[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

Perry N. Myers pmyers at redhat.com
Thu Oct 9 04:28:06 UTC 2008


Jim Meyering wrote:
> ovirt-node needs SELinux policy to allow qemu to access the iSCSI block
> devices. This is done presently via a script during install, but it
> should be done by a subpackage of ovirt-node called ovirt-node-selinux.
> Follow the Fedora guidelines for this located at:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
> 
> * Makefile.am (EXTRA_DIST): Add ovirt-node-selinux.te.
> * ovirt-node-selinux.te: New file, with contents from...
> * ovirt-listen-awake/ovirt-install-node: ...here.  Remove policy
> definition and semodule-running code.
> * ovirt-node.spec.in: Update per the above wiki URL.

This seems to work for me.  I'm able to successfully boot a VM using iSCSI 
storage and SELinux isn't blocking access to the storage with this policy 
applied.

However...  I see other errors in dmesg that are SELinux related.  This 
might bear looking into:

> type=1400 audit(1223526055.374:4): avc:  denied  { read } for  pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> type=1400 audit(1223526055.374:5): avc:  denied  { read } for  pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> Not cloning cgroup for unused subsystem ns
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> scsi6 : iSCSI Initiator over TCP/IP
> scsi 6:0:0:0: RAID              IET      Controller       0001 PQ: 0 ANSI: 5
> scsi 6:0:0:0: Attached scsi generic sg2 type 12
> scsi 6:0:0:1: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdb: unknown partition table
> type=1400 audit(1223526138.070:6): avc:  denied  { search } for  pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.070:7): avc:  denied  { search } for  pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:1: [sdb] Attached SCSI disk
> sd 6:0:0:1: Attached scsi generic sg3 type 0
> scsi 6:0:0:2: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdc: unknown partition table
> type=1400 audit(1223526138.084:8): avc:  denied  { search } for  pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.084:9): avc:  denied  { search } for  pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:2: [sdc] Attached SCSI disk
> sd 6:0:0:2: Attached scsi generic sg4 type 0
> scsi 6:0:0:3: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdd: unknown partition table
> type=1400 audit(1223526138.098:10): avc:  denied  { search } for  pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526138.098:11): avc:  denied  { search } for  pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 6:0:0:3: [sdd] Attached SCSI disk
> sd 6:0:0:3: Attached scsi generic sg5 type 0
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 6:0:0:1: [sdb] Synchronizing SCSI cache
> sd 6:0:0:2: [sdc] Synchronizing SCSI cache
> sd 6:0:0:3: [sdd] Synchronizing SCSI cache
> scsi7 : iSCSI Initiator over TCP/IP
> scsi 7:0:0:0: RAID              IET      Controller       0001 PQ: 0 ANSI: 5
> scsi 7:0:0:0: Attached scsi generic sg2 type 12
> scsi 7:0:0:1: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdb: unknown partition table
> type=1400 audit(1223526199.621:12): avc:  denied  { search } for  pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.621:13): avc:  denied  { search } for  pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:1: [sdb] Attached SCSI disk
> sd 7:0:0:1: Attached scsi generic sg3 type 0
> scsi 7:0:0:2: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdc: unknown partition table
> type=1400 audit(1223526199.636:14): avc:  denied  { search } for  pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.636:15): avc:  denied  { search } for  pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:2: [sdc] Attached SCSI disk
> sd 7:0:0:2: Attached scsi generic sg4 type 0
> scsi 7:0:0:3: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
>  sdd: unknown partition table
> type=1400 audit(1223526199.649:16): avc:  denied  { search } for  pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> type=1400 audit(1223526199.649:17): avc:  denied  { search } for  pid=2852 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
> sd 7:0:0:3: [sdd] Attached SCSI disk
> sd 7:0:0:3: Attached scsi generic sg5 type 0
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
> tun: Universal TUN/TAP device driver, 1.6
> tun: (C) 1999-2004 Max Krasnyansky <maxk at qualcomm.com>
> device vnet0 entered promiscuous mode
> ovirtbr0: port 2(vnet0) entering learning state
> ovirtbr0: topology change detected, propagating
> ovirtbr0: port 2(vnet0) entering forwarding state
> vnet0: no IPv6 routers present
> kvm: emulating exchange as write
> [root at node123 ~]# df
> Filesystem           1K-blocks      Used Available Use% Mounted on
> /dev/mapper/live-rw     554336    199904    348824  37% /
> tmpfs                  1880100         0   1880100   0% /dev/shm
> [root at node123 ~]# virsh pool-list
> Name                 State      Autostart 
> -----------------------------------------
> NXk142Ob3yPtJwHp     active     no        
> 
> [root at node123 ~]# virsh pool-dumpxml
> error: command 'pool-dumpxml' requires <pool> option
> [root at node123 ~]# virsh pool-dumpxml NXk142Ob3yPtJwHp
> <pool type='iscsi'>
>   <name>NXk142Ob3yPtJwHp</name>
>   <uuid>2d075063-164a-e19d-de69-a142eac7b009</uuid>
>   <capacity>9663676416</capacity>
>   <allocation>9663676416</allocation>
>   <available>0</available>
>   <source>
>     <host name='192.168.50.2'/>
>     <device path='ovirtpriv:storage'>
>     </device>
>   </source>
>   <target>
>     <path>/dev/disk/by-id</path>
>     <permissions>
>       <mode>0700</mode>
>       <owner>0</owner>
>       <group>0</group>
>     </permissions>
>   </target>
> </pool>

Perry
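The denials Perry flags as worth a look are the kind a policy writer first collapses into the minimal rule set, then judges one by one (allow, dontaudit, or fix the labels). The script below is an added example for this thread, not ovirt-node code and not the patch under review: it does offline what `audit2allow -M` does, over the AVC records copied from the dmesg dump above and embedded as a constructed sample. The module name `ovirt_node_local` and the script name `avc2te.py` in the usage comment are assumptions.

```python
"""Collapse SELinux AVC denials (the type=1400 lines in dmesg) into a
policy-module draft, offline, the way `audit2allow -M` would.

Added example for this thread; it is not ovirt-node code and not the patch
under review. The sample records are copied from the dmesg dump in the
message above; the module name is an assumption.
"""
import re
import sys

# Constructed sample: the AVC records from the dmesg output above, with one
# non-AVC line left in to show that unrelated kernel output is ignored.
SAMPLE_DMESG = """\
type=1400 audit(1223526055.374:4): avc:  denied  { read } for  pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=1400 audit(1223526055.374:5): avc:  denied  { read } for  pid=2592 comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
SELinux: initialized (dev proc, type proc), uses genfs_contexts
type=1400 audit(1223526138.070:6): avc:  denied  { search } for  pid=2732 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=1400 audit(1223526138.070:7): avc:  denied  { search } for  pid=2732 comm="iscsid" name="/" dev=debugfs ino=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
type=1400 audit(1223526199.621:12): avc:  denied  { search } for  pid=2852 comm="iscsid" name="bdi" dev=debugfs ino=6 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(text):
    """Yield one dict per AVC denial line: perms (list) plus every key=value
    field (comm, scontext, tcontext, tclass, name, ...). Other lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # findall gives '' for the alternative that did not match, so take whichever is set
        rec = {k: q or v for k, q, v in KV_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        yield rec


def type_of(context):
    """user:role:type[:range] -> type; policy rules are written on types."""
    return context.split(":")[2]


def aggregate(text):
    """Merge repeated denials into one entry per (source type, target type, class),
    remembering which commands triggered them for the reviewer's benefit."""
    rules = {}
    for rec in parse_avc(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "comm": set()})
        entry["perms"].update(rec["perms"])
        entry["comm"].add(rec.get("comm", "?"))
    return rules


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="ovirt_node_local", version="1.0"):
    """Emit a .te draft in the audit2allow layout: module header, require block,
    then one allow rule per aggregated key. It is a draft to be reviewed, not
    installed as-is; allow vs dontaudit vs relabel is the policy writer's call."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, cls), entry in rules.items():
        classes.setdefault(cls, set()).update(entry["perms"])
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), entry in sorted(rules.items()):
        out.append(f"# seen from comm={','.join(sorted(entry['comm']))}")
        out.append(f"allow {s} {t}:{cls} {fmt_perms(entry['perms'])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python avc2te.py [dmesg-or-audit.log]; without a file the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG
    sys.stdout.write(render_module(aggregate(text)))
```

On the dump above this yields two rules, `allow mount_t initrc_tmp_t:dir read;` and `allow iscsid_t debugfs_t:dir search;`, which is the point of aggregating: the eight repeated lines are only two decisions. Neither should be pasted into ovirt-node-selinux.te unread; a daemon's `search` on debugfs is a candidate for `dontaudit` rather than `allow`, and a denial against a `*_tmp_t` directory may point at a labeling problem in whatever created it rather than at a missing permission.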
