Bug 688853

Summary: PCI devices resource's sVirt label is different as set in virt-manager Security page.
Product: [Community] Virtualization Tools Reporter: wangyimiao <yimwang>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: crobinso, dyuan, eblake, tools-bugs, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-23 12:17:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description wangyimiao 2011-03-18 09:06:04 UTC 
Description of problem:
PCI devices resource's sVirt label is different as set in virt-manager Security page.

Version-Release number of selected component (if applicable):
libvirt-0.8.7-13.el6.x86_64
qemu-img-0.12.1.2-2.150.el6.x86_64
qemu-kvm-0.12.1.2-2.150.el6.x86_64
virt-manager-0.8.6-3.el6.noarch
kernel-2.6.32-122.el6.x86_64
selinux-policy-targeted-3.7.19-78.el6.noarch

How reproducible:
5/5

Steps to Reproduce:
1.Prepare an VM which is not running .
#setenforce 1

2.Issue "virt-manager" to open virt-manager UI.

3.Select the existing VM, then "open" -> "details" -> "Overview" -> "Security"

4.Select "static" option, then specify a label,and apply it.

such as: "system_u:system_r:svirt_t:s0:c100,c200"

5.Change context of guest image file, such as:

# chcon system_u:object_r:svirt_image_t:s0:c100,c200 /var/lib/libvirt/images/nfs_test.img

6.Check the NIC node device.

#  virsh nodedev-list --tree|more
computer
 |
  +- net_lo_00_00_00_00_00_00
  +- net_virbr0_nic_52_54_00_f6_8a_ba
  +- net_vnet0_fe_54_00_ae_6e_74
  +- pci_0000_00_00_0
  +- pci_0000_00_01_0
  |   |
  |   +- pci_0000_01_00_0
  |     
  +- pci_0000_00_03_0
  +- pci_0000_00_03_2
  +- pci_0000_00_03_3
  +- pci_0000_00_19_0
  |   |
  |   +- net_eth0_00_21_9b_7d_f9_71
  |     
.....................................

7.Add the following lines to domain xml.

<hostdev mode='subsystem' type='pci' managed='yes'>
 <source>
  <address bus='0' slot='0x19' function='0'/>
 </source>
</hostdev>

8. Start the vm

9. Check svirt label of the qemu-kvm process.
# ps -efZ|grep qemu-kvm
system_u:system_r:svirt_t:s0:c100,c200 qemu 4227   1 35 11:46 ?      
................................

10.Check the context of pci device is the same as the context of qemu-kvm process
# ll -Z /sys/bus/pci/devices/0000:00:19.0/resource
-r--r--r--. qemu qemu system_u:object_r:sysfs_t:s0     /sys/bus/pci/devices/0000:00:19.0/resource

  
Actual results:
PCI devices resource's sVirt label is different as set in virt-manager Security page.

Expected results:
PCI devices resource's sVirt label should be same as set in virt-manager Security page.
Comment 1 RHEL Program Management 2011-04-04 02:06:31 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 4 Cole Robinson 2016-03-23 12:17:10 UTC 
virt-manager doesn't have a security page anymore, and I suspect this is long since fixed, so closing