Bug 1368880

Summary: "Unconfined guests are not allowed on this host" when dac security is not set in domain xml
Product: Red Hat Enterprise Linux 7
Reporter: Fangge Jin <fjin>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED NOTABUG
QA Contact: yafu <yafu>
Severity: medium
Priority: medium
Version: 7.3
CC: dyuan, mzhan, rbalakri, xuzhang, yafu, yanqzhan, zpeng
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-06-05 12:14:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Fangge Jin 2016-08-22 02:54:07 UTC
Description of problem:
Set security_default_confined = 0 and security_require_confined = 1 in qemu.conf, and set a dynamic selinux label in the domain XML; the guest fails to start:
# virsh dumpxml rhel7
...
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
...

# virsh start rhel7
error: Failed to start domain rhel7
error: unsupported configuration: Unconfined guests are not allowed on this host

Version-Release number of selected component:
libvirt-2.0.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure qemu.conf as below and restart the libvirtd service:
# grep '^security' /etc/libvirt/qemu.conf
security_default_confined = 0
security_require_confined = 1

2. Start guest

Actual results:
Guest fails to start

Expected results:
Guest starts successfully, because the dac driver is enabled by default.

Additional info:
If both selinux and dac security labels are set in the domain XML, the guest starts successfully:
# virsh dumpxml rhel7
...
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
...

# virsh start rhel7
Domain rhel7 started
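
A small lint for the interaction shown in this report, added here as an example and not libvirt's own code: it assumes (from the behaviour above, where adding an explicit dac label made the guest start) that any host security model without an explicit <seclabel> in the domain XML inherits security_default_confined, and it flags the models that would therefore be left unconfined when security_require_confined = 1. HOST_MODELS, the qemu.conf fragment and the two domain XML excerpts are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed qemu.conf fragment mirroring the report.
QEMU_CONF = """
# security settings
security_default_confined = 0
security_require_confined = 1
"""
# Security models active on the host (constructed; on a real host read the
# <secmodel> entries of `virsh capabilities`).
HOST_MODELS = ["selinux", "dac"]
# Constructed domain XML: the failing (selinux only) and working (both) cases.
DOMAIN_SELINUX_ONLY = """<domain type='kvm'><name>rhel7</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>"""
DOMAIN_BOTH = """<domain type='kvm'><name>rhel7</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>"""

def parse_qemu_conf(text):
    """Parse uncommented 'key = value' lines; numeric values become ints."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]+)\s*=\s*"?([^"#]+?)"?\s*(#.*)?$', line)
        if m:
            val = m.group(2)
            conf[m.group(1)] = int(val) if val.isdigit() else val
    return conf

def unlabelled_models(domain_xml, host_models):
    """Host models with no explicit confined <seclabel> in the domain."""
    root = ET.fromstring(domain_xml)
    labelled = {s.get("model") for s in root.findall("seclabel")
                if s.get("type") != "none"}
    return sorted(set(host_models) - labelled)

def would_be_rejected(domain_xml, conf_text, host_models):
    """Predict the 'Unconfined guests are not allowed' refusal (assumption:
    a model left unlabelled falls back to security_default_confined)."""
    conf = parse_qemu_conf(conf_text)
    if conf.get("security_require_confined", 0) != 1:
        return False          # unconfined guests are tolerated
    if conf.get("security_default_confined", 1) == 1:
        return False          # unlabelled models get a confined label
    return bool(unlabelled_models(domain_xml, host_models))
```

Running `unlabelled_models(DOMAIN_SELINUX_ONLY, HOST_MODELS)` names `dac` as the model left unlabelled, which is exactly the label the reporter had to add.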

Comment 2 Ján Tomko 2018-06-05 12:14:29 UTC
The "dac" driver cannot really be considered confinement; the error here is right.