Bug 517157

Summary: libvirt fails to start guest on NFS even when sebool virt_use_nfs is on
Product: [Fedora] Fedora Reporter: David Lutterkort <lutter>
Component: libvirtAssignee: Darryl L. Pierce <dpierce>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: 11CC: ajia, apevec, berrange, braden, clalance, crobinso, dpierce, dwalsh, hbrock, hedayatv, itamar, jboggs, markmc, tross, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.6.2-19.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-04 12:38:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 480594    
Attachments:
Description Flags
email to libvir-list with patch none

Description David Lutterkort 2009-08-12 18:58:51 UTC 
Description of problem:

This is a variation on bz 507202


Version-Release number of selected component (if applicable):
libvirt-0.6.2-13.fc11.x86_64
up2date F11 machine

How reproducible:

Steps to Reproduce:
1. setsebool virt_use_nfs true
2. virsh start <some_vm> where VM's disk file lives on NFS directory mounted with default mount options, i.e. with label system_u:object_r:nfs_t:s0
  
Actual results:
virsh eventually complains

  error: Failed to start domain freebsd
  error: internal error Domain freebsd didn't show up

Expected results:
VM started successfully

Additional info:

In /var/log/libvirt/freebsd.log:

LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin /usr/bin/qemu-kvm -S -M pc -cpu qemu32 -m 512 -smp 1 -name freebsd -uuid fc951cd1-d725-75c8-c2f9-e5cffc8c4c9f -monitor pty -pidfile /var/run/libvirt/qemu//freebsd.pid -boot c -drive file=/data/iso/vm-freebsd.raw,if=ide,index=0,boot=on -net nic,macaddr=00:16:3e:78:a2:47,vlan=0 -net tap,fd=19,script=,vlan=0,ifname=vnet5 -serial none -parallel none -usb -vnc 0.0.0.0:2 
libvir: Security Labeling error : SELinuxSetFilecon: unable to set security context 'system_u:object_r:svirt_image_t:s0:c626,c811' on /data/iso/vm-freebsd.raw: Operation not supported.
libvir: QEMU error : internal error Failed to set security label

libvirt shouldn't even attempt to set the SELinux label since (a) the file is on NFS and (b) virt_use_nfs is on
Comment 1 Daniel Veillard 2009-08-12 21:19:01 UTC 
Didn't we fix that with more recent releases, i.e. don't try to relabel
if not needed, I'm pretty sure it should be in 0.7.0

Daniel
Comment 2 David Lutterkort 2009-08-13 17:47:59 UTC 
No, that was a different fix. The logic in the fix was 'if setfilecon fails, and the file already has the right label, ignore the error'

What I am talking about here is for NFS mounts, where the only way to get the right label is to specify it as a mount option; that's very clunky. Instead, SELinux offers a virt_use_nfs boolean which should make it possible to use images stored on NFS. Right now, libvirt gets in the way because it tries to setfilecon even for NFS files, which always fails.

The fix I suggest is to not try to setfilecon if a file is on NFS, and report an error only if the virt_use_nfs boolean is off (or just let SELinux report any problems)
Comment 3 Mark McLoughlin 2009-08-18 12:48:08 UTC 
I'd been telling people to mount with -o context="system_u:object_r:virt_content_t:s0" but that indeed does suck; the virt_use_nfs boolean is much nicer

There's some more discussion on this in bug #496340

danpb notes that we shouldn't fail to start a guest when we're in permissive mode either
Comment 4 Daniel Walsh 2009-08-18 14:14:00 UTC 
I would agree, just let SELinux report the problem and do not try to setfilecon on file systems that do not support xattrs.


You can now tell this in Rawhide by looking for the seclabel field in /proc/mounts.

if seclabel is not in the /proc/mounts field, libvirt should not try to set the label.  Then SELinux will either allow or deny the action.

setfilecon will fail if the mount point does not have this field.  (I believe).
Comment 5 Daniel Berrangé 2009-08-18 14:21:37 UTC 
Rather than groking  /proc/mounts, we can just catch & ignore ENOSYS  errno after setfilecon() call.
Comment 6 Daniel Walsh 2009-08-18 14:48:50 UTC 
Sounds good to me.  Does the kernel return this if you try to set the label on a files system that was setup with a mount context="CONTEXT"
Comment 7 Hugh Brock 2009-08-20 22:36:50 UTC 
Created attachment 358174 [details]
email to libvir-list with patch
Comment 8 Mark McLoughlin 2009-08-21 11:15:21 UTC 
*** Bug 507202 has been marked as a duplicate of this bug. ***
Comment 9 Mark McLoughlin 2009-09-03 16:16:10 UTC 
Here's what got committed:

  http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=777fc2e9d6
Comment 10 Alan Pevec 2009-09-16 10:42:10 UTC 
Included in libvirt-0.7.1-1 (in rawhide/F12 and virt-preview for F11)
Comment 11 Alan Pevec 2009-09-16 10:43:28 UTC 
*** Bug 516430 has been marked as a duplicate of this bug. ***
Comment 12 Mark McLoughlin 2009-09-21 13:11:39 UTC 
bz is against the F11 version, so we still need the fix in F11
Comment 13 Mark McLoughlin 2009-09-23 08:00:52 UTC 
*** Bug 507202 has been marked as a duplicate of this bug. ***
Comment 14 Mark McLoughlin 2009-10-09 10:20:18 UTC 
*** Bug 516430 has been marked as a duplicate of this bug. ***
Comment 15 Fedora Update System 2009-10-19 11:30:18 UTC 
libvirt-0.6.2-19.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/libvirt-0.6.2-19.fc11
Comment 16 Fedora Update System 2009-10-21 00:43:45 UTC 
libvirt-0.6.2-19.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libvirt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10615
Comment 17 Fedora Update System 2009-11-04 12:37:58 UTC 
libvirt-0.6.2-19.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.