| Summary: | virt-install:set static security label not take effect for guest | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | zhe peng <zpeng> |
| Component: | python-virtinst | Assignee: | Cole Robinson <crobinso> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | dyuan, hjiang, mzhan, nzhang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: Specifying a static selinux label via virt-install did not build a correct guest configuration. Consequence: The static selinux label did not take effect for the guest. Fix: Generate correct configuration. Result: Static labels work. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 16:16:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Please provide the output of virt-install --debug (also please do so for any future virt-* bug reports)

Actually, I can reproduce, so no need for --debug output

Fixed upstream:
http://git.fedorahosted.org/git?p=python-virtinst.git;a=commit;h=7d13024da60ad9f7b2123783a71ed061721c3793

Fixed in python-virtinst-0.600.0-1.el6

Could still reproduce this bug in the following components:
python-virtinst-0.600.0-1.el6.
libvirt-0.9.4-0rc1.el6.x86_64
kernel-2.6.32-171.el6.x86_64
qemu-kvm-0.12.1.2-2.174.el6.x86_64

How reproducible:
always

Steps to Reproduce:
# virt-install -n demo -r 512 -f /var/lib/libvirt/images/demo.img -s 5 -c /dev/cdrom --security type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200'

Starting install...
ERROR internal error Process exited while reading console log output: libvir: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied

Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///system start demo
otherwise, please restart your installation.

(In reply to comment #6)
> Could still reproduce this bug in the following components:
> python-virtinst-0.600.0-1.el6.
> libvirt-0.9.4-0rc1.el6.x86_64
> kernel-2.6.32-171.el6.x86_64
> qemu-kvm-0.12.1.2-2.174.el6.x86_64
> How reproducible:
> always
>
> Steps to Reproduce:

When I reproduced this bug using the above packages, I met the following problem, so whether this bug has been fixed or not is unknown to me (sorry for comment 6). The following error message is a new problem about this bug. So set the bug status to ASSIGNED.

>
> # virt-install -n demo -r 512 -f /var/lib/libvirt/images/demo.img -s 5 -c
> /dev/cdrom --security
> type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200'
>
> Starting install...
> ERROR internal error Process exited while reading console log output:
> libvir: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
>
> Domain installation does not appear to have been successful.
> If it was, you can restart your domain by running:
> virsh --connect qemu:///system start demo
> otherwise, please restart your installation.

The initial report said that even if the user specified --security type=static we would still generate XML with type=dynamic. You should be able to confirm that virt-install did the correct thing by specifying --debug and checking that the generated XML has <seclabel type='static' in it.

That said, there might be other issues here, but those would be separate bugs.

verified with the following components:
python-virtinst-0.600.0-2.el6.noarch
libvirt-0.9.4-0rc1.2.el6.x86_64
qemu-kvm-0.12.1.2-2.175.el6.x86_64
kernel-2.6.32-171.el6.x86_64
Steps:
1.chcon system_u:object_r:svirt_image_t:s0:c100,c200 /var/lib/libvirt/images/test.img
2. virt-install -n test -r 512 -f /var/lib/libvirt/images/test.img --import --security type=static,label='system_u:system_r:svirt_t:s0:c100,c200' --debug
...
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c100,c200</label>
</seclabel>
...
3. virsh dumpxml test
...
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c100,c200</label>
</seclabel>
...
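
The confirmation described in the comments above (the XML must carry `<seclabel type='static'` with the label the user asked for), as an added example that is not part of the bug report or of python-virtinst. `check_seclabel`, `mcs_level` and the `<domain>` wrappers around the seclabel fragments quoted on this page are constructed for illustration; the block also compares the image's MCS level with the label, since with relabel='no' libvirt leaves the image's context untouched and it has to be set by hand as in step 1.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: seclabel fragments quoted in this report, wrapped in a minimal <domain>.
BUGGY_XML = ("<domain type='kvm'><name>demo</name>"
             "<seclabel type='dynamic' model='selinux'>"
             "<label>system_u:system_r:svirt_t:s0:c67,c414</label>"
             "<imagelabel>system_u:object_r:svirt_image_t:s0:c67,c414</imagelabel>"
             "</seclabel></domain>")
FIXED_XML = ("<domain type='kvm'><name>test</name>"
             "<seclabel type='static' model='selinux' relabel='no'>"
             "<label>system_u:system_r:svirt_t:s0:c100,c200</label>"
             "</seclabel></domain>")

def mcs_level(context):
    """Return the level part (e.g. 's0:c100,c200') of user:role:type:level."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not a full SELinux context: %r" % context)
    return parts[3]

def check_seclabel(domain_xml, requested_label, image_context=None):
    """Return a list of problems; an empty list means the static label took effect."""
    sec = ET.fromstring(domain_xml).find("seclabel")
    if sec is None:
        return ["no <seclabel> element in domain XML"]
    problems = []
    if sec.get("type") != "static":
        problems.append("seclabel type is %r, expected 'static'" % sec.get("type"))
    label = (sec.findtext("label") or "").strip()
    if label != requested_label:
        problems.append("label is %r, expected %r" % (label, requested_label))
    # relabel='no': the disk image keeps whatever context it already has,
    # so its MCS level must already match the guest process label.
    if image_context and sec.get("relabel") == "no":
        if mcs_level(image_context) != mcs_level(requested_label):
            problems.append("image level %r does not match label level %r"
                            % (mcs_level(image_context), mcs_level(requested_label)))
    return problems

if __name__ == "__main__":
    wanted = "system_u:system_r:svirt_t:s0:c100,c200"
    image = "system_u:object_r:svirt_image_t:s0:c100,c200"  # context set by chcon in step 1
    print("fixed:", check_seclabel(FIXED_XML, wanted, image))
    print("buggy:", check_seclabel(
        BUGGY_XML, "system_u:object_r:svirt_image_t:s0:c100,c200"))
```

Feed it the output of `virsh dumpxml <guest>` and the image context shown by `ls -Z` to run the same check on a real guest.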
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1643.html

Description of problem:
set static security label not take effect for guest

Version-Release number of selected component (if applicable):
python-virtinst-0.500.5-3.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. # virt-install -n demo -r 512 -f /tmp/img/rhel6_x86_64_qcow2.img --import --security type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200'
2. # virsh dumpxml demo

Actual results:
........
<seclabel type='dynamic' model='selinux'>
<label>system_u:system_r:svirt_t:s0:c67,c414</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c67,c414</imagelabel>
</seclabel>
........

Expected results:
security type should be 'static', and the label is same with settings by user.

Additional info: