Bug 1788096
| Summary: | virt-install - unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/test/.cache/virt-manager/boot/virtinst-pqiulxvu-vmlinuz' |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Component: | libvirt |
| Version: | 8.2 |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | Vera Budikova <vbudikov> |
| Assignee: | Fabiano Fidêncio <fidencio> |
| QA Contact: | yafu <yafu> |
| CC: | chhu, dyuan, fidencio, jdenemar, juzhou, lmen, mkletzan, mzhan, rbalakri, tzheng, xiaodwan, xuzhang |
| Target Milestone: | rc |
| Target Release: | 8.2 |
| Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified |
| OS: | Linux |
| Fixed In Version: | libvirt-4.5.0-39.el8 |
| Bug Blocks: | 1793937 |
| Last Closed: | 2020-04-28 15:33:39 UTC |
| Type: | Bug |

Comment 1
zhoujunqin
2020-01-07 02:20:16 UTC
Created attachment 1650315 [details]
debug log
It seems that it is broken via this command: virt-install --location ~/Downloads/RHEL-8.2.0-20191219.0-x86_64-dvd1.iso --unattended profile=jeos,admin-password-file=/tmp/admin-password-file,user-password-file=/tmp/user-password-file --debug

I have tried only these 2 TCs:
- virt-install, using the following command lines:
  - virt-install --location /path/to/RHEL-8.2-dvd1.ISO --unattended profile=desktop
  - virt-install --location /path/to/RHEL-8.2-boot.ISO --unattended profile=jeos,admin-password-file=/tmp/admin-password-file,user-password-file=/tmp/user-password-file

The log is attached - the following commands are logged:
```
virt-install --location ~/Downloads/RHEL-8.2.0-20191219.0-x86_64-dvd1.iso --unattended profile=desktop --debug
virt-install --location ~/Downloads/RHEL-8.2.0-20191219.0-x86_64-dvd1.iso --unattended profile=jeos,admin-password-file=/tmp/admin-password-file,user-password-file=/tmp/user-password-file --debug
virt-install --location ~/Downloads/RHEL-8.2.0-20191219.0-x86_64-dvd1.iso --unattended profile=desktop --debug
```
I did more tests with older RHEL - 7 and it works ok. When I am installing RHEL8.2, it shows ERROR unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/test/.cache/virt-manager/boot/virtinst-6yfrr_mi-vmlinuz': No such file or directory. It was with the following command in the latest test: virt-install --location RHEL-8.2.0-20200109.n.1-x86_64-dvd1.iso --unattended profile=desktop

Steps:
1. virt-install --location RHEL-8.1.0-20191015.0-x86_64-dvd1.iso --unattended profile=jeos,admin-password-file=/tmp/admin-password-file,user-password-file=/tmp/user-password-file --debug
2. Repeat step 1
3. virt-install --location RHEL-8.2.0-20200109.n.1-x86_64-dvd1.iso --unattended profile=desktop

Results: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/test/.cache/virt-manager/boot/virtinst-6yfrr_mi-vmlinuz': No such file or directory.

It seems that the problem appears in the next installations, not in the first.

Věra,
The error is set and reported by libvirt itself, as shown in the debug log:
```
[Tue, 07 Jan 2020 02:34:55 virt-install 28007] DEBUG (cli:263) File "/usr/share/virt-manager/virt-install", line 1009, in <module>
sys.exit(main())
File "/usr/share/virt-manager/virt-install", line 1003, in main
start_install(guest, installer, options)
File "/usr/share/virt-manager/virt-install", line 690, in start_install
fail(e, do_exit=False)
File "/usr/share/virt-manager/virtinst/cli.py", line 263, in fail
log.debug("".join(traceback.format_stack()))
[Tue, 07 Jan 2020 02:34:55 virt-install 28007] ERROR (cli:264) unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/test/.cache/virt-manager/boot/virtinst-3en9fsx9-vmlinuz': No such file or directory
[Tue, 07 Jan 2020 02:34:55 virt-install 28007] DEBUG (cli:266)
Traceback (most recent call last):
File "/usr/share/virt-manager/virt-install", line 681, in start_install
domain.create()
File "/usr/lib64/python3.6/site-packages/libvirt.py", line 1080, in create
if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/test/.cache/virt-manager/boot/virtinst-3en9fsx9-vmlinuz': No such file or directory
[Tue, 07 Jan 2020 02:34:59 virt-install 28007] DEBUG (cli:278) Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///session start rhel8.2-3
otherwise, please restart your installation.
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///session start rhel8.2-3
otherwise, please restart your installation.
```
I'd like to ask what's the libvirt and libvirt-python version being used.
rhvirt-patches:
- http://post-office.corp.redhat.com/archives/rhvirt-patches/2020-January/msg00349.html

Fabiano, ok. I think this command is problematic: virt-install --location /path/to/RHEL-8.2-boot.ISO --unattended profile=jeos,admin-password-file=/tmp/admin-password-file,user-password-file=/tmp/user-password-file Have you tried this one?

Hi Martin,
I tested with libvirt-4.5.0-40.module+el8.2.0+5761+d16d25e7.x86_64 and it seems I cannot trigger the EPERM errno.
As the patch said: "However, don't claim error if SELinux is in Enforcing mode and we are running as unprivileged user and we really did see EPERM"
Could you help to check that please?
Thanks a lot.
Test steps:
1. Using a non-root user to create a guest with an image that does not exist:
```
#cat test.xml
...
<os>
  <type arch="x86_64" machine="q35">hvm</type>
  <kernel>/home/yafu/.cache/virt-manager/boot/virtinst-xyiwlif5-vmlinuz</kernel>
  <initrd>/home/yafu/.cache/virt-manager/boot/virtinst-llbmyjxd-initrd.img</initrd>
  <cmdline>ks=file:/rhel.ks</cmdline>
</os>
...
$ virsh create test.xml
error: Failed to create domain from test.xml
error: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/home/yafu/.cache/virt-manager/boot/virtinst-xyiwlif5-vmlinuz': No such file or directory
```
2. Using a non-root user to create a guest with an image that cannot be accessed by the non-root user:
```
#cat test.xml
...
<os>
  <type arch='x86_64' machine='pc-q35-rhel8.2.0'>hvm</type>
  <kernel>/root/virtinst-xyiwlif5-vmlinuz</kernel>
  <initrd>/root/virtinst-llbmyjxd-initrd.img</initrd>
  <cmdline>ks=file:/rhel.ks</cmdline>
  <boot dev='hd'/>
</os>
...
#virsh create test.xml
error: Failed to create domain from test.xml
error: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/root/virtinst-xyiwlif5-vmlinuz': Permission denied
```
yafu,

Although the patch came from Martin, I was the person dealing with the issue and who proposed the backport of the patch.

Please, I'd like to ask you to sync with Věra Cholasta on how to verify this bug (or not, or maybe just use a SanityCheck?), as she was the one who was able to reproduce the issue and the one who tested this patch as well.

I'm setting the needinfo to Věra.

(In reply to Fabiano Fidêncio from comment #13)
> yafu,
>
> Although the patch came from Martin, I was the person dealing with the issue
> and who proposed the backport of the patch.
>
> Please, I'd like to ask you to sync with Věra Cholasta on how to verify this
> bug (or not, or maybe just use a SanityCheck?), as she was the one who was
> able to reproduce the issue and the one who tested this patch as well.
>
> I'm setting the needinfo to Věra.

Ok and thanks for your info.

Verified with libvirt-daemon-6.0.0-10.el8.x86_64.
#vim /usr/src/debug/libvirt-6.0.0-10.virtcov.el8.x86_64/src/security/security_selinux.c
```
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP &&
    setfilecon_errno != EROFS) {
    VIR_WARNINGS_RESET
    /* However, don't claim error if SELinux is in Enforcing mode and
     * we are running as unprivileged user and we really did see EPERM.
     * Otherwise we want to return error if SELinux is Enforcing. */
    if (security_getenforce() == 1 &&
        (setfilecon_errno != EPERM || privileged)) {
        virReportSystemError(setfilecon_errno,
                             _("unable to set security context '%s' on '%s'"),
                             tcon, path);
        return -1;
    }
    VIR_WARN("unable to set security context '%s' on '%s' (errno %d)",
             tcon, path, setfilecon_errno);
} else {
    const char *msg;
```
I could see that the patch in comment #7 is merged.
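
The errno handling in the excerpt quoted above, modelled as a standalone C function and run over the failures reported in this bug; this is an added example, not libvirt's code. The enum and function names are hypothetical, and treating the else-branch (EOPNOTSUPP, ENOTSUP, EROFS) as non-fatal is an assumption, since the excerpt stops before that branch's body.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical outcome names for this model; libvirt defines no such enum. */
enum relabel_outcome {
    RELABEL_FATAL,   /* virReportSystemError() + return -1: domain start fails */
    RELABEL_WARN,    /* VIR_WARN() only: failure is logged and tolerated */
    RELABEL_SKIPPED  /* else-branch; assumed non-fatal (not shown in the excerpt) */
};

/* Same condition as the quoted security_selinux.c lines.
 * enforcing:  security_getenforce() == 1
 * privileged: the driver's "privileged" flag (false for qemu:///session) */
static enum relabel_outcome
classify_setfilecon_failure(int err, bool enforcing, bool privileged)
{
    if (err == EOPNOTSUPP || err == ENOTSUP || err == EROFS)
        return RELABEL_SKIPPED;
    if (enforcing && (err != EPERM || privileged))
        return RELABEL_FATAL;
    return RELABEL_WARN;
}

static const char *outcome_name(enum relabel_outcome o)
{
    return o == RELABEL_FATAL ? "fatal" : o == RELABEL_WARN ? "warn" : "skipped";
}

int main(void)
{
    /* Constructed cases; errnos match the messages reported in the thread. */
    const struct { const char *what; int err; bool enf, priv; } cases[] = {
        { "session, kernel file missing (ENOENT)",  ENOENT, true,  false },
        { "session, kernel under /root (EACCES)",   EACCES, true,  false },
        { "session, relabel not permitted (EPERM)", EPERM,  true,  false },
        { "system daemon, EPERM",                   EPERM,  true,  true  },
        { "permissive mode, ENOENT",                ENOENT, false, false },
        { "read-only filesystem (EROFS)",           EROFS,  true,  true  },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-42s -> %s\n", cases[i].what,
               outcome_name(classify_setfilecon_failure(
                   cases[i].err, cases[i].enf, cases[i].priv)));
    return 0;
}
```

Both messages in the test steps above, "No such file or directory" (ENOENT) and "Permission denied" (EACCES), fall in the fatal case; only EPERM seen by an unprivileged daemon is downgraded to a warning.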
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1587