Bug 731243
| Summary: | Migration failed with unable to execute QEMU command 'getfd' | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | yanbing du <ydu> |
| Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.2 | CC: | acathrow, dyuan, gren, jdenemar, mzhan, rwu, veillard, weizhan |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-0.9.4-6.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 11:49:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 732417 | ||
| Bug Blocks: | |||
|
Description
yanbing du
2011-08-17 06:49:39 UTC
The operation is denied by SELinux since the socket we pass from libvirtd to qemu is not correctly labeled:
avc: denied { read write } for pid=10369 comm="qemu-kvm" path="socket:[91003]" dev=sockfs ino=91003 scontext=system_u:system_r:svirt_t:s0:c54,c853 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tcp_socket
And BTW, the libvirt version which doesn't work is libvirt-0.9.4-4.el6.x86_64
Sorry for the wrong libvirt version. Should be: libvirt-0.9.4-4.el6.x86_64 qemu-kvm-0.12.1.2-2.183.el6 kernel-2.6.32-188.el6 I fixed libvirt to set correct label on the tcp socket passed to qemu but this attempt was denied by SELinux. So now the error when trying to migrate a domain is
error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c54,c853' on fd 22: Permission denied
and the following two messages appear in audit.log:
type=AVC msg=audit(1314013212.316:93716): avc: denied { relabelto } for pid=19499 comm="libvirtd" name="" dev=sockfs ino=636054 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c54,c853 tclass=tcp_socket
type=SYSCALL msg=audit(1314013212.316:93716): arch=c000003e syscall=190 success=no exit=-13 a0=16 a1=3ea2216239 a2=7f64441a43f0 a3=2c items=0 ppid=1 pid=19499 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
Since we think SELinux shouldn't deny this, I filed bug 732417 for selinux-policy.
Patches that label the TCP socket in a correct way (and do not need any change in selinux-policy) were sent upstream: https://www.redhat.com/archives/libvir-list/2011-August/msg01312.html Series sent to rhvirt-patches: http://post-office.corp.redhat.com/archives/rhvirt-patches/2011-August/msg00657.html verify pass on kernel-2.6.32-191.el6.x86_64 qemu-kvm-0.12.1.2-2.184.el6.x86_64 libvirt-0.9.4-6.el6.x86_64 migration can succeed with no error But when test migration with --tunnelled flag, it failed with the same error. Do we need to report a new bug or just reassign this bug? (In reply to comment #11) > But when test migration with --tunnelled flag, it failed with the same error. > Do we need to report a new bug or just reassign this bug? we will report a new bug about it. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html |