[Users] SELinux policy issue with oVirt/sanlock

Haim Ateya hateya at redhat.com
Wed Oct 24 17:03:39 UTC 2012 


----- Original Message -----
> From: "Brian Vetter" <bjvetter at gmail.com>
> To: "Haim Ateya" <hateya at redhat.com>
> Cc: users at ovirt.org, selinux at lists.fedoraproject.org
> Sent: Wednesday, October 24, 2012 6:24:31 PM
> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
> 
> I removed lock_manager=sanlock from the settings file, restarted the
> daemons, and all works fine right now. I'm guessing that means there
> is no locking of the VMs (the default?).
that's right, i'm glad it works for you, but it just a workaround since we expect this configuration to work, it would be much appreciated if you
could open a bug on that issue so we can track and resolve when possible.
please attach all required logs such as: vdsm.log, libvirtd.log, qemu.log (under /var/log/libvirt/qemu/), audit.log, sanlock.log and /var/log/messages.

thanks,

Haim
> 
> In any case, the setting of the lock_manager to sanlock was not done
> by myself but presumably via the host/vdsm installation on my fc17
> host. So if that is the desired setting, then there appears to be an
> issue with selinux policies, nfs storage for VMs, and sanlock that
> still needs to be resolved in the nightly builds.
> 
> Brian
> 
> On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote:
> 
> > ----- Original Message -----
> >> From: "Brian Vetter" <bjvetter at gmail.com>
> >> To: "Haim Ateya" <hateya at redhat.com>
> >> Cc: users at ovirt.org, selinux at lists.fedoraproject.org
> >> Sent: Wednesday, October 24, 2012 4:11:17 PM
> >> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
> >> 
> >> Here you go....
> >> 
> >> # getsebool -a | grep sanlock
> >> sanlock_use_fusefs --> off
> >> sanlock_use_nfs --> on
> >> sanlock_use_samba --> off
> >> virt_use_sanlock --> on
> >> 
> >> 
> >> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
> >> dynamic_ownership=0
> >> spice_tls=1
> >> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> >> lock_manager="sanlock"
> > 
> > this entry looks problematic to me (use sanlock as lock manager of
> > the vms), please comment this entry, restart libvirt and vdsm, and
> > try again.
> > 
> >> 
> >> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
> >> 
> >>> Hi Brian,
> >>> 
> >>> please run the following commands and paste your output:
> >>> 
> >>> getsetbool -a | grep sanlock
> >>> 
> >>> cat /etc/libvirt/qemu.conf
> >>> 
> >>> 
> >>> ----- Original Message -----
> >>>> From: "Brian Vetter" <bjvetter at gmail.com>
> >>>> To: selinux at lists.fedoraproject.org
> >>>> Cc: users at ovirt.org
> >>>> Sent: Wednesday, October 24, 2012 6:34:07 AM
> >>>> Subject: [Users] SELinux policy issue with oVirt/sanlock
> >>>> 
> >>>> I get the following AVC msg when trying to run a VM from the
> >>>> ovirt
> >>>> admin tool:
> >>>> 
> >>>> type=AVC msg=audit(1351051834.851:720): avc:  denied  { read }
> >>>> for
> >>>> pid=979 comm="sanlock"
> >>>> name="8798edc0-dbd2-466d-8be9-1997f63e196f"
> >>>> dev="dm-4" ino=3145737
> >>>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
> >>>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
> >>>> 
> >>>> The file it is attempting to read I believe (from the
> >>>> sanlock.log
> >>>> file) is the following:
> >>>> 
> >>>> # ls -lZ
> >>>> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >>>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
> >>>>     /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >>>> 
> >>>> I'm no SELinux policy expert, so I 'm not sure what is exactly
> >>>> wrong.
> >>>> The situation is that the VM image file is stored on an NFS file
> >>>> server (in this case, configured using NFSv3). Both the client
> >>>> and
> >>>> the server are fc17. The error occurs when trying to start the
> >>>> VM.
> >>>> The version of oVirt I am using is a recent nightly build
> >>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be
> >>>> making
> >>>> a wild guess that the sanlock process doesn't have rights to
> >>>> open
> >>>> some nfs resources but I'm way over the end of my skis.
> >>>> 
> >>>> Brian
> >>>> 
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> Users at ovirt.org
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>> 
> >> 
> >> 
> 
>

More information about the Users mailing list