Bug 1371125
Summary: | [regression] Permission denied when start a guest with file type serial port | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jingjing Shao <jishao> | |
Component: | libvirt | Assignee: | Ján Tomko <jtomko> | |
Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 7.3 | CC: | bschmaus, dyuan, ebarrera, ekuris, fjin, jdenemar, jtomko, lmiksik, mzhan, rbalakri, rcernin, sgordon, shanxoom2, xuzhang, yafu | |
Target Milestone: | rc | Keywords: | Regression | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1378803 (view as bug list) | Environment: | ||
Last Closed: | 2016-09-12 16:15:16 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1378803 |
Description
Jingjing Shao
2016-08-29 12:05:09 UTC
With RHEL7.2 release os + qemu-kvm + libvirt,I can not reproduce the issue,the result is as below kernel-3.10.0-327.el7.x86_64, qemu-kvm-1.5.3-105.el7.x86_64, libvirt-1.2.17-13.el7.x86_64 [on guest] 1. Add console=ttyS0,115200 to guest kernel line. [on host] 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3. Start the domain. # virsh start vm-jishao Domain vm-jishao started 4.# virsh dumpxml vm-jishao | grep serial -A8 <serial type='file'> <source path='/test/vm-serial.log'/> <target port='1'/> <alias name='serial0'/> </serial> <console type='file'> <source path='/test/vm-serial.log'/> <target type='serial' port='1'/> <alias name='serial0'/> </console> I try the start the guest when set selinux Permissive, the guest can be started successfully but the file can not print any log of guest libvirt-2.0.0-6.el7.x86_64 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3.# setenforce 0 # getenforce Permissive 4. Start the domain. # virsh start r7.2 Domain r7.2 started 5.# cat vm-serial.log # # # I am getting an AVC denial: selinux-policy-3.13.1-97.el7.noarch type=AVC msg=audit(1473346336.479:57889): avc: denied { append } for pid=12539 comm="virtlogd" name="vm-serial.log" dev="sda7" ino=262152 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file type=SYSCALL msg=audit(1473346336.479:57889): arch=c000003e syscall=2 success=no exit=-13 a0=7fe898000b10 a1=80441 a2=180 a3=7fe898000b30 items=0 ppid=1 pid=12539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null) Per bug 1311606 virtlogd is contained and should not be able to access everything. And the domain starts for me if I use /var/log/libvirt as the path to the log file, or manually adjust the context of the /test directory to virt_log_t. (Disabling virtlogd in qemu.conf: stdio_handler = "file" also allows me to start the domain) I don't think libvirt should be changing the context of random directories in the filesystem, we don't do that for disks either. Hello, i have set "stdio_handler = "file" in qemu.conf and now i am able to start the domain. but it will lead to security issue right, so what is the correct fix for this issue. Workaround used: # The backend to use for handling stdout/stderr output from # QEMU processes. # # 'file': QEMU writes directly to a plain file. This is the # historical default, but allows QEMU to inflict a # denial of service attack on the host by exhausting # filesystem space # # 'logd': QEMU writes to a pipe provided by virtlogd daemon. # This is the current default, providing protection # against denial of service by performing log file # rollover when a size limit is hit. # stdio_handler = "file" Actual issue: 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self) 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] libvirtError: Unable to open file: /var/lib/nova/instances/9730e067-3c4f-4241-9bae-693d95f53e00/console.log: Permission denied 2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] 2016-11-07 18:06:34.811 19880 INFO nova.compute.manager [req-17b73d5b-a406-439e-8e4d-9a40c04a1f9a 2ec0f13b4e494d49b2901281fc640d71 c900d0d4a8d24a8ab29fdb06b5f81d99 - - -] [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] Terminating instance Looking for the right fix. *** Bug 1396518 has been marked as a duplicate of this bug. *** *** Bug 1483466 has been marked as a duplicate of this bug. *** *** Bug 1502879 has been marked as a duplicate of this bug. *** *** Bug 1499800 has been marked as a duplicate of this bug. *** |