Bug 1772844

Summary: Fail to start vm with split daemons
Product: Red Hat Enterprise Linux Advanced Virtualization
Component: libvirt
Version: 8.2
Reporter: Han Han <hhan>
Assignee: Daniel Berrangé <berrange>
QA Contact: yafu <yafu>
CC: chhu, dyuan, jdenemar, lmen, rbalakri, xuzhang, yafu
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Target Milestone: rc
Target Release: 8.2
Keywords: TestOnly
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2021-01-08 16:53:31 UTC
Bug Depends On: 1745076
Attachments: vm xml and virtproxyd log

Description Han Han 2019-11-15 10:05:48 UTC
Created attachment 1636420 [details]
vm xml and virtproxyd log

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-5.9.0-2.module+el8.2.0+4683+7e10e783.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Stop libvirtd
# systemctl stop libvirtd.socket libvirtd

2. Set /etc/libvirt/virtproxyd.conf to gather logs:
# cat /etc/libvirt/virtproxyd.conf
log_level = 3
log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
log_outputs="1:file:/var/log/libvirt/virtproxyd.log"


3. Start virtlogd virtqemud virtproxyd, then start vm
# systemctl start virtqemud virtproxyd virtlogd virtqemud.socket virtproxyd.socket virtlogd.socket

# virsh start q35                                 
error: Failed to start domain q35
error: can't connect to virtlogd: Cannot recv data: Connection reset by peer

Actual results:
As above

Expected results:
Vm started

Additional info:

Comment 1 Daniel Berrangé 2019-11-15 11:43:22 UTC
Can you confirm if SELinux is enforcing?

If so, does it work when in permissive mode?

Comment 2 Han Han 2019-11-16 06:00:05 UTC
(In reply to Daniel Berrangé from comment #1)
> Can you confirm if SELinux is enforcing?
> 
> If so, does it work when in permissive mode?

Yes. Works on permissive.
The audit log:
type=AVC msg=audit(1573883972.564:1092): avc:  denied  { search } for  pid=21582 comm="qemu-kvm" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1573883972.564:1093): avc:  denied  { read } for  pid=21582 comm="qemu-kvm" name="cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.564:1094): avc:  denied  { open } for  pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1                                                                            
type=AVC msg=audit(1573883972.564:1095): avc:  denied  { getattr } for  pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1                                                                         
type=AVC msg=audit(1573883972.765:1096): avc:  denied  { search } for  pid=19531 comm="virtlogd" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1                                                                                    
type=AVC msg=audit(1573883972.765:1097): avc:  denied  { read } for  pid=19531 comm="virtlogd" name="stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.765:1098): avc:  denied  { open } for  pid=19531 comm="virtlogd" path="/proc/21316/stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1

Comment 3 Daniel Berrangé 2019-11-18 10:12:14 UTC
Ok, yes, this is because the new split daemons don't have selinux policy rules set yet.

There should be a new selinux policy in 8.2 that fixes this https://bugzilla.redhat.com/show_bug.cgi?id=1745076
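The AVC records in comment 2 show two different source domains (svirt_t for qemu-kvm and virtlogd_t for virtlogd) being denied access to a process directory under /proc labelled unconfined_service_t, which is what comment 3 attributes to missing policy for the split daemons. The script below is an added example, not code from libvirt, selinux-policy or this bug: it parses audit AVC records (the sample text is the seven lines posted above, embedded as constructed input) and groups the denied permissions by source type, target type and object class, so a triager can see which daemon domains lack rules and which processes were affected. Field names follow the audit AVC format; the helper names are this example's own.

```python
"""Triage SELinux AVC denials like the ones in this bug report (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records posted in comment 2 of this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1573883972.564:1092): avc:  denied  { search } for  pid=21582 comm="qemu-kvm" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1573883972.564:1093): avc:  denied  { read } for  pid=21582 comm="qemu-kvm" name="cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.564:1094): avc:  denied  { open } for  pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.564:1095): avc:  denied  { getattr } for  pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.765:1096): avc:  denied  { search } for  pid=19531 comm="virtlogd" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1573883972.765:1097): avc:  denied  { read } for  pid=19531 comm="virtlogd" name="stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.765:1098): avc:  denied  { open } for  pid=19531 comm="virtlogd" path="/proc/21316/stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, result and the {perm ...} set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# Remaining key=value fields; values may be quoted (comm, name, path) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component (user:role:TYPE:...) of an SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # permissive=1 means the access went through only because SELinux was not enforcing.
    rec['permissive'] = rec.get('permissive') == '1'
    rec['source_type'] = context_type(rec['scontext'])
    rec['target_type'] = context_type(rec['tcontext'])
    return rec


def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        groups[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in sorted(groups.items())}


def affected_processes(audit_text):
    """Return the set of (comm, source type) pairs that hit a denial."""
    found = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            found.add((rec['comm'], rec['source_type']))
    return found


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT).items():
        print(f'{src:12} -> {tgt}:{cls:5} {" ".join(perms)}')
    for comm, src in sorted(affected_processes(SAMPLE_AUDIT)):
        print(f'affected: {comm} running as {src}')
```

On a live host the same input comes from `ausearch -m AVC -ts recent`. The grouping is meant for confirming a diagnosis such as the one in comment 3 (both the guest domain and the virtlogd domain miss rules against the daemon's new label) and for comparing against what an updated selinux-policy package ships, rather than for generating local allow rules from permissive-mode output.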

Comment 4 yafu 2020-02-04 10:06:40 UTC
Verified with:
libvirt-6.0.0-2.module+el8.2.0+5513+34927b6c.x86_64
selinux-policy-3.14.3-38.el8.noarch

Test steps:
1. Stop libvirtd
# systemctl stop libvirtd.socket libvirtd

2. Set /etc/libvirt/virtproxyd.conf to gather logs:
# cat /etc/libvirt/virtproxyd.conf
log_level = 3
log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
log_outputs="1:file:/var/log/libvirt/virtproxyd.log"


3. Start virtlogd virtqemud virtproxyd, then start vm
# systemctl start virtqemud virtproxyd virtlogd virtqemud.socket virtproxyd.socket virtlogd.socket

4. Start a guest:
# virsh start vm
Domain vm started

5. Start virtstoraged service:
# systemctl start virtstoraged

6. Destroy default pool:
# virsh pool-list
 Name      State    Autostart
-------------------------------
 default   active   no

# virsh pool-destroy default 
Pool default destroyed

7. Start virtnetworkd service:
# systemctl start virtnetworkd

8. Destroy default network:
# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

# virsh net-destroy default 
Network default destroyed

9. Start virtnwfilterd service:
# systemctl start virtnwfilterd

10. Define a nwfilter:
# virsh nwfilter-define /root/filter.xml 
Network filter disallow-arp defined from /root/filter.xml

11. Start virtsecretd service:
# systemctl start virtsecretd

12. Define a secret and set value:
# virsh secret-define secret.xml 
Secret 0daa1a35-5599-4a06-8cd1-6a3751912e61 created
# virsh secret-list
 UUID                                   Usage
----------------------------------------------------------------------------------
 0daa1a35-5599-4a06-8cd1-6a3751912e61   volume /var/lib/libvirt/images/rhel6.img

# MYSECRET=`echo "red hat" | base64`
# virsh secret-set-value 0daa1a35-5599-4a06-8cd1-6a3751912e61 $MYSECRET
Secret value set

Comment 6 Jeff Nelson 2021-01-08 16:53:31 UTC
Changing this TestOnly BZ to CLOSED CURRENTRELEASE. Please reopen if the issue is not resolved.