
----- Original Message -----
From: "Brian Vetter" <bjvetter@gmail.com>
To: "Haim Ateya" <hateya@redhat.com>
Cc: users@ovirt.org, selinux@lists.fedoraproject.org
Sent: Wednesday, October 24, 2012 4:11:17 PM
Subject: Re: [Users] SELinux policy issue with oVirt/sanlock

Here you go....

# getsebool -a | grep sanlock
sanlock_use_fusefs --> off
sanlock_use_nfs --> on
sanlock_use_samba --> off
virt_use_sanlock --> on

# grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
dynamic_ownership=0
spice_tls=1
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"

This entry looks problematic to me (use sanlock as lock manager of the VMs); please comment this entry, restart libvirt and vdsm, and try again.

On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
Hi Brian,
Please run the following commands and paste your output:
getsebool -a | grep sanlock
cat /etc/libvirt/qemu.conf
----- Original Message -----
From: "Brian Vetter" <bjvetter@gmail.com>
To: selinux@lists.fedoraproject.org
Cc: users@ovirt.org
Sent: Wednesday, October 24, 2012 6:34:07 AM
Subject: [Users] SELinux policy issue with oVirt/sanlock

I get the following AVC msg when trying to run a VM from the ovirt admin tool:
type=AVC msg=audit(1351051834.851:720): avc: denied { read } for pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" dev="dm-4" ino=3145737 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
The file it is attempting to read I believe (from the sanlock.log file) is the following:
# ls -lZ /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
-rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0 /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
I'm no SELinux policy expert, so I'm not sure what is exactly wrong. The situation is that the VM image file is stored on an NFS file server (in this case, configured using NFSv3). Both the client and the server are fc17. The error occurs when trying to start the VM. The version of oVirt I am using is a recent nightly build (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making a wild guess that the sanlock process doesn't have rights to open some nfs resources, but I'm way over the end of my skis.
Brian