Bug 734000

Summary: RFE: static label should use libvirt relabel=yes by default
Product: [Community] Virtualization Tools Reporter: zhe peng <zpeng>
Component: virt-managerAssignee: Cole Robinson <crobinso>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: berrange, bsarathy, crobinso, cwei, jwu, mzhan, xen-maint
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 733996 Environment:
Last Closed: 2014-01-28 17:08:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 733996    
Bug Blocks:    

Description zhe peng 2011-08-29 06:59:07 UTC
+++ This bug was initially created as a clone of Bug #733996 +++

Created attachment 520296 [details]
full debug info

Description of problem:
can set relabel option for security driver setting when install vm.


Version-Release number of selected component (if applicable):
python-virtinst-0.600.0-2.el6.noarch
libvirt-0.9.4-5.el6
virt-manager-0.9.0-5.el6


How reproducible:
always

Steps to Reproduce:
1.install a vm with static security settings.
1.# virt-install -n demo -r 1024 -f /var/lib/libvirt/images/test.img -s 5 --security type=static,label='system_u:system_r:svirt_t:s0:c100,c200' -c /dev/cdrom --debug
.........
Mon, 29 Aug 2011 02:03:29 ERROR    internal error Process exited while reading console log output: char device redirected to /dev/pts/8
qemu-kvm: -drive file=/var/lib/libvirt/images/demo.img,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/demo.img: Permission denied

Mon, 29 Aug 2011 02:03:29 DEBUG    Traceback (most recent call last):
  File "/usr/sbin/virt-install", line 620, in start_install
    noboot=options.noreboot)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1223, in start_install
    noboot)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 1291, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 1966, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error Process exited while reading console log output: char device redirected to /dev/pts/8
qemu-kvm: -drive file=/var/lib/libvirt/images/demo.img,if=none,id=drive-ide0-0-0,format=raw,cache=none: could not open disk image /var/lib/libvirt/images/demo.img: Permission denied

install will failed with Permission denied.

if have an existing image file,with correctly security label,the install will successful.mention in bug:https://bugzilla.redhat.com/show_bug.cgi?id=698085#c9

for libvirt ,there have a new attribute "relabel=yes",refer to http://libvirt.org/formatdomain.html#seclabel

so, customer need setting static security label without having an existing image file when install a new vm.
like command line:
# virt-install -n demo -r 1024 -f /var/lib/libvirt/images/test.img -s 5 --security type=static,relable=yes,label='system_u:system_r:svirt_t:s0:c100,c200' -c /dev/cdrom --debug


  
Actual results:
see Steps to Reproduce

Expected results:
should install vm successful with static security label if not have existing image file.

Additional info:

Comment 2 Cole Robinson 2011-12-09 22:38:41 UTC
While using relable=true by default is definitely more user friendly, manual labelling isn't a commonly used feature so not that urgent. And given reduced capacity for virt-manager/virtinst, just moving this to the upstream tracker.

Comment 3 Cole Robinson 2014-01-28 17:08:06 UTC
Making this change is a bit of a pain. Given that I think very few people depend on static labelling, and libvirt doesn't default to relabel=yes, I don't want to change this in virt-install. Closing as WONTFIX