Bug 731243
Summary: | Migration failed with unable to execute QEMU command 'getfd' | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | yanbing du <ydu> |
Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 6.2 | CC: | acathrow, dyuan, gren, jdenemar, mzhan, rwu, veillard, weizhan |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | libvirt-0.9.4-6.el6 | Doc Type: | Bug Fix |
Last Closed: | 2011-12-06 11:49:12 UTC | Type: | --- |
Bug Depends On: | 732417 | ||
Description
yanbing du
2011-08-17 06:49:39 UTC
The operation is denied by SELinux since the socket we pass from libvirtd to qemu is not correctly labeled:

avc: denied { read write } for pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket

And BTW, the libvirt version which doesn't work is libvirt-0.9.4-4.el6.x86_64

Sorry for the wrong libvirt version. Should be:
libvirt-0.9.4-4.el6.x86_64
qemu-kvm-0.12.1.2-2.183.el6
kernel-2.6.32-188.el6

I fixed libvirt to set correct label on the tcp socket passed to qemu but this attempt was denied by SELinux. So now the error when trying to migrate a domain is

error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c54,c853' on fd 22: Permission denied

and the following two messages appear in audit.log:

type=AVC msg=audit(1314013212.316:93716): avc: denied { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket

type=SYSCALL msg=audit(1314013212.316:93716): arch=c000003e syscall=190 success=no exit=-13 a0=16 a1=3ea2216239 a2=7f64441a43f0 a3=2c items=0 ppid=1 pid=19499 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Since we think SELinux shouldn't deny this, I filed bug 732417 for selinux-policy.
Patches that label the TCP socket in a correct way (and do not need any change in selinux-policy) were sent upstream: https://www.redhat.com/archives/libvir-list/2011-August/msg01312.html

Series sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-August/msg00657.html

Verify pass on
kernel-2.6.32-191.el6.x86_64
qemu-kvm-0.12.1.2-2.184.el6.x86_64
libvirt-0.9.4-6.el6.x86_64
Migration can succeed with no error.

But when testing migration with the --tunnelled flag, it failed with the same error. Do we need to report a new bug or just reassign this bug?

(In reply to comment #11)
> But when testing migration with the --tunnelled flag, it failed with the same error.
> Do we need to report a new bug or just reassign this bug?

We will report a new bug about it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1513.html
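
The two AVC records quoted in this report can be taken apart mechanically to show which domain touched an object carrying which label. The following Python script is an added example, not part of the original bug report or of libvirt; the function names and the triage labels are hypothetical.

```python
import re

# The two AVC records quoted in this bug report, one per line.
SAMPLE = [
    'avc: denied { read write } for pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket',
    'type=AVC msg=audit(1314013212.316:93716): avc: denied { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def triage(rec):
    """Hypothetical labels for the two failure modes seen in this bug."""
    if "relabelto" in rec["perms"]:
        return "relabel-denied"  # the caller may not set the target label
    if rec["tclass"].endswith("_socket") and rec["source"]["type"] != rec["target"]["type"]:
        return "foreign-socket-label"  # socket still carries another domain's label
    return "other"

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["source"]["type"], "->",
              rec["target"]["type"], rec["target"]["level"], triage(rec))
```

The first record shows qemu-kvm running as svirt_t with categories c54,c853 being refused a socket still labelled virtd_t; the second shows libvirtd itself being refused the relabel to svirt_image_t.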