Bug 1157252

Summary: External luns may lose the libvirt selinux label if a udev change event is triggered
Product: Red Hat Enterprise Virtualization Manager
Reporter: Tal Nisan <tnisan>
Component: vdsm
Assignee: Nir Soffer <nsoffer>
Status: CLOSED CURRENTRELEASE
QA Contact: Elad <ebenahar>
Severity: high
Docs Contact:
Priority: high
Version: 3.5.0
CC: amureini, bazulay, ecohen, gklein, iheim, lpeer, lsurette, mgoldboi, nsoffer, rbalakri, scohen, yeylon
Target Milestone: ---
Keywords: ZStream
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: storage
Fixed In Version: vt8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1152661
: 1157688
Environment:
Last Closed: 2015-02-16 13:40:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Storage
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1152661
Bug Blocks: 1157688

Description Tal Nisan 2014-10-26 17:20:55 UTC
+++ This bug was initially created as a clone of Bug #1152661 +++

Description of problem:

Before plugging external luns to vms, we set up a temporary udev rule
for setting device permissions. Using this rule will cause the device to
lose the libvirt selinux label if a device has a change event, and
running with recent systemd-udevd (e.g. Fedora 19 and later, EL 7).

This is the same issue we had with vdsm images, (bug 1127460) but with
external luns we do not trigger change events, so the issue is unlikely.
However, if it happens, it will cause a vm to pause.

Version-Release number of selected component (if applicable):
vdsm master Oct 10.

How reproducible:
Always

Steps to Reproduce:
1. Start a vm using an external lun for one of the disks
2. Trigger a change event on a device used as external lun
   udevadm trigger --verbose --action change \
      --property-match=DM_NAME=1IET_0006000a

You need to replace 1IET_0006000a with the actual device name, which can be
found using multipath -ll.

Actual results:
The device will lose the svirt_image_t:s0:cxxx,cyyy label, and will get the default label fixed_disk_device_t:s0 instead. This will cause the vm to pause.

Expected results:
Libvirt selinux label is kept and the vm keeps running.

Comment 2 Allon Mureinik 2014-11-20 19:17:37 UTC
The 3.5 patch is merged.
Moving to MODIFIED.

Comment 3 Elad 2014-11-25 09:54:15 UTC
SELinux label is kept for a direct LUN while it is attached to a running VM.


[root@green-vdsb dev]# multipath -ll |grep 3514f0c5447600438
3514f0c5447600438 dm-21 XtremIO ,XtremApp 

[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. root disk    system_u:object_r:fixed_disk_device_t:s0 dm-21

Started the VM:

[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. vdsm qemu    system_u:object_r:svirt_image_t:s0:c203,c878 dm-21


Changed label:

[root@green-vdsb dev]# udevadm trigger --verbose --action change --property-match=3514f0c5447600438
[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. vdsm qemu    system_u:object_r:svirt_image_t:s0:c203,c878 dm-21

Checked on iSCSI and FC
Verified using rhev 3.5 vt11
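
As an added example (not part of the bug report or of vdsm), the manual `ls -Z` check from the verification above can be scripted to flag devices handed to qemu that no longer carry an sVirt label. It assumes the five-column `ls -Z` output format shown on this page and that group `qemu` ownership marks a device attached to a running VM; the function names and the dm-20 and dm-22 sample lines are constructed.

```shell
#!/bin/sh
# Added example: scan `ls -Z /dev` output for qemu-owned block devices that
# have lost their sVirt label (the failure described in this bug).

# Constructed sample in the five-column format shown on this page.
# dm-21 is copied from the verification output; dm-20 and dm-22 are made up.
sample_listing() {
    cat <<'EOF'
brw-rw----. root disk    system_u:object_r:fixed_disk_device_t:s0 dm-20
brw-rw----. vdsm qemu    system_u:object_r:svirt_image_t:s0:c203,c878 dm-21
brw-rw----. vdsm qemu    system_u:object_r:fixed_disk_device_t:s0 dm-22
EOF
}

# Reads listing lines on stdin. Prints "ok <dev> <categories>" or
# "label-lost <dev> <type>" for each qemu-owned block device.
# Returns 1 if any device lost its label, 0 otherwise.
scan_labels() {
    lost=0
    while read -r mode owner group context name; do
        case "$mode" in b*) ;; *) continue ;; esac   # block devices only
        # Assumption: group qemu means the device is attached to a VM.
        [ "$group" = "qemu" ] || continue
        # SELinux context layout: user:role:type:sensitivity[:categories]
        setype=$(printf '%s' "$context" | cut -d: -f3)
        cats=$(printf '%s' "$context" | cut -d: -f5)
        # A healthy device has svirt_image_t plus the VM's MCS category pair.
        if [ "$setype" = "svirt_image_t" ] && [ -n "$cats" ]; then
            echo "ok $name $cats"
        else
            echo "label-lost $name $setype"
            lost=1
        fi
    done
    return "$lost"
}

# On a host: ls -Z /dev | scan_labels
sample_listing | scan_labels || echo "at least one device lost its sVirt label"
```

Running the scan before and after `udevadm trigger --action change` on a host with a running VM shows whether a change event reset the label.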

Comment 4 Allon Mureinik 2014-11-25 20:48:31 UTC
Nit, iiuc, there is nothing customer-facing to document here.
Can you please either confirm and set requires-doctext-, or provide the relevant documentation?
Thanks!

Comment 5 Nir Soffer 2014-11-25 21:04:10 UTC
(In reply to Allon Mureinik from comment #4)
> Nit, iiuc, there is nothing customer-facing to document here.
> Can you please either confirm and set requires-doctext-, or provide the
> relevant documentation?

I agree.