Bug 1138488

Summary: one of guest will be shut off when restart libvirtd while disable the default security labeling
Product: Red Hat Enterprise Linux 6
Reporter: Luyao Huang <lhuang>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 6.6
CC: dyuan, jtomko, libvirt-maint, mzhan, rbalakri, virt-bugs, vivianzhang, zhwang
Target Milestone: rc
Keywords: Upstream
Hardware: x86_64
OS: All
Fixed In Version: libvirt-0.10.2-48.el6
Doc Type: Bug Fix
Clone Of: 1138487
Last Closed: 2015-07-22 05:47:06 UTC
Type: Bug
Bug Depends On: 1138487

Description Luyao Huang 2014-09-05 01:05:27 UTC
I have met this problem in RHEL6, so I cloned a new bug for RHEL6

and 
Version-Release number of selected component (if applicable):
libvirt-0.10.2-45.el6.x86_64

log output :

2014-09-05 01:02:06.153+0000: 25358: debug : virObjectRef:168 : OBJECT_REF: obj=0x2237f00
2014-09-05 01:02:06.153+0000: 25358: debug : daemonRemoveAllClientStreams:480 : stream=(nil)
2014-09-05 01:02:06.153+0000: 25358: debug : virObjectUnref:135 : OBJECT_UNREF: obj=0x2237f00
2014-09-05 01:02:06.153+0000: 25358: debug : virEventPollRemoveHandle:175 : EVENT_POLL_REMOVE_HANDLE: watch=10
2014-09-05 01:02:06.153+0000: 25358: debug : virEventPollRemoveHandle:188 : mark delete 9 18
2014-09-05 01:02:06.153+0000: 25358: debug : virEventPollInterruptLocked:697 : Skip interrupt, 0 883042400
2014-09-05 01:02:06.153+0000: 25358: debug : virNetMessageFree:73 : msg=0x2237e90 nfds=0 cb=(nil)
2014-09-05 01:02:06.153+0000: 25358: debug : virObjectUnref:135 : OBJECT_UNREF: obj=0x2237cc0
2014-09-05 01:02:06.153+0000: 25358: debug : virObjectUnref:135 : OBJECT_UNREF: obj=0x2237f00
2014-09-05 01:02:06.154+0000: 25358: debug : virFileClose:72 : Closed fd 5
2014-09-05 01:04:00.249+0000: 27529: info : libvirt version: 0.10.2, package: 45.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-09:54:39, x86-027.build.eng.bos.redhat.com)
2014-09-05 01:04:00.249+0000: 27529: error : virSecuritySELinuxReserveSecurityLabel:666 : internal error MCS level for existing domain label  already reserved

+++ This bug was initially created as a clone of Bug #1138487 +++

Description of problem:
One of the guests will be shut off when libvirtd is restarted while the default security labeling is disabled and the number of running guests is > 1

Version-Release number of selected component (if applicable):
libvirt-1.2.8-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 # service libvirtd restart

2. Start two guests without configuring a security label
# virsh start r6
Domain r6 started

# virsh start win7
Domain win7 started

# virsh dumpxml r6

  <seclabel type='none' model='selinux'/>

# virsh dumpxml win7

 <seclabel type='none' model='selinux'/>

3. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 2     r6                             running
 3     win7                           running

4. Restart libvirtd
 # service libvirtd restart
5. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 3     win7                           running
 -     r6                             shut off

6. # ps aux|grep r6
root     19008  0.0  0.0 112640   964 pts/0    S+   12:51   0:00 grep --color=auto r6

Actual results:
One of the guests will be shut off after libvirtd restart

Expected results:
All guests should be running after restarting libvirtd

Additional info:


Log from /var/log/libvirt/libvirtd.log:


2014-09-04 06:31:02.161+0000: 8826: info : libvirt version: 1.2.8, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-05:19:38, x86-021.build.eng.bos.redhat.com)
2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor
2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label  already reserved
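
The failure signature in the two log excerpts above can be turned into a log check. This is an added example, not part of the bug report or of libvirt: it groups `virSecuritySELinuxReserveSecurityLabel` clashes under the daemon start that preceded them. The function name `find_label_clashes` and the regexes are assumptions of the example; the sample lines are copied from the report.

```python
import re

# libvirtd.log layout: "<timestamp>: <thread id>: <level> : <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}): "
    r"(?P<tid>\d+): (?P<level>\w+) : (?P<msg>.*)$")
# Daemon start banner, logged once per libvirtd start.
START_RE = re.compile(r"^libvirt version: (?P<ver>[^,]+), package: (?P<pkg>\S+)")
# Covers both spellings in the report: "internal error MCS" (0.10.2)
# and "internal error: MCS" (1.2.8). The label is empty for type='none'.
CLASH_RE = re.compile(
    r"^virSecuritySELinuxReserveSecurityLabel:\d+ : internal error:? "
    r"MCS level for existing domain label (?P<label>.*?) already reserved")

def find_label_clashes(lines):
    """Return one record per libvirtd start that logged a reservation clash."""
    current, reports = None, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        start = START_RE.match(m["msg"])
        if m["level"] == "info" and start:
            current = {"started": m["ts"], "version": start["ver"],
                       "package": start["pkg"], "clashes": []}
            continue
        clash = CLASH_RE.match(m["msg"])
        if m["level"] == "error" and clash:
            if current is None:  # log was rotated before the start banner
                current = {"started": None, "version": None,
                           "package": None, "clashes": []}
            if not current["clashes"]:
                reports.append(current)
            current["clashes"].append({"ts": m["ts"], "label": clash["label"]})
    return reports

# Sample input: lines quoted from the log excerpts in this bug report.
SAMPLE = """\
2014-09-04 06:31:02.161+0000: 8826: info : libvirt version: 1.2.8, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-05:19:38, x86-021.build.eng.bos.redhat.com)
2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor
2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label  already reserved
2014-09-05 01:02:06.154+0000: 25358: debug : virFileClose:72 : Closed fd 5
2014-09-05 01:04:00.249+0000: 27529: info : libvirt version: 0.10.2, package: 45.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-09:54:39, x86-027.build.eng.bos.redhat.com)
2014-09-05 01:04:00.249+0000: 27529: error : virSecuritySELinuxReserveSecurityLabel:666 : internal error MCS level for existing domain label  already reserved
"""

if __name__ == "__main__":
    for r in find_label_clashes(SAMPLE.splitlines()):
        print(r["started"], r["version"], r["package"], len(r["clashes"]))
```

An empty `label` in a clash record matches the `type='none'` case in this report, where the message prints no label text.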

Comment 2 Ján Tomko 2014-10-10 08:12:49 UTC
Fixed upstream by:
commit a48362cdfeb5c948218a2e4bf7cc9354082fc1b6
Author:     Shivaprasad G Bhat <shivaprasadbhat>
AuthorDate: 2014-09-04 14:42:32 +0530
Commit:     Martin Kletzander <mkletzan>
CommitDate: 2014-09-07 17:09:34 +0200

    selinux: Avoid label reservations for type = none
    
    For security type='none' libvirt according to the docs should not
    generate seclabel be it for selinux or any model. So, skip the
    reservation of labels when type is none.
    
    Signed-off-by: Shivaprasad G Bhat <sbhat.ibm.com>

git describe: v1.2.8-46-ga48362c contains: v1.2.9-rc1~218

Comment 5 vivian zhang 2015-01-29 07:04:29 UTC
I can reproduce this bug on build
libvirt-0.10.2-45.el6.x86_64

Verify it on build
libvirt-0.10.2-48.el6.x86_64
qemu-kvm-0.12.1.2-2.445.el6.x86_64
2.6.32-504.el6.x86_64

1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 #service libvirtd restart

2. prepare two guests with
<seclabel type='none' model='selinux'/>

3. start two guests
# virsh list
 Id    Name                           State
----------------------------------------------------
 16    r6                             running
 17    win                            running


4. restart libvirtd service
# service libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

5. check guests are all running
# virsh list
 Id    Name                           State
----------------------------------------------------
 16    r6                             running
 17    win                            running


6. dumpxml again

<seclabel type='none' model='selinux'/>


7. two guests after libvirtd restart, still running and works well


change this bug to verified

Comment 7 errata-xmlrpc 2015-07-22 05:47:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1252.html