Bug 1748079

Summary: regression: can't start previously working VM's, libvirtd internal error 'Setting different SELinux label on ... which is already in use'
Product: [Fedora] Fedora Reporter: Chris Murphy <bugzilla>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 31CC: agedosier, berrange, cagney, clalancette, crobinso, dwalsh, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, plautrba, richard.poettler, veillard, virt-maint, zbyszek, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libvirt-5.6.0-2.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-18 00:02:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
journal none

Description Chris Murphy 2019-09-02 17:05:06 UTC 
Description of problem:

I'm trying to start a VM which had been working fine.


Sep 02 10:49:28 fmac.local libvirtd[1939]: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/lib/libvirt/images/untitled.qcow2 which is already in use

-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c443,c550     198656 Aug 31 19:57 untitled.qcow2

Restorecon won't fix it. Resetting it with chcon to system_u:object_r:virt_image_t:s0 didn't work. And there are no AVC denials. But the last thing I did before this started happening was a complete relabel and reboot.

Delete that file and create it from scratch instead. And now I get.


Sep 02 10:50:51 fmac.local libvirtd[1939]: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/lib/libvirt/qemu/nvram/uefivm_VARS.fd which is already in use

-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c443,c550 131072 Aug 31 20:46 /var/lib/libvirt/qemu/nvram/uefivm_VARS.fd

This system has been rebooted, and libvirtd has been restarted, and it still complains. It's not in use, except possibly by itself.



Version-Release number of selected component (if applicable):
libvirt-daemon-5.6.0-1.fc31.x86_64
selinux-policy-3.14.4-31.fc31.noarch


How reproducible:
Always so far
Comment 1 Chris Murphy 2019-09-02 17:05:55 UTC 
Created attachment 1610840 [details]
journal
Comment 2 Chris Murphy 2019-09-02 17:10:01 UTC 
Rebooting with 'enforcing=0' does not fix the problem.
Comment 3 Chris Murphy 2019-09-02 17:18:48 UTC 
Rebooting with 'selinux=0' fixes this problem. Rebooting with selinux enabled and enforcing, it relabels, but now I can't launch the VM again.

There is a report on the users@ list, happening on Fedora 29.
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/DXGONPQYZ325IT5XJLQMBCQOD2FKUGQD/
Comment 4 Cole Robinson 2019-09-03 16:08:41 UTC 
This is a libvirt issue. In v5.6.0 we enabled a new feature that tries to remember the source selinux label of the image. However there were some bugs that should be fixed in v5.7.0 which is coming shortly. In the meantime you can disable the feature entirely by setting remember_owner=0 in /etc/libvirt/qemu.conf and restarting libvirtd.

That users@ email looks like the same issue, but this doesn't affect stock Fedora versions, so I'm guessing he is using the virt-preview copr repo
Comment 5 Zbigniew Jędrzejewski-Szmek 2019-09-11 09:38:16 UTC 
I'm seeing this too (libvirt-daemon-5.6.0-1.fc31.x86_64). I'll try the work-around.
Comment 6 Fedora Update System 2019-09-11 13:22:33 UTC 
FEDORA-2019-f415c367b9 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f415c367b9
Comment 7 Fedora Update System 2019-09-11 15:37:40 UTC 
libvirt-5.6.0-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f415c367b9
Comment 8 Chris Murphy 2019-09-11 17:39:05 UTC 
Bodhi says it's been pushed to testing, but it's not showing up in u-t even after a refresh.
Comment 9 Fedora Update System 2019-09-18 00:02:48 UTC 
libvirt-5.6.0-2.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.