Bug 1528628

Summary: seclabel element can not be successfully validated in character devices, but the setting can be exposed in live xml
Product: Red Hat Enterprise Linux 7
Reporter: yalzhang <yalzhang>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED NOTABUG
QA Contact: yalzhang <yalzhang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5
CC: fjin, phrdina, rbalakri, xuzhang, yafu
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-02 12:34:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description yalzhang@redhat.com 2017-12-22 13:03:31 UTC
Description of problem:
seclabel element can not be successfully validated in character devices, but the setting can be exposed in live xml, and it is a one-off setting

Version-Release number of selected component (if applicable):
libvirt-3.9.0-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.  Add the device below into the guest xml by
# virsh edit
...
    <console type='file'>
      <source path='/var/log/libvirt/test.log' append='on'>
        <seclabel model='dac' relabel='yes'/>
      </source>
      <target type='virtio' port='1'/>
    </console>

error: XML document failed to validate against schema: Unable to validate doc against /usr/share/libvirt/schemas/domain.rng
Extra element devices in interleave
Element domain failed to validate content

Failed. Try again? [y,n,i,f,?]:   ===> press "i"

Domain guest XML configuration edited.

2.  Check the xml; it looks like the seclabel setting is ignored
# virsh dumpxml guest
...
    <console type='file'>
      <source path='/var/log/libvirt/test.log' append='on'/>
      <target type='virtio' port='1'/>
    </console>
...

3. Start the guest; the seclabel setting is back in the live xml as we set it, and the file is relabeled
# virsh start guest
Domain guest started

# virsh dumpxml guest
...
    <console type='file'>
      <source path='/var/log/libvirt/test.log' append='on'>
        <seclabel model='dac' relabel='yes'/>
      </source>
      <target type='virtio' port='1'/>
      <alias name='console1'/>
    </console>
...

# ll -Z /var/log/libvirt/test.log
-rw-------. qemu qemu system_u:object_r:virt_log_t:s0  /var/log/libvirt/test.log

4.  Destroy the guest and start it again; the seclabel setting has disappeared and the file is back to the default
# virsh destroy guest
Domain guest destroyed

# ll -Z /var/log/libvirt/test.log
-rw-------. root root system_u:object_r:virt_log_t:s0  /var/log/libvirt/test.log

# virsh start guest
Domain guest started

# ll -Z /var/log/libvirt/test.log
-rw-------. root root system_u:object_r:virt_log_t:s0  /var/log/libvirt/test.log


Actual results:
seclabel element can not be successfully validated in file type character devices, but the setting can be exposed in live xml.
And a destroy-start will clear the setting.

Expected results:
The setting can be validated successfully in the inactive xml and is kept.

Additional info:
If the seclabel setting is not set, the default is as below:
Set a guest with the following in the xml
    <console type='file'>
      <source path='/var/log/libvirt/test1.log' append='on'/>
      <target type='virtio' port='1'/>
    </console>

# ll /var/log/libvirt/test1.log
ls: cannot access /var/log/libvirt/test1.log: No such file or directory

# virsh start guest
Domain guest started

# ll -Z /var/log/libvirt/test1.log
-rw-------. root root system_u:object_r:virt_log_t:s0  /var/log/libvirt/test1.log

Comment 2 Pavel Hrdina 2018-01-02 12:34:30 UTC
(In reply to yalzhang from comment #0)
> Description of problem:
> seclabel element can not be successfully validated in character devices, but
> the setting can exposed in live xml, and it is a one-off setting
> 
> Version-Release number of selected component (if applicable):
> libvirt-3.9.0-6.el7.x86_64
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> 1.  add below device into guest xml by 
> # virsh edit
> ...
>   <console type='file'>
>       <source path='/var/log/libvirt/test.log' append='on'>
>          <seclabel model='dac' relabel='yes'/>
>       </source>
>       <target type='virtio' port='1'/>
>     </console>

This XML is wrong.  You need to specify <label> as well.  Unfortunately this
is not properly documented.

> error: XML document failed to validate against schema: Unable to validate
> doc against /usr/share/libvirt/schemas/domain.rng
> Extra element devices in interleave
> Element domain failed to validate content
> 
> Failed. Try again? [y,n,i,f,?]:   ===> press "i"
> 
> Domain guest XML configuration edited.
> 
> 2.  check the xml, it looks like seclabel setting is ignored
> # virsh dumpxml guest

The reason why it is ignored is that it doesn't make sense to specify
<seclabel> with relabel='yes' without any <label>.

> ...
>    <console type='file'>
>       <source path='/var/log/libvirt/test.log' append='on'/>
>       <target type='virtio' port='1'/>
>     </console>
> ...
> 
> 3. start the guest, the seclabel setting is back in the live xml as what we
> set, and the file is relabeld
> # virsh start guest
> Domain guest started
> 
> # virsh dumpxml guest
> ...
>    <console type='file'>
>       <source path='/var/log/libvirt/test.log' append='on'>
>         <seclabel model='dac' relabel='yes'/>
>       </source>
>       <target type='virtio' port='1'/>
>       <alias name='console1'/>
>     </console>
> ...

This doesn't seem to be correct: if I start a guest with a console device,
the <seclabel> element is not formatted.

> 
> # ll -Z /var/log/libvirt/test.log
> -rw-------. qemu qemu system_u:object_r:virt_log_t:s0 
> /var/log/libvirt/test.log
> 
> 4.  destroy the guest and start again, the seclabel setting is disappeared
> and back to default
> # virsh destroy guest
> Domain guest destroyed
> 
> # ll -Z /var/log/libvirt/test.log
> -rw-------. root root system_u:object_r:virt_log_t:s0 
> /var/log/libvirt/test.log
> 
> # virsh start guest
> Domain guest started
> 
> # ll -Z /var/log/libvirt/test.log
> -rw-------. root root system_u:object_r:virt_log_t:s0 
> /var/log/libvirt/test.log
> 
> 
> Actual results:
> seclabel element can not be successfully validated in file type character
> devices, but the setting can exposed in live xml. 
> And a destroy- start will clear the setting. 
> 
> Expected results:
> the setting can validate successfully in inactive xml and be kept.
> 
> Additional info:
> If not set seclabel setting, the default is as below:
> set a guest with in the xml
>  <console type='file'>
>       <source path='/var/log/libvirt/test1.log' append='on'/>
>       <target type='virtio' port='1'/>
>     </console>
> 
> # ll /var/log/libvirt/test1.log
> ls: cannot access /var/log/libvirt/test1.log: No such file or directory
> 
> # virsh start guest
> Domain guest started
> 
> # ll -Z /var/log/libvirt/test1.log
> -rw-------. root root system_u:object_r:virt_log_t:s0 
> /var/log/libvirt/test1.log

The only thing that could be improved is documentation but otherwise there is no BUG so I'm closing it as NOTABUG.
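An added lint check (example code, not libvirt's own) for the pattern the maintainer describes above: a character-device <seclabel> that asks for relabeling but has no <label> child, which the schema rejects and the inactive XML silently drops. The domain XML is constructed from the report; the qemu:qemu DAC label in the second console is an assumed example value, and treating a missing relabel attribute like relabel='yes' is an assumption beyond the report.

```python
"""Flag <seclabel> elements on character-device sources that lack <label>."""
import xml.etree.ElementTree as ET

# Character devices whose <source> may carry a per-device <seclabel>.
CHARDEV_TAGS = ("console", "serial", "parallel", "channel")

# Constructed sample: the reporter's console (no <label>) plus a corrected
# variant. The 'qemu:qemu' DAC label is an assumed example value.
SAMPLE_XML = """<domain type='kvm'>
  <devices>
    <console type='file'>
      <source path='/var/log/libvirt/test.log' append='on'>
        <seclabel model='dac' relabel='yes'/>
      </source>
      <target type='virtio' port='1'/>
    </console>
    <console type='file'>
      <source path='/var/log/libvirt/other.log' append='on'>
        <seclabel model='dac' relabel='yes'>
          <label>qemu:qemu</label>
        </seclabel>
      </source>
      <target type='virtio' port='2'/>
    </console>
  </devices>
</domain>"""


def find_incomplete_seclabels(domain_xml):
    """Return (device tag, source path, model) for every <seclabel> under a
    character-device <source> that wants relabeling but has no <label>."""
    root = ET.fromstring(domain_xml)
    findings = []
    for tag in CHARDEV_TAGS:
        for dev in root.iter(tag):
            for src in dev.findall("source"):
                for sec in src.findall("seclabel"):
                    # Assumption: a missing relabel attribute behaves like 'yes';
                    # only relabel='no' is meaningful without a <label>.
                    wants_relabel = sec.get("relabel", "yes") != "no"
                    if wants_relabel and sec.find("label") is None:
                        findings.append((tag, src.get("path"), sec.get("model")))
    return findings


if __name__ == "__main__":
    for tag, path, model in find_incomplete_seclabels(SAMPLE_XML):
        print(f"{tag} source {path}: seclabel model={model} has no <label>; "
              "libvirt will reject it in the schema and drop it from the inactive xml")
```

Run it against the output of `virsh dumpxml --inactive <guest>` to catch the setting before it is silently lost.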