Bug 1029873
| Summary: | refuse to start domain with nfs disk configured when virt_use_nfs SELinux boolean is off | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Jaša <djasa> |
| Component: | libvirt | Assignee: | Eric Blake <eblake> |
| Status: | CLOSED WONTFIX | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | acathrow, dyuan, eblake, jdenemar, mzhan, ydu, zhwang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-07 13:06:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Jaša
2013-11-13 12:23:01 UTC
# getsebool virt_use_nfs
virt_use_nfs --> off
# virsh start winxp
error: Failed to start domain winxp
error: internal error: process exited while connecting to monitor: qemu-kvm: -drive file=/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso,if=none,id=drive-scsi0-0-0-1,readonly=on,format=raw: could not open disk image /var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso: Could not open file: Permission denied
# grep AVC /var/log/audit/audit.log | tail -n1 | audit2why
type=AVC msg=audit(1384347562.025:1882): avc: denied { open } for pid=16567 comm="qemu-kvm" path="/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso" dev="0:40" ino=2149019912 scontext=system_u:system_r:svirt_t:s0:c93,c415 tcontext=system_u:object_r:nfs_t:s0 tclass=file
Was caused by:
The boolean virt_use_nfs was set incorrectly.
Description:
Allow virt to use nfs
Allow access by executing:
# setsebool -P virt_use_nfs 1
disk definition in domain xml:
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso'/>
<target dev='sdb' bus='scsi'/>
<readonly/>
<address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
Rather than refusing to run the domain, libvirt should instead be taking advantage of qemu 1.7's ability to pass in the entire backing chain via pre-opened fds, at which point the 'virt_use_nfs' bool is a no-op because we would no longer care about being able to label the files. Hi Eric Just try the comment0's issue in rhel6.6, also hit that issue, since didn't see the relative bug in rhel6.6, so doubt that will we also fix this issue in rhel6.6 ? thanks (In reply to zhenfeng wang from comment #4) > Hi Eric > Just try the comment0's issue in rhel6.6, also hit that issue, since didn't > see the relative bug in rhel6.6, so doubt that will we also fix this issue > in rhel6.6 ? thanks Upstream libvirt still does not have support wired up for fd passing of NFS disks; when we finally get there, we can avoid the need for the SELinux bool. I have no idea what time frame it will take to get there, but it will probably build upon the recent refactoring work on storage management for purposes of gluster, block commit, and friends. As such, while it may be done in time for RHEL 7.1, it would be extremely hard to backport to RHEL 6. The ultimate fix is to implement fd-passing for all disks (tracked already by 1039117, 731134). In the meantime audit2why clearly says where the problem is. |