[Users] SELinux policy issue with oVirt/sanlock

Haim Ateya hateya at redhat.com
Wed Oct 24 14:51:58 UTC 2012 


----- Original Message -----
> From: "Brian Vetter" <bjvetter at gmail.com>
> To: "Haim Ateya" <hateya at redhat.com>
> Cc: users at ovirt.org, selinux at lists.fedoraproject.org
> Sent: Wednesday, October 24, 2012 4:11:17 PM
> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
> 
> Here you go....
> 
> # getsebool -a | grep sanlock
> sanlock_use_fusefs --> off
> sanlock_use_nfs --> on
> sanlock_use_samba --> off
> virt_use_sanlock --> on
> 
> 
> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
> dynamic_ownership=0
> spice_tls=1
> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> lock_manager="sanlock"

this entry looks problematic to me (use sanlock as lock manager of the vms), please comment this entry, restart libvirt and vdsm, and try again.

> 
> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
> 
> > Hi Brian,
> > 
> > please run the following commands and paste your output:
> > 
> > getsetbool -a | grep sanlock
> > 
> > cat /etc/libvirt/qemu.conf
> > 
> > 
> > ----- Original Message -----
> >> From: "Brian Vetter" <bjvetter at gmail.com>
> >> To: selinux at lists.fedoraproject.org
> >> Cc: users at ovirt.org
> >> Sent: Wednesday, October 24, 2012 6:34:07 AM
> >> Subject: [Users] SELinux policy issue with oVirt/sanlock
> >> 
> >> I get the following AVC msg when trying to run a VM from the ovirt
> >> admin tool:
> >> 
> >> type=AVC msg=audit(1351051834.851:720): avc:  denied  { read } for
> >> pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f"
> >> dev="dm-4" ino=3145737
> >> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
> >> 
> >> The file it is attempting to read I believe (from the sanlock.log
> >> file) is the following:
> >> 
> >> # ls -lZ
> >> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
> >>      /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >> 
> >> I'm no SELinux policy expert, so I 'm not sure what is exactly
> >> wrong.
> >> The situation is that the VM image file is stored on an NFS file
> >> server (in this case, configured using NFSv3). Both the client and
> >> the server are fc17. The error occurs when trying to start the VM.
> >> The version of oVirt I am using is a recent nightly build
> >> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be
> >> making
> >> a wild guess that the sanlock process doesn't have rights to open
> >> some nfs resources but I'm way over the end of my skis.
> >> 
> >> Brian
> >> 
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >> 
> 
>

More information about the Users mailing list