Bug 990509 - Current selinux policy prevents running a VM with volumes under /var/run/vdsm/storage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 998663 1004670 1005950
Reported: 2013-07-31 10:40 UTC by Eduardo Warszawski
Modified: 2014-04-07 23:19 UTC (History)
CC: 14 users

Fixed In Version: selinux-policy-3.12.1-71.fc19
Clone Of: 977856
Clones: 998663 1005950
Environment:
Last Closed: 2013-08-22 00:52:17 UTC
Type: Bug
Embargoed:


Attachments
audit logs + vdsm log (1.63 MB, application/x-gzip)
2013-08-07 15:17 UTC, Elad

Description Eduardo Warszawski 2013-07-31 10:40:42 UTC
Description of problem:
We would like to run VMs based on volumes placed under vdsm's own /var/run/vdsm directory, currently in parallel to the current trade-mark breaching /rhev/data-center location.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible: 100%

Comment 1 Daniel Walsh 2013-07-31 12:24:06 UTC
What avcs are you getting?

Comment 2 Dan Kenigsberg 2013-08-01 08:00:15 UTC
I've removed this bug from the ovirt-3.3 tracker since it is strictly required for the "hosted engine" feature that is not part of 3.3.

Comment 3 Eduardo Warszawski 2013-08-07 15:00:50 UTC
(In reply to Daniel Walsh from comment #1)
> What avcs are you getting?

Elad, from QE, will send you the logs.

The error is a permission error, and after running setenforce permissive the VM can start.

Comment 4 Elad 2013-08-07 15:17:46 UTC
Created attachment 783972 [details]
audit logs + vdsm log

logs attached

Comment 5 Daniel Walsh 2013-08-07 17:51:35 UTC
bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to read symlinks in /var/run

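As an added example (not part of this bug report, the attached logs, or the selinux-policy project), the shell below does the triage that comment 3's permissive-mode workaround skips: it reads audit records, summarizes every AVC denial as source type, target type, target class and permissions, and then isolates the pattern this bug is about, an svirt_t domain denied read on a symlink (tclass=lnk_file). The audit lines embedded in the script are constructed samples in the standard audit.log format, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or from selinux-policy.
# Triage AVC denials of the kind this bug describes: a confined qemu
# process (svirt_t) denied read on a symlink (tclass=lnk_file) under
# /var/run.  The records below are CONSTRUCTED samples in audit.log
# format; they are not taken from the attached logs.

SAMPLE_AUDIT='type=AVC msg=audit(1375888000.123:4567): avc:  denied  { read } for  pid=12345 comm="qemu-kvm" name="11111111-2222-3333-4444-555555555555" dev="tmpfs" ino=99 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=AVC msg=audit(1375888001.456:4568): avc:  denied  { open } for  pid=12345 comm="qemu-kvm" path="/var/run/vdsm/storage/example" dev="tmpfs" ino=100 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1375888002.789:4569): avc:  granted  { read } for  pid=999 comm="vdsm" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file'

# avc_input [FILE]: emit audit records from FILE, or the constructed
# samples when no file is given, so the example runs stand-alone.
avc_input() {
  if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_AUDIT"; fi
}

# summarize_denials [FILE]: one line per denied AVC record, formatted as
# "<source type> <target type> <target class> <permissions>".
summarize_denials() {
  avc_input "$1" | awk '
    /avc:  denied/ {
      perms = ""; stype = ""; ttype = ""; tclass = ""
      # the permission set is the brace group, e.g. "{ read }" or "{ read open }"
      if (match($0, /\{ [^}]* \}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # third colon-separated field of a context is the SELinux type
        if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      print stype, ttype, tclass, perms
    }'
}

# svirt_symlink_denials [FILE]: only the denials matching this bug
# (svirt_t source, lnk_file target class, read among the permissions).
svirt_symlink_denials() {
  summarize_denials "$1" | awk '
    $1 == "svirt_t" && $3 == "lnk_file" {
      for (i = 4; i <= NF; i++) if ($i == "read") { print; break }
    }'
}

# count_svirt_symlink_denials [FILE]: number of such denials; expected to
# be 0 on a host running the fixed policy in enforcing mode.
count_svirt_symlink_denials() {
  svirt_symlink_denials "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed samples.
summarize_denials
echo "svirt_t symlink read denials: $(count_svirt_symlink_denials)"
```

On a real host the same functions take a file argument, so `ausearch -m AVC -ts recent > /tmp/avc.log` followed by `count_svirt_symlink_denials /tmp/avc.log` checks, with the host left in enforcing mode, whether the lnk_file denial still appears after installing the -70/-71.fc19 policy; a non-zero count while the VM fails to start means the policy on the host does not yet carry the fix, and a zero count with a still-failing VM points at a different denial that `summarize_denials` will list.
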
Comment 6 Miroslav Grepl 2013-08-08 12:13:29 UTC
Back ported.

Comment 7 Elad 2013-08-11 14:36:57 UTC
(In reply to Daniel Walsh from comment #5)
> bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to
> read symlinks in /var/run

On what official version can I check it?

Comment 9 Miroslav Grepl 2013-08-19 15:33:58 UTC
It has been fixed in -70.fc19. You can test it using

http://koji.fedoraproject.org/koji/buildinfo?buildID=455209

build for now until a new update.

Comment 10 Sandro Bonazzola 2013-08-20 06:44:45 UTC
(In reply to Miroslav Grepl from comment #9)
> It has been fixed in -70.fc19. You can test it using
> 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=455209
> 
> build for now until a new update.

Can you push it also on fc18?

Comment 11 Fedora Update System 2013-08-20 08:25:32 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 12 Fedora Update System 2013-08-21 00:14:42 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-08-22 00:52:17 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

