
Hi,
I found an issue with an SELinux denial trying to deploy hosted-engine from oVirt 3.5.1 on fedora 20 with libvirtd from @updates
The issue is:
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
and /dev/vport2p1 seems to be badly labeled:
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
I was using:
libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates
selinux-policy.noarch 3.12.1-197.fc20 @updates
selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?
ciao,
Simone
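The audit event quoted above is the standard three-record shape ausearch prints for an AVC denial (PROCTITLE, SYSCALL, AVC sharing one serial). The parser below is an added example, not code from the mail or from oVirt, libvirt or the SELinux project: it takes the records exactly as pasted in the report, groups them by serial, decodes the hex PROCTITLE (which for this event reads `/sbin/ldconfig -p`), extracts the source type, target type, class and permission from the AVC record, and renders the one-line allow rule audit2allow would derive from it. The rule is produced for triage only; as the thread goes on to say, the device (or the process) is carrying the wrong label, so a local module granting ldconfig_t write on every virtio_device_t chr_file would paper over the real problem rather than fix it. The field regexes and function names are this example's own assumptions about the record format, based on the fields visible in the event.

```python
"""Parse the PROCTITLE/SYSCALL/AVC audit records from the report.

Added example: the records in AUDIT_LOG are copied verbatim from the
thread; all parsing and rule-rendering code is this example's own and is
not a tool shipped by oVirt, libvirt, or the SELinux userspace.
"""
import re
from collections import defaultdict

# One audit event (serial 914) as ausearch printed it, copied from the mail.
AUDIT_LOG = """\
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
"""

# Assumed record grammar: key=value pairs where a value is quoted,
# parenthesised (tty=(none), key=(null)) or a bare token.
_MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_PERMS_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_record(line):
    """Return the key=value fields of one audit record as a dict.

    Quotes are stripped from quoted values. The AVC permission set sits
    inside braces, which the generic regex cannot capture, so it is
    exposed separately as 'verdict' and 'perms' (a list).
    """
    fields = {}
    m = _MSG_RE.search(line)
    if m:
        fields["serial"] = int(m.group("serial"))
        fields["timestamp"] = float(m.group("ts"))
    for key, value in _KV_RE.findall(line):
        if key == "msg":
            continue
        fields[key] = value.strip('"')
    m = _PERMS_RE.search(line)
    if m:
        fields["verdict"] = m.group("verdict")
        fields["perms"] = m.group("perms").split()
    return fields


def group_events(log):
    """Group records by audit serial so the AVC record can be read next
    to the SYSCALL and PROCTITLE records of the same event. Separator
    lines such as 'time->...' and '----' from ausearch are skipped."""
    events = defaultdict(dict)
    for line in log.splitlines():
        if not line.startswith("type="):
            continue
        rec = parse_record(line)
        events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded, with NUL between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def selinux_type(context):
    """'system_u:system_r:ldconfig_t:s0' -> 'ldconfig_t'"""
    return context.split(":")[2]


def summarize(event):
    """Collapse one event into the fields a policy triage needs."""
    avc = event["AVC"]
    proc = event.get("PROCTITLE")
    return {
        "verdict": avc["verdict"],
        "perms": avc["perms"],
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "path": avc.get("path"),
        "enforcing": avc.get("permissive") == "0",
        "cmdline": decode_proctitle(proc["proctitle"]) if proc else None,
    }


def allow_rule(summary):
    """Render the allow rule audit2allow would derive for this denial.

    For triage only: here the thread's conclusion is a labeling problem,
    so shipping this rule in a local module would hide the bug, not fix it.
    """
    perms = summary["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        summary["source_type"], summary["target_type"],
        summary["tclass"], perm_str)


if __name__ == "__main__":
    for serial, event in sorted(group_events(AUDIT_LOG).items()):
        s = summarize(event)
        print(serial, s)
        print(allow_rule(s))
```

On a live host the same function accepts the raw output of `ausearch -m avc -ts recent` unchanged, since it ignores the `time->` and `----` separator lines; the summary is what to compare against `ls -Z` on the path and the expected label for the process before deciding, as the thread does, whether the fix belongs in the labeling (libvirt/selinux-policy) rather than in an allow rule.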

----- Original Message -----
From: "Simone Tiraboschi" <stirabos@redhat.com> To: devel@ovirt.org Sent: Wednesday, April 1, 2015 12:38:16 PM Subject: [ovirt-devel] SELinux issue with f20 libvirtd
Hi, I found an issue with an SELinux denial trying to deploy hosted-engine from oVirt 3.5.1 on fedora 20 with libvirtd from @updates
The issue is:
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
and /dev/vport2p1 seems to be badly labeled:
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
I was using:
libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates
selinux-policy.noarch 3.12.1-197.fc20 @updates
selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?
I think you should open a bug for libvirt and/or selinux. This is probably an SELinux issue, but libvirt guys should be in the loop.
If the platform cannot provide a fix for fedora 20, we can require virt-preview.
Adding Eric who can give a better answer.
Nir

On 04/01/2015 09:58 AM, Nir Soffer wrote:
and /dev/vport2p1 seems to be badly labeled: crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
I was using: libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates selinux-policy.noarch 3.12.1-197.fc20 @updates selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?
I think you should open a bug for libvirt and/or selinux. This is probably an SELinux issue, but libvirt guys should be in the loop.
I'm not sure if there have been any libvirt patches between 1.1.3 and 1.2.9 that affect libvirt labeling, or if it is a selinux problem. But if there was a libvirt patch, we can certainly backport it to F20 with a BZ.
If the platform cannot provide a fix for fedora 20, we can require virt-preview.
Adding Eric who can give a better answer.
Nir
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

----- Original Message -----
From: "Eric Blake" <eblake@redhat.com> To: "Nir Soffer" <nsoffer@redhat.com>, "Simone Tiraboschi" <stirabos@redhat.com> Cc: devel@ovirt.org Sent: Wednesday, April 1, 2015 6:04:18 PM Subject: Re: [ovirt-devel] SELinux issue with f20 libvirtd
On 04/01/2015 09:58 AM, Nir Soffer wrote:
and /dev/vport2p1 seems to be badly labeled: crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
I was using: libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates selinux-policy.noarch 3.12.1-197.fc20 @updates selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?
I think you should open a bug for libvirt and/or selinux. This is probably an SELinux issue, but libvirt guys should be in the loop.
I'm not sure if there have been any libvirt patches between 1.1.3 and 1.2.9 that affect libvirt labeling, or if it is a selinux problem. But if there was a libvirt patch, we can certainly backport it to F20 with a BZ.
Thanks, it's probably a bit more complex: I was running it in a nested environment, also using the oVirt guest agent on the VM where I was deploying hosted-engine, and /dev/vport2p1 is used by the guest agent to communicate with the physical host.
Not sure why, but I got a denial for /usr/sbin/ldconfig trying to access it, and this is enough to prevent libvirtd from starting the engine VM.
I'm not sure, but I think that it's not reproducible on a physical environment.
I opened a bug to track it: https://bugzilla.redhat.com/show_bug.cgi?id=1208138
If the platform cannot provide a fix for fedora 20, we can require virt-preview.
Adding Eric who can give a better answer.
Nir
participants (3)
- Eric Blake
- Nir Soffer
- Simone Tiraboschi