Bug 734000

Summary:	RFE: static label should use libvirt relabel=yes by default
Product:	[Community] Virtualization Tools	Reporter:	zhe peng <zpeng>
Component:	virt-manager	Assignee:	Cole Robinson <crobinso>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	berrange, bsarathy, crobinso, cwei, jwu, mzhan, xen-maint
Target Milestone:	---	Keywords:	FutureFeature
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Enhancement
Doc Text:		Story Points:	---
Clone Of:	733996	Environment:
Last Closed:	2014-01-28 17:08:06 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:	733996
Bug Blocks:

Description zhe peng 2011-08-29 06:59:07 UTC

+++ This bug was initially created as a clone of Bug #733996 +++

Created attachment 520296 [details]
full debug info

Description of problem:
can set relabel option for security driver setting when install vm.


Version-Release number of selected component (if applicable):
python-virtinst-0.600.0-2.el6.noarch
libvirt-0.9.4-5.el6
virt-manager-0.9.0-5.el6


How reproducible:
always

Steps to Reproduce:
1.install a vm with static security settings.
1.# virt-install -n demo -r 1024 -f /var/lib/libvirt/images/test.img -s 5 --security type=static,label='system_u:system_r:svirt_t:s0:c100,c200' -c /dev/cdrom --debug
.........
Mon, 29 Aug 2011 02:03:29 ERROR    internal error Process exited while reading console log output: char device redirected to /dev/pts/8
qemu-kvm: -drive file=/var/lib/libvirt/images/demo.img,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/demo.img: Permission denied

Mon, 29 Aug 2011 02:03:29 DEBUG    Traceback (most recent call last):
  File "/usr/sbin/virt-install", line 620, in start_install
    noboot=options.noreboot)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1223, in start_install
    noboot)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1291, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 1966, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error Process exited while reading console log output: char device redirected to /dev/pts/8
qemu-kvm: -drive file=/var/lib/libvirt/images/demo.img,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/demo.img: Permission denied

install will failed with Permission denied.

if have an existing image file,with correctly security label,the install will successful.mention in bug:https://bugzilla.redhat.com/show_bug.cgi?id=698085#c9

for libvirt ,there have a new attribute "relabel=yes",refer to http://libvirt.org/formatdomain.html#seclabel

so, customer need setting static security label without having an existing image file when install a new vm.
like command line:
# virt-install -n demo -r 1024 -f /var/lib/libvirt/images/test.img -s 5 --security type=static,relable=yes,label='system_u:system_r:svirt_t:s0:c100,c200' -c /dev/cdrom --debug


  
Actual results:
see Steps to Reproduce

Expected results:
should install vm successful with static security label if not have existing image file.

Additional info:

Comment 2 Cole Robinson 2011-12-09 22:38:41 UTC

While using relable=true by default is definitely more user friendly, manual labelling isn't a commonly used feature so not that urgent. And given reduced capacity for virt-manager/virtinst, just moving this to the upstream tracker.

Comment 3 Cole Robinson 2014-01-28 17:08:06 UTC

Making this change is a bit of a pain. Given that I think very few people depend on static labelling, and libvirt doesn't default to relabel=yes, I don't want to change this in virt-install. Closing as WONTFIX