs begin at Wed 2013-07-31 19:56:06 CST, end at Tue 2013-10-08 15:20:08 CST. --
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.disable_ipv6 previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.sys_module previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.sshd_root previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.restorecon previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.dac_override previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.chrome previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.mozplugger previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.catchall_boolean previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com setroubleshoot[1399]: load_plugins() plugins.allow_ftpd_use_cifs previously imported
Oct 08 15:20:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com python[1399]: SELinux is preventing /usr/bin/systemctl from execute access on the file /usr/bin/systemc
                                                                       
                                                                       *****  Plugin catchall (100. confidence) suggests   **************************
                                                                       
                                                                       If you believe that systemctl should be allowed execute access on the systemctl file by d
                                                                       Then you should report this as a bug.
                                                                       You can generate a local policy module to allow this access.
                                                                       Do
                                                                       allow this access for now by executing:
                                                                       # grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
                                                                       # semodule -i mypol.pp

# vim /var/log/messages
...
Oct  8 15:20:08 ibm-x3850x5-04 setroubleshoot: SELinux is preventing /usr/bin/systemctl from execute access on the file /usr/bin/systemctl. For complete SELinux messages. run sealert -l 896fdd89-9bed-4e82-bd5b-f85ee0b63cb3

# sealert -l 896fdd89-9bed-4e82-bd5b-f85ee0b63cb3
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
SELinux is preventing /usr/bin/systemctl from execute access on the file /usr/bin/systemctl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed execute access on the systemctl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:virsh_t:s0
Target Context                system_u:object_r:systemd_systemctl_exec_t:s0
Target Objects                /usr/bin/systemctl [ file ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          ibm-x3850x5-04.qe.lab.eng.nay.redhat.com
Source RPM Packages           libvirt-client-1.1.1-8.el7.x86_64
Target RPM Packages           systemd-206-4.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-86.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-x3850x5-04.qe.lab.eng.nay.redhat.com
Platform                      Linux ibm-x3850x5-04.qe.lab.eng.nay.redhat.com
                              3.10.0-9.el7.x86_64 #1 SMP Tue Aug 13 14:35:28 EDT
                              2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-10-08 14:52:22 CST
Last Seen                     2013-10-08 15:20:06 CST
Local ID                      896fdd89-9bed-4e82-bd5b-f85ee0b63cb3
https://bugzilla.redhat.com/show_bug.cgi?id=990041
Raw Audit Messages
type=AVC msg=audit(1381216806.617:110998): avc:  denied  { execute } for  pid=1397 comm="virsh" name="systemctl" dev="sda1" ino=266870 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1381216806.617:110998): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f7b59da9630 a1=7f7b59e28fa0 a2=7fffbb191438 a3=8 items=0 ppid=0 pid=1397 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=virsh exe=/usr/bin/virsh subj=system_u:system_r:virsh_t:s0 key=(null)

Hash: systemctl,virsh_t,systemd_systemctl_exec_t,file,execute

Hi Daniel,

Should I file another bug for this newly found avc denial problem, or can we leave it here?

Comment 10 Daniel Walsh 2013-10-09 14:18:47 UTC
This is fine, can you run this in permissive mode and see what happens?

Comment 11 Wayne Sun 2013-10-10 03:37:02 UTC
(In reply to Daniel Walsh from comment #10)
> This is fine, can you run this in permissive mode and see what happens?

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

# systemctl reload testbox200_sandbox

# systemctl status testbox200_sandbox
testbox200_sandbox.service - Secure Sandbox Container testbox200
   Loaded: loaded (/etc/systemd/system/testbox200_sandbox.service; disabled)
   Active: active (running) (Result: exit-code) since Thu 2013-10-10 11:32:22 CST; 1min 54s ago
  Process: 22883 ExecReload=/usr/bin/virt-sandbox-service -c lxc:/// reload -u httpd.service testbox200 (code=exited, status=0/SUCCESS)
 Main PID: 22768 (virt-sandbox-se)
   CGroup: /system.slice/testbox200_sandbox.service
           └─22768 /usr/libexec/virt-sandbox-service-util -c lxc:/// -s testbox200

Oct 10 11:32:23 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[22768]: Starting The Apache HTTP Server...
Oct 10 11:32:23 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[22768]: Starting Cleanup of Temporary Directories...
Oct 10 11:32:23 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[22768]: [  OK  ] Started Cleanup of Temporary Directories.
Oct 10 11:32:23 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[22768]: [  OK  ] Started The Apache HTTP Server.
Oct 10 11:32:23 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com virt-sandbox-service-util[22768]: [  OK  ] Reached target Sandbox multi-user target.
Oct 10 11:33:43 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com systemd[1]: Reloading Secure Sandbox Container testbox200.
Oct 10 11:33:43 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com systemd[1]: testbox200_sandbox.service: control process exited, code=exited status=1
Oct 10 11:33:43 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com systemd[1]: Reload failed for Secure Sandbox Container testbox200.
Oct 10 11:34:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com systemd[1]: Reloading Secure Sandbox Container testbox200.
Oct 10 11:34:08 ibm-x3850x5-04.qe.lab.eng.nay.redhat.com systemd[1]: Reloaded Secure Sandbox Container testbox200.


Reload succeeds while in permissive mode, and the avc denial caught is:
----
time->Thu Oct 10 11:34:08 2013
type=SYSCALL msg=audit(1381376048.282:4705): arch=c000003e syscall=59 success=yes exit=0 a0=7fac53f8d630 a1=7fac5400cfa0 a2=7fffdb138068 a3=8 items=0 ppid=0 pid=22886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:svirt_lxc_net_t:s0:c11,c520 key=(null)
type=AVC msg=audit(1381376048.282:4705): avc:  denied  { read open } for  pid=22886 comm="virsh" path="/usr/bin/systemctl" dev="sda1" ino=266411 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1381376048.282:4705): avc:  denied  { execute } for  pid=22886 comm="virsh" name="systemctl" dev="sda1" ino=266411 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

Comment 12 Daniel Walsh 2013-10-10 16:48:22 UTC
bda8997d12a561975c7a4116ea7714f42e715fe2 fixes this in git.

Comment 13 Miroslav Grepl 2014-01-14 07:46:43 UTC
Has been added.

Comment 16 Ludek Smid 2014-06-13 11:53:06 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

