Bug 1149883

Summary: Vdsm images use less secure selinux label after a lv is refreshed
Product: [Retired] oVirt
Reporter: Nir Soffer <nsoffer>
Component: vdsm
Assignee: Nir Soffer <nsoffer>
Status: CLOSED CURRENTRELEASE
QA Contact: Ori Gofen <ogofen>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 3.5
CC: acanan, amureini, bazulay, ecohen, fsimonce, gklein, iheim, lsurette, mgoldboi, rbalakri, scohen, tnisan, yeylon
Target Milestone: ---
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: storage
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1151819
Environment:
Last Closed: 2014-10-17 12:25:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1073943, 1151819

Description Nir Soffer 2014-10-06 20:13:10 UTC
Description of problem:

In oVirt-3.5.0 on EL7 or Fedora, vdsm logical volumes are using
a less secure SELinux label compared with EL6.

When libvirt starts a vm, it applies "svirt_image_t:s0:cX,cY"
(where X and Y are unique per vm) to writable images, and
"virt_content_t" to readonly images. This separates virtual
machines from each other, preventing a compromised qemu process
from writing into an image belonging to another virtual machine.

When a volume becomes full, vdsm extends and refreshes the
volume. This causes a udev change event, which applies the static
SELinux label "svirt_image_t", for both writable images and
readonly images.

The static selinux label is a temporary fix for bug 1127460. 
Without this fix, vms would pause after extend, making thin 
provisioning on block storage unusable.

The root cause is that udev changed the semantics of the udev
rules in Fedora 19 and later, as described in bug 1147910. 
We do not expect to get a fix from udev.


Steps to reproduce - leaf volume:

1. Create and start a vm with one thin provision disk
2. Find the storage domain id and disk lv name in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Perform enough io so the disk would be extended (e.g. install os)
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use svirt_image_t:s0:cX,cY


Steps to reproduce - internal volume:

1. Create and start a vm with one thin provision disk and one snapshot
2. Find the storage domain id and disk lv name of the base volume in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Refresh the lv
   lvchange --refresh --config "global {use_lvmetad=0}" vgname/lvname
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use "virt_content_t:s0"
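
The label check from the reproduction steps above can be scripted. This is an added example, not part of the original report and not vdsm code: it classifies an LV's SELinux context as the expected label (per-VM categories for a writable volume, virt_content_t for a read-only one) or as the static label this bug describes. The function names and the rw/ro mode argument are assumptions made for illustration.

```shell
#!/bin/sh
# Usage (on a host with SELinux enabled): sh thisscript /dev/vgname/lvname rw|ro

# classify_label CONTEXT MODE
#   CONTEXT: full SELinux context, user:role:type:level[:categories]
#   MODE:    rw = writable (leaf) volume, ro = read-only (internal) volume
# Prints "ok", "static" (svirt_image_t with no categories) or "unexpected";
# returns 0 only for "ok".
classify_label() {
    ctx=$1
    mode=$2
    old_ifs=$IFS
    IFS=:
    set -f              # no pathname expansion while splitting
    set -- $ctx         # $3 = type, $4 = level, $5 = MCS categories
    set +f
    IFS=$old_ifs
    setype=${3:-}
    cats=${5:-}

    # The regression: udev re-applied the static label, so the per-VM
    # categories (writable) or virt_content_t (read-only) are gone.
    if [ "$setype" = svirt_image_t ] && [ -z "$cats" ]; then
        echo static
        return 1
    fi
    case $mode in
        rw) if [ "$setype" = svirt_image_t ] &&
               printf '%s\n' "$cats" | grep -Eq '^c[0-9]+,c[0-9]+$'; then
                echo ok; return 0
            fi ;;
        ro) if [ "$setype" = virt_content_t ]; then
                echo ok; return 0
            fi ;;
    esac
    echo unexpected
    return 1
}

# check_lv DEVICE MODE: read the context of the device node behind an LV path
# (same target as "ls -Z `realpath ...`") and classify it.
check_lv() {
    lv_ctx=$(stat -c %C "$(realpath "$1")") || return 2
    printf '%s %s ' "$1" "$lv_ctx"
    classify_label "$lv_ctx" "$2"
}

if [ "$#" -eq 2 ]; then
    check_lv "$1" "$2"
fi
```

Running it before and after the extend or `lvchange --refresh` step shows the transition from "ok" to "static" on an affected host.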

Comment 1 Nir Soffer 2014-10-06 22:24:34 UTC
The attached patch is required but does not fix this issue.

Comment 2 Nir Soffer 2014-10-08 13:05:37 UTC
http://gerrit.ovirt.org/33874 is not required for this fix now. It will be available in the next version.

Comment 3 Sandro Bonazzola 2014-10-17 12:25:18 UTC
oVirt 3.5 has been released and should include the fix for this issue.