Bug 1138500

Summary: guest will be shutoff after libvirtd is restarted when selinux security driver is disabled and didn't enable the model='selinux' in guest's xml
Product: Red Hat Enterprise Linux 6 Reporter: Luyao Huang <lhuang>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.6CC: dyuan, jdenemar, mprivozn, mzhan, rbalakri, zhwang
Target Milestone: rcKeywords: Upstream
Target Release: ---   
Hardware: x86_64   
OS: All   
Whiteboard:
Fixed In Version: libvirt-0.10.2-47.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 05:47:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luyao Huang 2014-09-05 02:46:58 UTC 
Description of problem:

guest will be shutoff  after libvirtd is restarted when selinux security driver is disabled and didn't enable the model='selinux' in guest's xml

Version-Release number of selected component (if applicable):
libvirt-0.10.2-45.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. set security_driver = "none" in /etc/libvirt/qemu.conf

2. restart libvirtd service

3. start a domain which contains <seclabel type='dynamic' relabel='yes'/> in its XML configuration,
   here we didn't configure the model='selinux' in guest's xml

#virsh dumpxml r6
--
<seclabel type='dynamic' model='none' relabel='yes'/>
--
4. restart libvirtd

5. check the domain status, the domain was in shutoff status, also the seclabel in guest's xml changed

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     r6                             shut off


#virsh dumpxml r6
  <seclabel type='none' model='none'/>

6.but can find it use ps aux
#ps aux|grep r6
qemu      3339 28.4  3.3 1405648 269900 ?      Sl   10:37   1:08 /usr/libexec/qemu-kvm -name r6 -S -M rhel6.6.0 -enable-kvm -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 996c6fd7-e34e-1323-6801-439741c1a7c9 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/r6.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -drive file=/var/lib/libvirt/images/r6.img,if=none,id=drive-ide0-0-0,format=raw,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=25,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:a1:2e:6f,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on


Actual results:
guest status change to shut off after libvirtd restart 

Expected results:
guest running

Additional info:
log from /var/log/libvirt/libvirtd.log

2014-09-05 02:43:59.377+0000: 4141: info : libvirt version: 0.10.2, package: 45.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-09:54:39, x86-027.build.eng.bos.redhat.com)
2014-09-05 02:43:59.377+0000: 4141: warning : virSecurityManagerNew:148 : Configured security driver "none" disables default policy to create confined guests
2014-09-05 02:43:59.677+0000: 4141: error : virSecurityLabelDefParseXML:3319 : unsupported configuration: unsupported type='dynamic' to model 'none'
Comment 2 Michal Privoznik 2014-09-05 06:03:47 UTC 
Patches proposed upstream:

https://www.redhat.com/archives/libvir-list/2014-September/msg00201.html
Comment 3 Michal Privoznik 2014-09-05 07:36:40 UTC 
And I've just pushed patches upstream:

commit 36cc189a46b642d202100efddfcefa7cf7bdd08b
Author:     Michal Privoznik <mprivozn>
AuthorDate: Wed Sep 3 19:06:55 2014 +0200
Commit:     Michal Privoznik <mprivozn>
CommitDate: Fri Sep 5 08:35:34 2014 +0200

    tests: Add test cases for previous commit
    
    This commit is rather big. Firstly, the in memory config
    representation is adjusted like if security_driver was set to "none".
    The rest is then just adaptation to the new code that will generate
    different seclabels.
    
    Signed-off-by: Michal Privoznik <mprivozn>

commit d869a6ea03eca6cffe8913a541161bb9bbedc8a1
Author:     Michal Privoznik <mprivozn>
AuthorDate: Wed Sep 3 18:07:45 2014 +0200
Commit:     Michal Privoznik <mprivozn>
CommitDate: Fri Sep 5 08:35:34 2014 +0200

    conf: Fix even implicit labels
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1027096#c8
    
    There are two ways in which security model can make it way into
    <seclabel/>. One is as the @model attribute, the second one is
    via security_driver knob in qemu.conf. Then, while parsing
    <seclabel/> several checks and fix ups of old, stale combinations
    are performed. However, iff @model is specified. They are not
    done in the latter case. So it's still possible to feed libvirt
    with senseless combinations (if qemu.conf is adjusted correctly).
    
    One example of a seclabel that needs some adjustment (in case
    security_driver=none in qemu.conf) is:
    
        <seclabel type='dynamic' relabel='yes'/>
    
    The fixup code is copied from virSecurityLabelDefParseXML
    (covering the former case) into virSecurityLabelDefsParseXML
    (which handles the latter case).
    
    Signed-off-by: Michal Privoznik <mprivozn>
Comment 4 Michal Privoznik 2014-12-03 15:58:50 UTC 
Moving to POST:

http://post-office.corp.redhat.com/archives/rhvirt-patches/2014-December/msg00052.html
Comment 6 Luyao Huang 2014-12-15 07:31:03 UTC 
Verify this bug with libvirt-0.10.2-47.el6.x86_64:

1.set security_driver = "none" in /etc/libvirt/qemu.conf

2.# service libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

3.add <seclabel type='dynamic' relabel='yes'/> in guest XML and save:

# virsh edit r6.5
...
<seclabel type='dynamic' relabel='yes'/>
...
Domain r6.5 XML configuration edited.

4.check XML via dumpxml
# virsh dumpxml r6.5|grep selabel 
 <seclabel type='none' model='none'/>

5.start the guest
# virsh start r6.5
Domain r6.5 started

6.
# virsh dumpxml r6.5
<seclabel type='none' model='none'/>

7.restart libvirtd
# service libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

8.check guest status
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 11    r6.5                           running
Comment 8 errata-xmlrpc 2015-07-22 05:47:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1252.html