Bug 1138487

Summary: One of the guests is shut off when libvirtd is restarted while the default security labeling is disabled
Product: Red Hat Enterprise Linux 7
Reporter: Luyao Huang <lhuang>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 7.1
CC: dyuan, jiahu, jtomko, mzhan, rbalakri, vivianzhang, zhwang
Target Milestone: rc
Hardware: x86_64
OS: All
Fixed In Version: libvirt-1.2.8-5.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 07:43:56 UTC
Type: Bug
Bug Blocks: 1138488

Description Luyao Huang 2014-09-05 00:53:46 UTC
Description of problem:
One of the guests will be shut off when libvirtd is restarted while the default security labeling is disabled and the number of running guests is > 1.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 # service libvirtd restart

2. Start two guests without configuring a security label
# virsh start r6
Domain r6 started

# virsh start win7
Domain win7 started

# virsh dumpxml r6

  <seclabel type='none' model='selinux'/>

# virsh dumpxml win7

 <seclabel type='none' model='selinux'/>

3. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 2     r6                             running
 3     win7                           running

3. Restart libvirtd
 # service libvirtd restart
4. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 3     win7                           running
 -     r6                             shut off

5. # ps aux|grep r6
root     19008  0.0  0.0 112640   964 pts/0    S+   12:51   0:00 grep --color=auto r6

Actual results:
One of the guests is shut off after libvirtd is restarted.

Expected results:
All guests are still running after libvirtd is restarted.

Additional info:


Log from /var/log/libvirt/libvirtd.log:


2014-09-04 06:31:02.161+0000: 8826: info : libvirt version: 1.2.8, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-05:19:38, x86-021.build.eng.bos.redhat.com)
2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor
2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label  already reserved
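
A pre-restart check built from the symptoms in this report, as an added example (not part of the bug report and not libvirt code): it lists guests whose SELinux seclabel is type='none' and pulls the reservation failure out of libvirtd.log. It assumes the XML comes from `virsh dumpxml` of running guests on a build older than the Fixed In Version; the f20 guest and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed `virsh dumpxml` excerpts: r6 and win7 mirror the report, f20 is hypothetical.
SAMPLE_XML = {
    "r6": "<domain><name>r6</name><seclabel type='none' model='selinux'/></domain>",
    "win7": "<domain><name>win7</name><seclabel type='none' model='selinux'/></domain>",
    "f20": "<domain><name>f20</name><seclabel type='dynamic' model='selinux'>"
           "<label>system_u:system_r:svirt_t:s0:c1,c2</label></seclabel></domain>",
}
# Log lines copied from the libvirtd.log excerpt in the report.
SAMPLE_LOG = """\
2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor
2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label  already reserved
"""

# Matches only the label-reservation error, whatever source line number it carries.
RESERVE_ERR = re.compile(
    r"^(?P<ts>\S+ \S+): \d+: error : virSecuritySELinuxReserveSecurityLabel:\d+ : "
    r".*already reserved\s*$"
)

def unlabeled_domains(xml_by_name):
    """Return sorted names of guests whose SELinux seclabel is type='none'."""
    hits = []
    for name, xml in xml_by_name.items():
        for sec in ET.fromstring(xml).findall("seclabel"):
            if sec.get("model") == "selinux" and sec.get("type") == "none":
                hits.append(name)
                break
    return sorted(hits)

def reservation_failures(log_text):
    """Return timestamps of label-reservation failures found in the log."""
    return [m.group("ts") for line in log_text.splitlines()
            if (m := RESERVE_ERR.match(line))]

def restart_report(xml_by_name, log_text):
    """Summarise exposure: the report needed more than one running guest."""
    names = unlabeled_domains(xml_by_name)
    return {"unlabeled": names,
            "at_risk": len(names) > 1,
            "failures": reservation_failures(log_text)}

if __name__ == "__main__":
    print(restart_report(SAMPLE_XML, SAMPLE_LOG))
```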

Comment 2 Ján Tomko 2014-09-30 15:40:58 UTC
Fixed upstream by:
commit a48362cdfeb5c948218a2e4bf7cc9354082fc1b6
Author:     Shivaprasad G Bhat <shivaprasadbhat>
AuthorDate: 2014-09-04 14:42:32 +0530
Commit:     Martin Kletzander <mkletzan>
CommitDate: 2014-09-07 17:09:34 +0200

    selinux: Avoid label reservations for type = none
    
    For security type='none' libvirt according to the docs should not
    generate seclabel be it for selinux or any model. So, skip the
    reservation of labels when type is none.
    
    Signed-off-by: Shivaprasad G Bhat <sbhat.ibm.com>

git describe: v1.2.8-46-ga48362c contains: v1.2.9-rc1~218

Comment 5 vivian zhang 2014-10-14 03:24:50 UTC
I can reproduce with build: libvirt-1.2.8-1.el7.x86_64

Verified with build: libvirt-1.2.8-5.el7.x86_64

Steps:
1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 # service libvirtd restart

2. Start two guests without configuring a security label
# virsh start r6
Domain r6 started

# virsh start win7
Domain win7 started

# virsh dumpxml r6

  <seclabel type='none' model='selinux'/>

# virsh dumpxml win7

 <seclabel type='none' model='selinux'/>

3. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 22    win7                           running
 24    r6                             running


3. Restart libvirtd
 # service libvirtd restart

4. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 22    win7                           running
 24    r6                             running

5. Check with ps that the guest processes exist
# ps aux |grep win7
qemu      8632 35.5 14.0 1673940 1118920 ?     Sl   11:20   0:56 /usr/libexec/qemu-kvm -name win7 -S -machine pc-i440fx-rhel7.1.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 32aae2f3-cdcd-45fc-9a39-9f4a94aa7323 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/win7.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/kvm-win7-x86_64-qcow2.img,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=25,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:8c:38:a5,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=127.0.0.1,disable-ticketing,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
root      9297  0.0  0.0 112644   980 pts/0    S+   11:22   0:00 grep --color=auto win7

# ps aux |grep r6
qemu      8923 23.9  6.1 5717324 486480 ?      Sl   11:21   0:26 /usr/libexec/qemu-kvm -name r6 -S -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 626ab801-e31b-49e6-85f3-12bccff308ad -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/r6.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/r6.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=29 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c1:d0:23,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0,websocket=5700 -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
root      9319  0.0  0.0 112640   976 pts/0    S+   11:23   0:00 grep --color=auto r6



Move to verified.

Comment 7 errata-xmlrpc 2015-03-05 07:43:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html