Bug 1027096
| Field | Value |
|---|---|
| Summary | Running domain may disappear after libvirtd is restarted when selinux security driver is disabled and didn't enable the model='selinux' in guest's xml |
| Product | Red Hat Enterprise Linux 6 |
| Component | libvirt |
| Version | 6.5 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | Upstream |
| Reporter | zhenfeng wang <zhwang> |
| Assignee | Michal Privoznik <mprivozn> |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Docs Contact | |
| CC | ajia, dyuan, gsun, jdenemar, lhuang, mprivozn, mzhan, rbalakri, shyu, ydu |
| Whiteboard | |
| Fixed In Version | libvirt-0.10.2-33.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1028962 |
| Environment | |
| Last Closed | 2014-10-14 04:18:14 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1028962 |
Description (zhenfeng wang, 2013-11-06 07:07:43 UTC)

See also Bug 947387.

Patch has been proposed upstream: https://www.redhat.com/archives/libvir-list/2013-November/msg00313.html

Patch is now pushed upstream:

```
commit 9fb3f9571db4bd20b8287a160e9b2680f23dde45
Author:     Michal Privoznik <mprivozn>
AuthorDate: Mon Nov 11 09:58:31 2013 +0100
Commit:     Michal Privoznik <mprivozn>
CommitDate: Mon Nov 11 16:01:25 2013 +0100

    virSecurityLabelDefParseXML: Don't parse label on model='none'
```

https://bugzilla.redhat.com/show_bug.cgi?id=1027096

If there's the following snippet in the domain XML, the domain will be lost upon the daemon restart (if the domain is started prior to restart):

```xml
<seclabel type='dynamic' relabel='yes'/>
```

The problem is, the 'label', 'imagelabel' and 'baselabel' are parsed whenever the VIR_DOMAIN_XML_INACTIVE is *not* present or the label is static. The latter is not our case, obviously. So, when libvirtd starts up, it finds the domain state xml and parses it. During parsing, many XML flags are enabled but VIR_DOMAIN_XML_INACTIVE. Hence, our parser tries to extract 'label', 'imagelabel' and 'baselabel' from the XML, which fails for model='none'. Err, this model - even though not specified in XML - can be taken from the qemu wide config file: /etc/libvirtd/qemu.conf. However, in order to know we are dealing with model='none' the code in question must be moved forward a bit. Then a new check must be introduced. This is what the first two chunks are doing. But this alone is not sufficient. The domain state XML won't contain the model attribute without slight modification. The model should be inserted into the XML even if equal to 'none' and the state XML is being generated - what if the origin (the @security_driver variable in qemu.conf) changes during libvirtd restarts? At the end, a test to catch this scenario is introduced.

Signed-off-by: Michal Privoznik <mprivozn>

v1.1.4-64-g9fb3f95

However, it's unclear right now if we are gonna rebase in 6.6 or if we just backport the important patches. Therefore I'm setting the 'Upstream' keyword to reflect the fact that we already have the patch.

Verify this bug with libvirt-0.10.2-33.el6.x86_64. Following the reproduce steps, when starting a guest which contains `<seclabel type='dynamic' relabel='yes'/>` in its XML configuration and restarting libvirtd, the guest is still in running status. BTW, a warning message is produced in libvirtd.log:

```
2014-04-18 06:31:05.324+0000: 13597: warning : virSecurityManagerNew:148 : Configured security driver "none" disables default policy to create confined guests
```

Hi Michal,

Currently we're doing the regression testing about this bug. However, we got a different result with step 7: the running guest will be in shutoff status after restarting the libvirtd service. Please help check it, thanks.

pkginfo: libvirt-0.10.2-44.el6.x86_64

Steps:

1. Set security_driver = "none" in /etc/libvirt/qemu.conf.
2. Restart the libvirtd service.
3. Start a domain which contains `<seclabel type='dynamic' relabel='yes'/>` in its XML configuration; here we didn't configure model='selinux' in the guest's xml.

   ```
   # virsh dumpxml rhel6
   --
   <seclabel type='dynamic' model='none' relabel='yes'/>
   --
   ```

4. Restart libvirtd.
5. Check the domain status: the domain was in shutoff status, and the seclabel in the guest's xml also changed.

   ```
   # virsh list --all
    Id    Name                           State
   ----------------------------------------------------
    -     rhel6                          shut off

   # virsh dumpxml rhel6
   <seclabel type='none' model='none'/>
   ```

6. Check the log.

   ```
   # cat /var/log/libvirt/libvirtd.log
   --
   2014-08-27 10:30:09.329+0000: 11747: info : libvirt version: 0.10.2, package: 44.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-08-19-09:58:31, x86-022.build.eng.bos.redhat.com)
   2014-08-27 10:30:09.329+0000: 11747: warning : virSecurityManagerNew:148 : Configured security driver "none" disables default policy to create confined guests
   2014-08-27 10:30:09.614+0000: 11747: error : virSecurityLabelDefParseXML:3319 : unsupported configuration: unsupported type='dynamic' to model 'none'
   ```

(In reply to zhenfeng wang from comment #8)

Yeah, this is a libvirt bug. I've sent patches upstream: https://www.redhat.com/archives/libvir-list/2014-September/msg00201.html

The additional bug is closely connected, but it's not exactly the same. And since the original fix is still there and working, it's better to track the additional issue by its own bug. Thus, I'm moving this one back to ON_QA.

Filed a new bug 1138500 to track the guest being shut off after libvirtd is restarted.

Verify this bug with libvirt-0.10.2-45.el6.x86_64. Steps are the same as in comment 8, and the guest still exists after restarting libvirtd.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1374.html
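The parse/format rule the commit message describes (labels demanded only when the XML is not inactive, short-circuited for model='none', and the model written into state XML even when it is 'none'), as an added Python illustration that is not libvirt's code. The flag names `XML_INACTIVE` and `XML_STATUS`, the function names, and the `security_driver` parameter standing in for the qemu.conf setting are assumptions, and the label handling is simplified to the label/imagelabel requirement the commit message mentions.

```python
import xml.etree.ElementTree as ET

# Stand-ins for libvirt's XML flags (names are assumptions, not libvirt's own).
XML_INACTIVE = 1  # persistent config XML, not the live state of a running domain
XML_STATUS = 2    # generating the state XML that libvirtd reloads after a restart

def _required(el, name):
    text = (el.findtext(name) or "").strip()
    if not text:
        raise ValueError("security %s is missing" % name)
    return text

def parse_seclabel(xml_text, flags, security_driver, fixed=True):
    """Parse one <seclabel>; fixed=False reproduces the pre-patch behaviour."""
    el = ET.fromstring(xml_text)
    sec = {"type": el.get("type", "dynamic"),
           "relabel": el.get("relabel", "yes") == "yes",
           # model falls back to qemu.conf when the XML does not carry it
           "model": el.get("model") or security_driver}
    # The fix: model 'none' has nothing to label, so stop before demanding
    # <label>/<imagelabel> from an XML that can never contain them.
    if fixed and sec["model"] == "none":
        return sec
    live = not flags & XML_INACTIVE
    if live or sec["type"] == "static":  # label required for live or static
        sec["label"] = _required(el, "label")
    if live and sec["relabel"]:          # imagelabel required for live relabel
        sec["imagelabel"] = _required(el, "imagelabel")
    return sec

def format_seclabel(sec, flags):
    """Render <seclabel>; the fix keeps model='none' in state XML so a later
    change of security_driver in qemu.conf cannot reinterpret the label."""
    attrs = ["type='%s'" % sec["type"]]
    if sec["model"] != "none" or flags & XML_STATUS:
        attrs.append("model='%s'" % sec["model"])
    attrs.append("relabel='%s'" % ("yes" if sec["relabel"] else "no"))
    body = "".join("<%s>%s</%s>" % (k, sec[k], k)
                   for k in ("label", "imagelabel") if k in sec)
    return "<seclabel %s%s" % (" ".join(attrs),
                               ">%s</seclabel>" % body if body else "/>")

def libvirtd_restart(state_xml, security_driver, fixed=True):
    """Reparse a running domain's state XML as libvirtd does at startup (live,
    so XML_INACTIVE is unset); None means the parser raised and the domain was dropped."""
    try:
        return parse_seclabel(state_xml, XML_STATUS, security_driver, fixed)
    except ValueError:
        return None
```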