Bug 507555

Summary: libvirt starting a guest with ISO on NFS mount fails when unnecessarily setting SELinux file context
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: libvirtAssignee: Daniel Veillard <veillard>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: berrange, clalance, crobinso, gczarcinski, itamar, kdudka, markmc, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.6.2-13.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-27 21:27:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 480594    
Attachments:
Description Flags
libvirt-0.6.2-unnecessary-setfilecon.patch
none
qemu log none

Description Tim Waugh 2009-06-23 10:11:12 UTC 
Created attachment 349074 [details]
libvirt-0.6.2-unnecessary-setfilecon.patch

Description of problem:
When installing a new image from an ISO image on an nfs mount, the operation fails and I get this error in /var/log/messages:

error : SELinuxSetFilecon: unable to set security context 'system_u:object_r:virt_content_t:s0' on /mnt/nfsmount/Fedora-11-x86_64-DVD/Fedora-11-x86_64-DVD.iso: Operation not supported.

However, the /mnt/nfsmount partition was mounted with this option:
context="system_u:object_r:virt_content_t:s0"

So it is failing to do something it doesn't need to do.

Here is a patch to spot this condition and prevent failure.

Version-Release number of selected component (if applicable):
libvirt-0.6.2-9.fc11

How reproducible:
100%

Steps to Reproduce:
1.Mount nfs directory as above.
2.Attempt to install new VM from ISO image.
  
Actual results:
Fails.

Expected results:
Succeeds.

Additional info:
Patch which works for me attached, which compares the existing SELinux file context to the one we want it to be if we failed to set it.
Comment 1 Daniel Veillard 2009-06-23 13:03:19 UTC 
Makes sense to me, I forwarded the patch to the list for review,

 thanks !

Daniel
Comment 2 Mark McLoughlin 2009-07-03 09:48:53 UTC 
Re-posted here:

  http://www.redhat.com/archives/libvir-list/2009-July/msg00049.html
Comment 3 Mark McLoughlin 2009-07-03 09:59:32 UTC 
Added to rawhide:

* Fri Jul  3 2009 Mark McLoughlin <markmc> - 0.6.4-3.fc12
- Don't unnecessarily try to change a file context (bug #507555)

Will build for F-11 too
Comment 4 Mark McLoughlin 2009-07-03 10:09:55 UTC 
F-11:

* Fri Jul  3 2009 Mark McLoughlin <markmc> - 0.6.2-13.fc11
- Don't unnecessarily try to change a file context (bug #507555)
Comment 5 Kamil Dudka 2009-07-03 13:01:39 UTC 
Created attachment 350421 [details]
qemu log

libvirt-0.6.2-13.fc11.x86_64 does not solve the problem for me, log attached. I just updated the libvirt package and restarted libvirtd service. Originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=499933#c4
Comment 6 Kamil Dudka 2009-07-03 13:05:11 UTC 
(In reply to comment #5)
# file /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
/mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso: ISO 9660 CD-ROM filesystem data 'RHEL/5.3 x86_64 DVD            ' (bootable)

# ls -Z /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
-rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0       /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
Comment 7 Fedora Update System 2009-07-11 17:05:25 UTC 
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libvirt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7449
Comment 8 Kamil Dudka 2009-07-11 18:06:19 UTC 
(In reply to comment #6)
> -rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0      

It didn't work because it has to be mounted with -o context="system_u:object_r:virt_content_t:s0".

Then the update resolves the problem.
Comment 9 Fedora Update System 2009-07-27 21:27:46 UTC 
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.