Bug 675440
| Summary: | SELinux is preventing /usr/bin/virsh from using the 'setpcap' capabilities. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | thomas |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | berrange, clalance, crobinso, dwalsh, itamar, jforbes, mgrepl, veillard, virt-maint |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:83d940995909ab9ff5eb100ae18e777dd0899516fdaefd6d41ea037059c91a2c | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-01-24 21:52:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
thomas
2011-02-05 17:16:28 UTC
Issuing a "clusvcadm -M vm:<name> -m <target>" results in the setpcap denial reported at the beginning of the migration process (starting the source target qemu instance). The denial does not occur if the live migration is performed using the "# virsh migrate --live" command. The denial does not appear to prevent the migration from completing.

This indicates that virsh is dropping capabilities? Daniel, does it drop capabilities now?

virsh itself doesn't drop capabilities, but if it forks a helper program, there may be cases where it drops capabilities in between the fork+exec path. I can't remember if there are any such cases in virsh offhand though. What libvirt driver URI is being used by clusvcadm? It would help to get a debug trace by setting the env variables

LIBVIRT_LOG_FILTERS="1:libvirt 1:util"
LIBVIRT_LOG_OUTPUTS="1:file:/var/log/libvirt/virsh.log"

in clusvcadm when issuing the virsh commands.

I attempted to set the env variables in the shell where I executed the clusvcadm command, but got no output to a log file in /var/log/libvirt:

[root ~]# export LIBVIRT_LOG_FILTERS="1:libvirt 1:util"
[root ~]# export LIBVIRT_LOG_OUTPUTS="1:file:/var/log/libvirt/virsh.log"
[root ~]# env | grep LIBVIRT
LIBVIRT_LOG_FILTERS=1:libvirt 1:util
LIBVIRT_LOG_OUTPUTS=1:file:/var/log/libvirt/virsh.log
[root ~]# clusvcadm -M vm:vm1 -m host2
Trying to migrate vm:vm1 to host2...Success
[root ~]# clusvcadm -M vm:vm1 -m host1
Trying to migrate vm:vm1 to host1...Success
[root ~]# ls -lart /var/log/libvirt/
total 20
drwx------. 2 root root 4096 Aug 23 17:32 uml
drwx------. 2 root root 4096 Aug 23 17:32 lxc
drwx------. 5 root root 4096 Jan 31 01:02 .
drwx------. 2 root root 4096 Jan 31 15:28 qemu
drwxr-xr-x. 19 root root 4096 Feb 6 03:12 ..
[root ~]#

The alert says /usr/bin/virsh executed the prctl syscall resulting in a setpcap access check. Since it has setcap already I think we should add setpcap.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

F14 is EOL, please reopen if this is still relevant in a more recent Fedora.
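
The reading given in the thread (virsh executed prctl, which triggered a setpcap access check) comes from pairing an AVC record with the SYSCALL record of the same audit event. The following is an added example, not part of the bug report or of libvirt or setroubleshoot. The log lines, the `example_t` domain and the function name `capability_denials` are constructed for illustration.

```python
import re

# Constructed audit.log excerpt (not from the bug report); the domain
# "example_t", pids and event ids are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1296926188.101:4242): avc:  denied  { setpcap } for  pid=2345 comm="virsh" capability=8  scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability
type=SYSCALL msg=audit(1296926188.101:4242): arch=c000003e syscall=157 success=no exit=-1 a0=18 a1=8 a2=0 a3=0 items=0 ppid=2300 pid=2345 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:example_t:s0 key=(null)
type=AVC msg=audit(1296926190.555:4250): avc:  denied  { read } for  pid=2400 comm="cat" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

X86_64 = "c000003e"  # audit arch value for x86_64
SYSCALLS = {125: "capget", 126: "capset", 157: "prctl"}  # x86_64 subset

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for .*?comm="([^"]+)".*?'
                 r"scontext=(\S+) tcontext=\S+ tclass=(\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def capability_denials(log_text):
    """Pair each capability-class AVC with the SYSCALL record of its event."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        event = EVENT_ID.search(line)
        if not event:
            continue
        if line.startswith("type=AVC"):
            avc = AVC.search(line)
            if avc and avc.group(4).startswith("capability"):
                avcs.append((event.group(1), avc))
        elif line.startswith("type=SYSCALL"):
            syscalls[event.group(1)] = {k: v.strip('"') for k, v in FIELD.findall(line)}
    findings = []
    for event_id, avc in avcs:
        sc = syscalls.get(event_id, {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        name = SYSCALLS.get(nr, nr) if sc.get("arch") == X86_64 else nr
        findings.append({
            "event": event_id,
            "denied": avc.group(1).split(),
            "comm": avc.group(2), "exe": sc.get("exe"),
            "domain": avc.group(3).split(":")[2],
            "syscall": name,
            "syscall_succeeded": sc.get("success") == "yes",
        })
    return findings

if __name__ == "__main__":
    for finding in capability_denials(SAMPLE_LOG):
        print(finding)
```

The `syscall_succeeded` field shows whether the denied check actually made the call fail, which is the first thing to look at when a denial is logged but the operation still completes.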