Bug 852668
| Summary: | libvirt got security label parse error with xml | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Wayne Sun <gsun> |
| Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | acathrow, dyasny, dyuan, honzhang, mzhan, rwu, whuang, yupzhang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-0.10.1-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 07:22:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Wayne Sun
2012-08-29 08:53:01 UTC
can not create snapshot get the same error libvirt-0.10.0-1.el6.x86_64 # virsh snapshot-create-as rc0 s10-1 --disk-only error: XML error: missing security model when using multiple labels [root@intel-q9400-4-2 rpms]# virsh snapshot-create-as rc0 s10-1 error: XML error: missing security model when using multiple labels This is now fixed upstream by v0.10.0-32-g86e205a (in v0.10.1):
commit 86e205a24fbfaec75df7ffedbb6418d9ed9dbd1c
Author: Marcelo Cerri <mhcerri.ibm.com>
Date: Fri Aug 31 13:40:40 2012 +0200
conf: Fix parsing of seclabels without model
With this patch libvirt tries to assign a model to a single seclabel
when model is missing. Libvirt will look up at host's capabilities and
assign the first model to seclabel.
This patch fixes:
1. The problem with existing guests that have a seclabel defined in its XML.
2. A XML parse error when a guest is restored.
pks:
libvirt-0.10.1-1.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.297.el6_3.x86_64
kernel-2.6.32-279.el6.x86_64
steps:
1. start a guest
# virsh start libvirt_test_api
Domain libvirt_test_api started
2. check xml
# virsh dumpxml libvirt_test_api
...
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c535,c601</label>
<imagelabel>unconfined_u:object_r:svirt_image_t:s0:c535,c601</imagelabel>
</seclabel>
...
By default, only one selinux seclabel now.
3. save/restore domain
# virsh save libvirt_test_api /tmp/save.6
Domain libvirt_test_api saved to /tmp/save.6
# virsh restore /tmp/save.6
Domain restored from /tmp/save.6
# virsh list --all
Id Name State
----------------------------------------------------
5 libvirt_test_api running
4. create sanpshot
# virsh snapshot-create-as libvirt_test_api snap-01 --disk-only
Domain snapshot snap-01 created
5. add dac static label
# virsh edit libvirt_test_api
...
<seclabel type='static' model='dac' relabel='yes'>
<label>107:107</label>
<imagelabel>107:107</imagelabel>
</seclabel>
...
the domain can be started, save/restore and snapshot also works fine.
So, this is fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html |