Bug 678995

Summary: Can not restore domain from root_squashing nfs export even if qemu gid matches nfs
Product: Red Hat Enterprise Linux 6
Reporter: wangyimiao <yimwang>
Component: libvirt
Assignee: Laine Stump <laine>
Status: CLOSED NOTABUG
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 6.1
CC: dyuan, eblake, gren, jyang, laine, llim, xen-maint
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-22 06:54:24 UTC

Description wangyimiao 2011-02-21 08:49:06 UTC
Description of problem:
Can not restore domain from root_squashing nfs export even if qemu gid matches nfs

Version-Release number of selected component (if applicable):
libvirt-0.8.7-7.el6.x86_64
qemu-kvm-0.12.1.2-2.145.el6.x86_64
qemu-img-0.12.1.2-2.145.el6.x86_64
kernel-2.6.32-113.el6.x86_64

How reproducible:
5/5

Steps to Reproduce:

On nfs server:
1. Create a shared directory
# mkdir /tmp/test
2. Set ownership to vdsm:qemu
# chown 501:107 /tmp/test/
# chmod 775 /tmp/test/
3. Check the exports file:
# cat /etc/exports
/tmp/test *(rw,root_squash,async)

On RHEL6.1 client:
1. setsebool -P virt_use_nfs 1
2. Start a domain with "qemu" user.
3. Mount the nfs shared directory.
# mount -o vers=3 10.66.93.159:/tmp/test /mnt/ddd
# ll -d /mnt/ddd
drwxrwxr-x. 2 vsdm qemu 4096 Feb 18 09:18 /mnt/ddd
4. Save the domain to /mnt/ddd/saved
# virsh save rhel6 /mnt/ddd/saved
Domain rhel6 saved to /mnt/ddd/saved
5. Restore the domain
# virsh restore  /mnt/ddd/saved
error: Failed to restore domain from /mnt/ddd/saved
error: cannot close file: Bad file descriptor
  
Actual results:
Can not restore domain from root_squashing nfs export even if qemu gid matches nfs.

Expected results:
Restore should be successful.

Additional info:
NOTE: If the command "setenforce 0" is run on the client host, restore will be successful.
1. # setenforce 0
2. # virsh restore  /mnt/ddd/saved
Domain restored from /mnt/ddd/saved

Comment 1 Laine Stump 2011-02-21 15:26:14 UTC
Please post the version of selinux-policy on the machine, as well as the AVCs that are issued (leave setenforce 0 so we can see the entire list). I'm still suspicious that this is the same as Bug 667756, which was fixed by both a libvirt change and an selinux-policy change.

Comment 2 Osier Yang 2011-02-22 06:07:22 UTC
[root@dhcp-93-206 ~]# ausearch -m avc
----
time->Tue Feb 22 05:53:49 2011
type=SYSCALL msg=audit(1298372029.770:46679): arch=c000003e syscall=190 success=no exit=-13 a0=19 a1=7f15a3108d59 a2=7f157c000920 a3=2d items=0 ppid=1 pid=16996 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1298372029.770:46679): avc:  denied  { relabelfrom } for  pid=16996 comm="libvirtd" name="" dev=pipefs ino=517095 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
----
time->Tue Feb 22 05:55:40 2011
type=SYSCALL msg=audit(1298372140.450:46695): arch=c000003e syscall=190 success=yes exit=0 a0=19 a1=7f15a3108d59 a2=7f1584013e10 a3=2d items=0 ppid=1 pid=16995 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1298372140.450:46695): avc:  denied  { relabelfrom } for  pid=16995 comm="libvirtd" name="" dev=pipefs ino=530904 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
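
An added example (not part of the original bug report and not libvirt code): a short Python parser that pairs each AVC record above with its SYSCALL record by audit serial, to show which denial was actually enforced. The record text is abridged from comment 2; the function names and the x86_64 syscall-number table are this example's own.

```python
import re

# Audit records abridged from comment 2 (SYSCALL lines trimmed to the fields used here).
SAMPLE = """\
type=SYSCALL msg=audit(1298372029.770:46679): arch=c000003e syscall=190 success=no exit=-13 a0=19 pid=16996 comm="libvirtd"
type=AVC msg=audit(1298372029.770:46679): avc:  denied  { relabelfrom } for  pid=16996 comm="libvirtd" name="" dev=pipefs ino=517095 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
type=SYSCALL msg=audit(1298372140.450:46695): arch=c000003e syscall=190 success=yes exit=0 a0=19 pid=16995 comm="libvirtd"
type=AVC msg=audit(1298372140.450:46695): avc:  denied  { relabelfrom } for  pid=16995 comm="libvirtd" name="" dev=pipefs ino=530904 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# x86_64 (arch=c000003e) syscall numbers of the xattr calls used to set a label
XATTR_SYSCALLS = {"188": "setxattr", "189": "lsetxattr", "190": "fsetxattr"}

def type_of(context):
    """Return the SELinux type (third field) of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Group records by audit serial and describe each AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":
            perms = PERMS.search(rest)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc:
            continue
        out.append({
            "serial": serial,
            "perms": avc["perms"],
            "source": type_of(avc["scontext"]),
            "target": type_of(avc["tcontext"]),
            "tclass": avc["tclass"],
            "dev": avc.get("dev"),
            "syscall": XATTR_SYSCALLS.get(sc.get("syscall"), sc.get("syscall")),
            # An AVC whose syscall still succeeded was logged but not enforced.
            "blocked": sc.get("success") == "no",
        })
    return out
```

For both events it reports relabelfrom on a pipefs fifo_file through fsetxattr, with virtd_t as both source and target type. The first was blocked (exit=-13, EACCES); the second was only logged while the syscall succeeded, which is what a host in permissive mode produces.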

Comment 3 wangyimiao 2011-02-22 06:13:10 UTC
SELinux version:
1.
[root@dhcp-93-206 images]# rpm -qa|grep selinux
libselinux-2.0.94-2.el6.x86_64
libselinux-utils-2.0.94-2.el6.x86_64
selinux-policy-3.7.19-67.el6.noarch
libselinux-python-2.0.94-2.el6.x86_64
selinux-policy-targeted-3.7.19-67.el6.noarch

Comment 4 Osier Yang 2011-02-22 06:35:50 UTC
Your selinux-policy doesn't contain the change mentioned by @laine in #c2 (note that the change has been included since selinux-policy-3.7.19-68). So please update selinux-policy and try again.

Comment 5 wangyimiao 2011-02-22 06:54:24 UTC
After following comment 4, the restore issue no longer exists. So I will close it as "not a bug".