Bug 1379953

Summary: Missing dependency selinux-policy-targeted
Product: Red Hat Enterprise Linux 7 Reporter: Fabian Deutsch <fdeutsch>
Component: libvirtAssignee: Jiri Denemark <jdenemar>
Status: CLOSED NOTABUG QA Contact: Jing Qi <jinqi>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: dyuan, fjin, jdenemar, rbalakri, xuzhang
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-12 21:06:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Fabian Deutsch 2016-09-28 08:36:32 UTC 
Description of problem:
I was installing libvirt in a clean environment without SELinux beeing installed.
Once I tried to start libvirt, it raised some errors about labels.

I had to install selinux-policy-targeted to fix this issue.

Version-Release number of selected component (if applicable):
RHEL 7.2 (CentOS)

How reproducible:
always

Steps to Reproduce:
1. Install libvirtd with i.e. rpm --root=…
2.
3.

Actual results:
libvirtd will not pull in selinux-policy-targeted

Expected results:
libvirtd should pull in selinux-policy-targeted


Additional info:
Comment 1 Jiri Denemark 2016-11-22 11:30:07 UTC 
Libvirt can happily run without SELinux if configured so (security_driver = "none" in /etc/libvirt/qemu.conf) so making it a hard dependency would be wrong.
Comment 2 Fabian Deutsch 2016-11-24 16:05:49 UTC 
I do understand that libvirt can run without SELinux.

But fact is that the default configuration is expecting SELinux.

Thus IMHO libvirtd should either not require selinux by default in the configuration or oull in the selinux policy.

But teh current state is that if you install libvirtd then it will not work.
Comment 3 Jiri Denemark 2017-04-12 21:06:53 UTC 
selinux-policy-targeted is installed even with the minimal installation, it is listed as a mandatory package in group "Core" (Smallest possible installation) which means it will be installed by default. So libvirt's default to use SELinux (if it is detected) works in the default installation. Creating a special environment requires treatment. And what if someone wanted to create a special installation with no SELinux policy installed? Adding a hard dependency on it in libvirt would make this impossible to achieve.
Comment 4 Jing Qi 2017-04-13 07:26:50 UTC 
I tried below steps about the bug:
1. I installed with minmal installation for rhel7.3.
2. After installation finished, I removed the "selinux-policy-targeted" from the OS and checked  /etc/libvirt/qemu.conf file . The configuration was comment as default. #security_driver = "selinux"
3. Then I installed qemu-kvm-rhev & libvirt rpms successfully.
4. After that, the libvirtd service can't be started and I tried to reboot system and the system can't be started up correctly. Error message " Failed to load SELinux policy, freezing" is printed out. 

Is this situation acceptable?
Comment 5 Jiri Denemark 2017-04-13 07:55:42 UTC 
Well, apparently you need to disable SELinux first to be able to boot the system without selinux-policy-targeted.