[Users] SELinux policy issue with oVirt/sanlock

Brian Vetter bjvetter at gmail.com
Wed Oct 24 16:24:31 UTC 2012


I removed lock_manager=sanlock from the settings file, restarted the daemons, and all works fine right now. I'm guessing that means there is no locking of the VMs (the default?).

In any case, the setting of the lock_manager to sanlock was not done by myself but presumably via the host/vdsm installation on my fc17 host. So if that is the desired setting, then there appears to be an issue with selinux policies, nfs storage for VMs, and sanlock that still needs to be resolved in the nightly builds.

Brian

On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote:

> ----- Original Message -----
>> From: "Brian Vetter" <bjvetter at gmail.com>
>> To: "Haim Ateya" <hateya at redhat.com>
>> Cc: users at ovirt.org, selinux at lists.fedoraproject.org
>> Sent: Wednesday, October 24, 2012 4:11:17 PM
>> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
>> 
>> Here you go....
>> 
>> # getsebool -a | grep sanlock
>> sanlock_use_fusefs --> off
>> sanlock_use_nfs --> on
>> sanlock_use_samba --> off
>> virt_use_sanlock --> on
>> 
>> 
>> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
>> dynamic_ownership=0
>> spice_tls=1
>> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
>> lock_manager="sanlock"
> 
> this entry looks problematic to me (use sanlock as lock manager of the VMs); please comment out this entry, restart libvirt and vdsm, and try again.
> 
>> 
>> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
>> 
>>> Hi Brian,
>>> 
>>> please run the following commands and paste your output:
>>> 
>>> getsebool -a | grep sanlock
>>> 
>>> cat /etc/libvirt/qemu.conf
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Brian Vetter" <bjvetter at gmail.com>
>>>> To: selinux at lists.fedoraproject.org
>>>> Cc: users at ovirt.org
>>>> Sent: Wednesday, October 24, 2012 6:34:07 AM
>>>> Subject: [Users] SELinux policy issue with oVirt/sanlock
>>>> 
>>>> I get the following AVC msg when trying to run a VM from the ovirt
>>>> admin tool:
>>>> 
>>>> type=AVC msg=audit(1351051834.851:720): avc:  denied  { read } for
>>>> pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f"
>>>> dev="dm-4" ino=3145737
>>>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>>>> 
>>>> The file it is attempting to read I believe (from the sanlock.log
>>>> file) is the following:
>>>> 
>>>> # ls -lZ
>>>> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
>>>>     /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>>> 
>>>> I'm no SELinux policy expert, so I'm not sure what is exactly wrong.
>>>> The situation is that the VM image file is stored on an NFS file
>>>> server (in this case, configured using NFSv3). Both the client and
>>>> the server are fc17. The error occurs when trying to start the VM.
>>>> The version of oVirt I am using is a recent nightly build
>>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making
>>>> a wild guess that the sanlock process doesn't have rights to open
>>>> some nfs resources but I'm way over the end of my skis.
>>>> 
>>>> Brian
>>>> 
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>> 
>> 
>> 
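The AVC line in the original post says more than "sanlock can't read NFS": the denied object has tclass=lnk_file, tcontext type mnt_t and dev=dm-4 (a local device-mapper volume), and its name matches the 8798edc0-... path component under /rhev/data-center. So the object sanlock_t was refused is a symbolic link on local storage, not the nfs_t lease file, which is why sanlock_use_nfs being on does not help. The shell script below is an added example, not part of the thread or of oVirt/vdsm: it parses an AVC denial into its fields and lists every ancestor of a path so each component can be checked with ls -dZ or matchpathcon. The AVC_SAMPLE string is a constructed copy of the denial quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: decode an SELinux AVC denial and enumerate path components.
# Not code from the oVirt thread or project; function names are illustrative.

# Constructed copy of the denial quoted in the original post.
AVC_SAMPLE='type=AVC msg=audit(1351051834.851:720): avc:  denied  { read } for pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" dev="dm-4" ino=3145737 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file'

# avc_field LINE KEY -> value of KEY=value, with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list inside { ... } (e.g. "read").
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (user:role:type:range), e.g. sanlock_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> one-line reading of the denial: which domain was refused
# which permission on which object class carrying which type label.
avc_summary() {
    line=$1
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    printf '%s denied %s on %s labeled %s (comm=%s, dev=%s)\n' \
        "$sdom" "$(avc_perms "$line")" "$(avc_field "$line" tclass)" \
        "$ttype" "$(avc_field "$line" comm)" "$(avc_field "$line" dev)"
}

# path_prefixes PATH -> every ancestor of PATH, one per line. Because the
# denied object was a symlink somewhere along the path rather than the lease
# file itself, each prefix is what you would inspect with `ls -dZ` and compare
# against `matchpathcon` to find the component carrying the unexpected label.
path_prefixes() {
    p=${1#/}
    acc=
    while [ -n "$p" ]; do
        head=${p%%/*}
        acc="$acc/$head"
        printf '%s\n' "$acc"
        case $p in
            */*) p=${p#*/} ;;
            *)   p= ;;
        esac
    done
}

avc_summary "$AVC_SAMPLE"
path_prefixes /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f
```

On the affected host the same decoding is available from the standard tools: `ausearch -m avc -ts recent | audit2why` explains whether a boolean or a missing policy rule is involved, and `ls -dZ` on each prefix printed by path_prefixes shows which component is labeled mnt_t. Whether relabeling that symlink or a policy change is the right fix is for the policy maintainers; the script only isolates what was denied.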