Bug 1371125
| Summary: | [regression] Permission denied when start a guest with file type serial port | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jingjing Shao <jishao> | |
| Component: | libvirt | Assignee: | Ján Tomko <jtomko> | |
| Status: | CLOSED NOTABUG | QA Contact: | Virtualization Bugs <virt-bugs> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.3 | CC: | bschmaus, dyuan, ebarrera, ekuris, fjin, jdenemar, jtomko, lmiksik, mzhan, rbalakri, rcernin, sgordon, shanxoom2, xuzhang, yafu | |
| Target Milestone: | rc | Keywords: | Regression | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1378803 (view as bug list) | Environment: | ||
| Last Closed: | 2016-09-12 16:15:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1378803 | |||
|
Description
Jingjing Shao
2016-08-29 12:05:09 UTC
With RHEL7.2 release os + qemu-kvm + libvirt,I can not reproduce the issue,the result is as below
kernel-3.10.0-327.el7.x86_64,
qemu-kvm-1.5.3-105.el7.x86_64,
libvirt-1.2.17-13.el7.x86_64
[on guest]
1. Add console=ttyS0,115200 to guest kernel line.
[on host]
1.# mkdir /test
2.Add the following XML to a domain, and delete other serial nodes.
<serial type="file">
<source path="/test/vm-serial.log"/>
<target port="1"/>
</serial>
3. Start the domain.
# virsh start vm-jishao
Domain vm-jishao started
4.# virsh dumpxml vm-jishao | grep serial -A8
<serial type='file'>
<source path='/test/vm-serial.log'/>
<target port='1'/>
<alias name='serial0'/>
</serial>
<console type='file'>
<source path='/test/vm-serial.log'/>
<target type='serial' port='1'/>
<alias name='serial0'/>
</console>
I try the start the guest when set selinux Permissive, the guest can be started successfully but the file can not print any log of guest libvirt-2.0.0-6.el7.x86_64 1.# mkdir /test 2.Add the following XML to a domain, and delete other serial nodes. <serial type="file"> <source path="/test/vm-serial.log"/> <target port="1"/> </serial> 3.# setenforce 0 # getenforce Permissive 4. Start the domain. # virsh start r7.2 Domain r7.2 started 5.# cat vm-serial.log # # # I am getting an AVC denial:
selinux-policy-3.13.1-97.el7.noarch
type=AVC msg=audit(1473346336.479:57889): avc: denied { append } for pid=12539 comm="virtlogd" name="vm-serial.log" dev="sda7" ino=262152 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1473346336.479:57889): arch=c000003e syscall=2 success=no exit=-13 a0=7fe898000b10 a1=80441 a2=180 a3=7fe898000b30 items=0 ppid=1 pid=12539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
Per bug 1311606 virtlogd is contained and should not be able to access everything.
And the domain starts for me if I use /var/log/libvirt as the path to the log file, or manually adjust the context of the /test directory to virt_log_t.
(Disabling virtlogd in qemu.conf:
stdio_handler = "file"
also allows me to start the domain)
I don't think libvirt should be changing the context of random directories in the filesystem, we don't do that for disks either.
Hello, i have set "stdio_handler = "file" in qemu.conf and now i am able to start the domain. but it will lead to security issue right, so what is the correct fix for this issue.
Workaround used:
# The backend to use for handling stdout/stderr output from
# QEMU processes.
#
# 'file': QEMU writes directly to a plain file. This is the
# historical default, but allows QEMU to inflict a
# denial of service attack on the host by exhausting
# filesystem space
#
# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
# This is the current default, providing protection
# against denial of service by performing log file
# rollover when a size limit is hit.
#
stdio_handler = "file"
Actual issue:
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] libvirtError: Unable to open file: /var/lib/nova/instances/9730e067-3c4f-4241-9bae-693d95f53e00/console.log: Permission denied
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00]
2016-11-07 18:06:34.811 19880 INFO nova.compute.manager [req-17b73d5b-a406-439e-8e4d-9a40c04a1f9a 2ec0f13b4e494d49b2901281fc640d71 c900d0d4a8d24a8ab29fdb06b5f81d99 - - -] [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] Terminating instance
Looking for the right fix.
*** Bug 1396518 has been marked as a duplicate of this bug. *** *** Bug 1483466 has been marked as a duplicate of this bug. *** *** Bug 1502879 has been marked as a duplicate of this bug. *** *** Bug 1499800 has been marked as a duplicate of this bug. *** |