Bug 1717768
| Summary: | blockcommit failed due to permission deny when selinux in Enforcing mode | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Advanced Virtualization | Reporter: | yisun | ||||
| Component: | libvirt | Assignee: | Peter Krempa <pkrempa> | ||||
| Status: | CLOSED ERRATA | QA Contact: | yisun | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 8.1 | CC: | dzheng, jdenemar, jsuchane, lcheng, pkrempa, xuzhang, yanqzhan, yisun | ||||
| Target Milestone: | rc | Keywords: | Automation, Regression | ||||
| Target Release: | 8.0 | Flags: | knoel:
mirror+
|
||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | libvirt-5.5.0-1.el8 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-11-06 07:16:08 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This was broken in v5.4.0 and will be fixed in v5.5.0
commit 4c4953fb37158025c8216e96a9e0cbd0b7e03e1e
Author: Peter Krempa <pkrempa>
Date: Tue Jun 11 16:38:02 2019 +0200
qemu: domain: Allow forcing images to read-write in qemuDomainStorageSourceAccessAllow
In commit 76b9aba2ba6 I refactored how the function treats the readonly
flag which introduced a bug when we'd not allow to force read-write
state for an image.
This created problems with blockjobs where we need to temporarily
force images to have read-write permissions.
Rename QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_READ_ONLY to
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_ONLY and also introduce
a complement QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_WRITE which
will allow to force write access.
https://bugzilla.redhat.com/show_bug.cgi?id=1717768
Signed-off-by: Peter Krempa <pkrempa>
Reviewed-by: Ján Tomko <jtomko>
commit 9961e7799a6943655e5a976e62e789deded576ef
Author: Peter Krempa <pkrempa>
Date: Tue Jun 11 15:16:09 2019 +0200
qemu: domain: Fix logic bug in qemuDomainStorageSourceAccessAllow
In commit 76b9aba2ba6 I tried to refactor qemuDomainStorageSourceAccessAllow
but used wrong operators for adding bitwise flags.
This way the flags would result in 0 if any of them would be applied.
Signed-off-by: Peter Krempa <pkrempa>
Reviewed-by: Ján Tomko <jtomko>
verified by the auto job with following pkgs: libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 qemu-kvm-4.0.0-4.module+el8.1.0+3523+b348b848.x86_64 kernel-4.18.0-107.el8.x86_64 selinux-policy-3.14.3-9.el8.noarch libcgroup-0.41-19.el8.x86_64 systemd-239-15.el8.x86_64 dnsmasq-2.79-4.el8.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3723 |
Created attachment 1577795 [details] libvirtd debug log Description of problem: blockcommit failed due to permission deny when selinux in Enforcing mode versions: (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# rpm -qa | egrep "libvirt-5|qemu-kvm-4|selinux|kernel-4" selinux-policy-3.14.3-8.el8.noarch libselinux-2.9-1.el8.x86_64 libselinux-utils-2.9-1.el8.x86_64 qemu-kvm-4.0.0-3.module+el8.1.0+3265+26c4ed71.x86_64 libvirt-5.4.0-1.module+el8.1.0+3304+7eb41d5f.x86_64 selinux-policy-targeted-3.14.3-8.el8.noarch kernel-4.18.0-94.el8.x86_64 How reproducible: 100% Steps to Reproduce: 1. have a running vm (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# virsh start vm1 Domain vm1 started (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# ll -Z total 780224 -rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c438,c643 798949376 Jun 6 03:16 jeos-27-x86_64.qcow2 (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# virsh domblklist vm1 Target Source -------------------------------------------------------- vda /var/lib/libvirt/images/jeos-27-x86_64.qcow2 2. create a snapshot for its vda (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# virsh snapshot-create-as vm1 snap1 --disk-only vda,snapshot=external,file=/var/lib/libvirt/images/vm1.snap1 Domain snapshot snap1 created (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# ll -Z total 780420 -rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c438,c643 798949376 Jun 6 03:16 jeos-27-x86_64.qcow2 -rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c438,c643 196768 Jun 6 03:16 jeos-27-x86_64.snap1 3. do the blockcommit to merge the snapshot, failed as follow: (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# virsh blockcommit vm1 vda --wait --verbose --active --pivot error: internal error: unable to execute QEMU command 'block-commit': Could not reopen file: Permission denied (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# ll -Z total 780420 -rw-r--r--. 1 qemu qemu system_u:object_r:virt_content_t:s0 798949376 Jun 6 03:16 jeos-27-x86_64.qcow2 -rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c438,c643 196768 Jun 6 03:16 jeos-27-x86_64.snap1 4. if set selinux to Permissive mode, blockcommit could work: (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# setenforce 0 (.libvirt-ci-venv-ci-runtest-L7pPd9) [root@jslave-libvirt-rhel-8 images]# virsh blockcommit vm1 vda --wait --verbose --active --pivot Block commit: [100 %] Successfully pivoted Actual results: blockcommit failed due to permission denied if set selinux to Enforcing mode Expected results: blockcommit should work well Additional info: not reproduced in previous versions