Bug 614338

Summary: setting Security Model=None take no effect without any prompt/warning
Product: Red Hat Enterprise Linux 6 Reporter: dyuan
Component: virt-managerAssignee: Cole Robinson <crobinso>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: berrange, dallan, eblake, llim, mliu, weizhan, xen-maint, yoyzhang
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:46:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description dyuan 2010-07-14 07:35:41 UTC 
Description of problem:

Guest is shutoff, select 'None' option in Model droplist, apply it.
Then start the guest, the Model will back to selinux both in virt-manager and xml.

Maybe it will take effect when SELINUX=enforcing in /etc/selinux/config, but there should be a prompt when the change take no effect.


Version-Release number of selected component (if applicable):
virt-manager-0.8.4-6.el6

How reproducible:
always

Steps to Reproduce:
1. Prepare an VM which is not running.
2. launch virt-manager.
3. Select the existing VM, then "open" -> "details" -> "Overview" -> "Security"
4. Select "None" option in Model droplist, then apply it.
5. Start the vm
  
Actual results:
the Model will back to selinux both in virt-manager and xml.

Expected results:


Additional info:

[Wed, 14 Jul 2010 15:15:24 virt-manager 3916] DEBUG (domain:1680) Changing seclabel with model=selinux t=dynamic label=
[Wed, 14 Jul 2010 15:15:24 virt-manager 3916] DEBUG (libvirtobject:150) Redefining 'rhel6' with XML diff:
--- Original XML 
+++ New XML 
@@ -47,4 +47,4 @@
       <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0"/>
     </video>
   </devices>
-</domain>
+<seclabel model="selinux" type="dynamic"><label></label></seclabel></domain>

[Wed, 14 Jul 2010 15:15:24 virt-manager 3916] DEBUG (libvirtobject:142) Redefinition request XML was no different, redefining anyways


[Wed, 14 Jul 2010 15:15:44 virt-manager 3916] DEBUG (domain:1680) Changing seclabel with model=None t=dynamic label=
[Wed, 14 Jul 2010 15:15:44 virt-manager 3916] DEBUG (libvirtobject:142) Redefinition request XML was no different, redefining anyways
[Wed, 14 Jul 2010 15:15:44 virt-manager 3916] DEBUG (libvirtobject:142) Redefinition request XML was no different, redefining anyways
Comment 2 RHEL Program Management 2010-07-15 14:54:22 UTC 
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release. It has
been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 3 Cole Robinson 2010-09-29 18:28:17 UTC 
Pretty sure this is a libvirt limitation, there isn't any way in the XML to specify 'don't use any security model for this guest'. Reassigning to libvirt
Comment 5 Cole Robinson 2011-01-12 18:10:38 UTC 
Patches have been sent upstream:

https://www.redhat.com/archives/libvir-list/2011-January/msg00468.html

However they are dependent on changes that have gone in past 0.8.7 which probably shouldn't be backported to 6.1. So since this isn't a customer request, I think it might be best push this off to 6.2.
Comment 6 Daniel Berrangé 2011-01-12 18:29:53 UTC 
NB, we explicitly didn't allow any way to selectively disable security on individual domains in sVirt. One single unconfined guests running on a host, can compromise the security protection of all other guests. No guest should be allowed to run unconfined, if SELinux is set to enforcing. While if it is permissive, then there's no benefit to selectively allowing unconfined guests, because all are effectively unconfined.
Comment 8 Cole Robinson 2011-01-13 15:54:16 UTC 
Okay, since the general premise has been rejected upstream, reassigning back to virt-manager. The UI should make it clear that security can not be disabled.
Comment 9 Daniel Berrangé 2011-01-13 16:02:26 UTC 
Arguably libvirt should still raise an explicit error if model=none was requested in XML, instead of silently using model=selinux anyway.
Comment 10 Eric Blake 2011-01-13 16:04:50 UTC 
Cole's patches to convert from a free-form string to a checked enum would help in that regard.
Comment 11 Cole Robinson 2011-01-13 17:14:07 UTC 
I'm pretty sure libvirt does raise an error if model='none', in the SecurityVerify step. The way virt-manager was trying to disable security was by just removing the entire <seclabel>, which has never worked.
Comment 12 Cole Robinson 2011-01-13 17:25:42 UTC 
Fixed upstream:

http://hg.fedorahosted.org/hg/virt-manager/rev/550da554b0ac
Comment 13 Cole Robinson 2011-02-24 16:50:18 UTC 
This is already fixed in virt-manager-0.8.6-1
Comment 15 zhanghaiyan 2011-03-02 08:52:49 UTC 
Verified this bug PASS with virt-manager-0.8.6-2.el6.noarch

Open virt-manager, double click on a guest, select view->Details, could see 'none' selection for security model is removed and only 'selinux' for it.
Comment 16 mliu 2011-04-18 05:32:44 UTC 
Verified this bug PASS with virt-manager-0.8.6-3.el6.noarch
Comment 17 errata-xmlrpc 2011-05-19 13:46:18 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0637.html