[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy
Perry N. Myers
pmyers at redhat.com
Thu Oct 9 04:28:06 UTC 2008
Jim Meyering wrote:
> ovirt-node needs SELinux policy to allow qemu to access the iSCSI block
> devices. This is done presently via a script during install, but it
> should be done by a subpackage of ovirt-node called ovirt-node-selinux.
> Follow the Fedora guidelines for this located at:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>
> * Makefile.am (EXTRA_DIST): Add ovirt-node-selinux.te.
> * ovirt-node-selinux.te: New file, with contents from...
> * ovirt-listen-awake/ovirt-install-node: ...here. Remove policy
> definition and semodule-running code.
> * ovirt-node.spec.in: Update per the above wiki URL.
This seems to work for me. I'm able to successfully boot a VM using iSCSI
storage and SELinux isn't blocking access to the storage with this policy
applied.
However... I see other errors in dmesg that are SELinux related. This
might bear looking into:
> type=1400 audit(1223526055.374:4): avc: denied { read } for pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> type=1400 audit(1223526055.374:5): avc: denied { read } for pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> Not cloning cgroup for unused subsystem ns
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> scsi6 : iSCSI Initiator over TCP/IP
> scsi 6:0:0:0: RAID IET Controller 0001 PQ: 0 ANSI: 5
> scsi 6:0:0:0: Attached scsi generic sg2 type 12
> scsi 6:0:0:1: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdb: unknown partition table
> type=1400 audit(1223526138.070:6): avc: denied { search } for pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.070:7): avc: denied { search } for pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:1: [sdb] Attached SCSI disk
> sd 6:0:0:1: Attached scsi generic sg3 type 0
> scsi 6:0:0:2: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdc: unknown partition table
> type=1400 audit(1223526138.084:8): avc: denied { search } for pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.084:9): avc: denied { search } for pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:2: [sdc] Attached SCSI disk
> sd 6:0:0:2: Attached scsi generic sg4 type 0
> scsi 6:0:0:3: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdd: unknown partition table
> type=1400 audit(1223526138.098:10): avc: denied { search } for pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.098:11): avc: denied { search } for pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:3: [sdd] Attached SCSI disk
> sd 6:0:0:3: Attached scsi generic sg5 type 0
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:1: [sdb] Synchronizing SCSI cache
> sd 6:0:0:2: [sdc] Synchronizing SCSI cache
> sd 6:0:0:3: [sdd] Synchronizing SCSI cache
> scsi7 : iSCSI Initiator over TCP/IP
> scsi 7:0:0:0: RAID IET Controller 0001 PQ: 0 ANSI: 5
> scsi 7:0:0:0: Attached scsi generic sg2 type 12
> scsi 7:0:0:1: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdb: unknown partition table
> type=1400 audit(1223526199.621:12): avc: denied { search } for pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.621:13): avc: denied { search } for pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:1: [sdb] Attached SCSI disk
> sd 7:0:0:1: Attached scsi generic sg3 type 0
> scsi 7:0:0:2: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdc: unknown partition table
> type=1400 audit(1223526199.636:14): avc: denied { search } for pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.636:15): avc: denied { search } for pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:2: [sdc] Attached SCSI disk
> sd 7:0:0:2: Attached scsi generic sg4 type 0
> scsi 7:0:0:3: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sdd: unknown partition table
> type=1400 audit(1223526199.649:16): avc: denied { search } for pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.649:17): avc: denied { search } for pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:3: [sdd] Attached SCSI disk
> sd 7:0:0:3: Attached scsi generic sg5 type 0
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> tun: Universal TUN/TAP device driver, 1.6
> tun: (C) 1999-2004 Max Krasnyansky <maxk at qualcomm.com>
> device vnet0 entered promiscuous mode
> ovirtbr0: port 2(vnet0) entering learning state
> ovirtbr0: topology change detected, propagating
> ovirtbr0: port 2(vnet0) entering forwarding state
> vnet0: no IPv6 routers present
> kvm: emulating exchange as write
> [root at node123 ~]# df
> Filesystem 1K-blocks Used Available Use% Mounted on
> /dev/mapper/live-rw 554336 199904 348824 37% /
> tmpfs 1880100 0 1880100 0% /dev/shm
> [root at node123 ~]# virsh pool-list
> Name State Autostart
> -----------------------------------------
> NXk142Ob3yPtJwHp active no
>
> [root at node123 ~]# virsh pool-dumpxml
> error: command 'pool-dumpxml' requires <pool> option
> [root at node123 ~]# virsh pool-dumpxml NXk142Ob3yPtJwHp
> <pool type='iscsi'>
> <name>NXk142Ob3yPtJwHp</name>
> <uuid>2d075063-164a-e19d-de69-a142eac7b009</uuid>
> <capacity>9663676416</capacity>
> <allocation>9663676416</allocation>
> <available>0</available>
> <source>
> <host name='192.168.50.2'/>
> <device path='ovirtpriv:storage'>
> </device>
> </source>
> <target>
> <path>/dev/disk/by-id</path>
> <permissions>
> <mode>0700</mode>
> <owner>0</owner>
> <group>0</group>
> </permissions>
> </target>
> </pool>
Perry
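The AVC denials Perry points at are easy to lose in the repeated SCSI attach lines. As an added example (not part of this thread or of ovirt-node), here is a small Python triage script that parses the kernel's `type=1400 ... avc: denied` lines and groups them by source type, target type, object class and permission, so the two distinct denials (mount_t reading an initrc_tmp_t directory, iscsid_t searching debugfs_t) stand out from the noise. The sample is constructed from lines copied out of the dmesg above, with the mail-quoting `> ` prefix left in place.

```python
import re
from collections import defaultdict

# Constructed sample: AVC and non-AVC lines copied from the dmesg quoted above.
SAMPLE_DMESG = """\
> type=1400 audit(1223526055.374:4): avc: denied { read } for pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> type=1400 audit(1223526055.374:5): avc: denied { read } for pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> scsi6 : iSCSI Initiator over TCP/IP
> sdb: unknown partition table
> type=1400 audit(1223526138.070:6): avc: denied { search } for pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.070:7): avc: denied { search } for pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.621:12): avc: denied { search } for pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.621:13): avc: denied { search } for pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
"""

# Classic kernel AVC format (one or more spaces around "denied" are tolerated).
AVC_RE = re.compile(
    r'type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+) \} for +(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line.lstrip('> ').strip())
    if not m:
        return None
    rec = {'ts': float(m.group('ts')), 'serial': int(m.group('serial')),
           'perms': tuple(sorted(m.group('perms').split()))}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Reduce the full context (user:role:type:level) to just the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class, perms) with counts and details."""
    groups = defaultdict(lambda: {'count': 0, 'comms': set(), 'pids': set(), 'names': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'], rec['perms'])]
        g['count'] += 1
        g['comms'].add(rec['comm'])
        g['pids'].add(rec['pid'])
        g['names'].add(rec['name'])
    return dict(groups)

if __name__ == '__main__':
    for key, g in summarize(SAMPLE_DMESG.splitlines()).items():
        print(key, g['count'], sorted(g['comms']), sorted(g['names']))
```

Each resulting key maps directly onto one allow rule a policy module would need, which is the question to settle before extending ovirt-node-selinux.te: whether the denial belongs to this package or to the distribution's mount/iscsid policy.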