Bug 1502879

Summary: Compute Node Crashed and now Instances will not start due to selinux denials
Product: Red Hat Enterprise Linux 7 Reporter: Benjamin Schmaus <bschmaus>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DUPLICATE QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: jsuchane, libvirt-maint, rbalakri
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-23 13:37:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Benjamin Schmaus 2017-10-16 22:01:21 UTC 
Description of problem:

This appears to be a problem that was not resolved in the scope of 2 previous BZ's:

https://bugzilla.redhat.com/show_bug.cgi?id=1483466
https://bugzilla.redhat.com/show_bug.cgi?id=1371125

Customer had a compute node crash and cannot start instances when node comes back up.  AVC denials are seen in logs.


Version-Release number of selected component (if applicable):
7.4

How reproducible:
100%

Steps to Reproduce:
1.Deployed virt setup 1 Undercloud, 1 controller, 1 compute. 
2. set environment network, subnet. router and instance.
3. crash compute node
4.start the instance after the compute start-up-
[root@controller-0 ~]# openstack server start 8d448c2b-1d76-435d-a885-e45ef2c43a46 
5. check logs on compute node. 
openstack server list - the instance still on shutdown

Actual results:
Instance should start

Expected results:


Additional info:
Comment 2 Benjamin Schmaus 2017-10-16 22:03:26 UTC 
In BZ#1483466 Matthew Booth decoupled Nova from this issue:

Domain xml contains:

    <console type='file'>
      <source path='/var/lib/nova/instances/d317f802-75e7-4cda-b621-37b6fcd14c8c/console.log'/>
      <target type='serial' port='0'/>
    </console>

/var/lib/nova/instances/d317f802-75e7-4cda-b621-37b6fcd14c8c/ has type nova_var_lib_t.

Nova doesn't do anything with SELinux. When Nova initially creates the file, it inherits nova_var_lib_t. When the domain starts this becomes svirt_image_t. When the domain shuts down gracefully this reverts to nova_var_lib_t.

To isolate the problem from Nova, I shut down the domain with:

# virsh destroy instance-00000001

I deleted console.log, then restarted the domain with:

# virsh start instance-00000001

console.log was created automatically, and had svirt_image_t. Note that an ungraceful shutdown at this point will leave the file as svirt_image_t, and it will subsequently not be possible to start the domain.

I think the libvirt folks need to investigate this. I also suspect it affects all OSP versions running
Comment 6 Jaroslav Suchanek 2017-10-23 13:37:28 UTC 
Please note that the directory which is used for storing log files should be labelled with virt_log_d label. It is described in the following section of virtualization deployment guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-manipulating_the_domain_xml-devices#sect-Devices-Host_physical_machine_interface

*** This bug has been marked as a duplicate of bug 1371125 ***