Bug 990509 - Current selinux policy prevents running a VM with volumes under /var/run/vdsm/storage
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 998663 1004670 1005950
Reported: 2013-07-31 06:40 EDT by Eduardo Warszawski
Modified: 2014-04-07 19:19 EDT
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Clone Of: 977856
Clones: 998663 1005950
Last Closed: 2013-08-21 20:52:17 EDT
Type: Bug
Attachments:
audit logs + vdsm log (1.63 MB, application/x-gzip), 2013-08-07 11:17 EDT, Elad

Description Eduardo Warszawski 2013-07-31 06:40:42 EDT
Description of problem:
We would like to run VMs based on volumes placed under vdsm's own /var/run/vdsm directory, currently in parallel to the current trade-mark breaching /rhev/data-center location.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch

How reproducible: 100%
Comment 1 Daniel Walsh 2013-07-31 08:24:06 EDT
What avcs are you getting?
Comment 2 Dan Kenigsberg 2013-08-01 04:00:15 EDT
I've removed this bug from the ovirt-3.3 tracker since it is strictly required for the "hosted engine" feature that is not part of 3.3.
Comment 3 Eduardo Warszawski 2013-08-07 11:00:50 EDT
(In reply to Daniel Walsh from comment #1)
> What avcs are you getting?

Elad, from QE, will send you the logs.

The error is a permission error, and with setenforce set to permissive the VM can start.
Comment 4 Elad 2013-08-07 11:17:46 EDT
Created attachment 783972
audit logs + vdsm log

logs attached
Comment 5 Daniel Walsh 2013-08-07 13:51:35 EDT
bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to read symlinks in /var/run
Comment 6 Miroslav Grepl 2013-08-08 08:13:29 EDT
Back ported.
Comment 7 Elad 2013-08-11 10:36:57 EDT
(In reply to Daniel Walsh from comment #5)
> bc9f14a7929ce854f607473cffebee5c67842616 fixes the ability for svirt_t to
> read symlinks in /var/run

On what official version can I check it?
Comment 9 Miroslav Grepl 2013-08-19 11:33:58 EDT
It has been fixed in -70.fc19. You can test it using

http://koji.fedoraproject.org/koji/buildinfo?buildID=455209

build for now until a new update.
Comment 10 Sandro Bonazzola 2013-08-20 02:44:45 EDT
(In reply to Miroslav Grepl from comment #9)
> It has been fixed in -70.fc19. You can test it using
> 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=455209
> 
> build for now until a new update.

Can you push it also on fc18?
Comment 11 Fedora Update System 2013-08-20 04:25:32 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 12 Fedora Update System 2013-08-20 20:14:42 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2013-08-21 20:52:17 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
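
Comment 1 asks which AVCs are being logged, and comment 5 identifies the denial as svirt_t reading symlinks in /var/run. As an added example (not part of the bug thread or of the selinux-policy project), the following Python groups AVC denials from audit log text by source type, target type and object class. The sample log lines, including the var_run_t target type, names and PIDs, are constructed assumptions and are not taken from the attached logs.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (NOT from the bug's attachment). Target type,
# file names and PIDs are assumptions resembling the denial named in comment 5.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1375888000.101:410): avc:  denied  { read } for  pid=4211 comm="qemu-kvm" name="disk0" dev="tmpfs" ino=30211 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=AVC msg=audit(1375888000.102:411): avc:  denied  { read } for  pid=4211 comm="qemu-kvm" name="disk1" dev="tmpfs" ino=30212 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1375888000.102:411): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
type=AVC msg=audit(1375888050.500:420): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/srv/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

# Permissions, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type=None):
    """Map (source type, target type, class) -> {'perms': set, 'count': int}."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m:
            continue  # AVC record that is not a denial, or malformed
        src = selinux_type(m.group("scon"))
        if source_type and src != source_type:
            continue  # caller asked for one confined domain only
        key = (src, selinux_type(m.group("tcon")), m.group("tclass"))
        summary[key]["perms"].update(m.group("perms").split())
        summary[key]["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize_denials(SAMPLE_AUDIT_LOG, "svirt_t").items():
        perms = " ".join(sorted(info["perms"]))
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} x{info['count']}")
```

The grouped key (source type, target type, class) plus the permission set is the information a policy maintainer needs to judge whether a denial is a policy gap or a mislabeled file.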
