Bug 852668
Summary: | libvirt got security label parse error with xml | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Wayne Sun <gsun> |
Component: | libvirt | Assignee: | Jiri Denemark <jdenemar> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.4 | CC: | acathrow, dyasny, dyuan, honzhang, mzhan, rwu, whuang, yupzhang |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | libvirt-0.10.1-1.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 07:22:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Wayne Sun
2012-08-29 08:53:01 UTC
can not create snapshot get the same error libvirt-0.10.0-1.el6.x86_64 # virsh snapshot-create-as rc0 s10-1 --disk-only error: XML error: missing security model when using multiple labels [root@intel-q9400-4-2 rpms]# virsh snapshot-create-as rc0 s10-1 error: XML error: missing security model when using multiple labels This is now fixed upstream by v0.10.0-32-g86e205a (in v0.10.1): commit 86e205a24fbfaec75df7ffedbb6418d9ed9dbd1c Author: Marcelo Cerri <mhcerri.ibm.com> Date: Fri Aug 31 13:40:40 2012 +0200 conf: Fix parsing of seclabels without model With this patch libvirt tries to assign a model to a single seclabel when model is missing. Libvirt will look up at host's capabilities and assign the first model to seclabel. This patch fixes: 1. The problem with existing guests that have a seclabel defined in its XML. 2. A XML parse error when a guest is restored. pks: libvirt-0.10.1-1.el6.x86_64 qemu-kvm-rhev-0.12.1.2-2.297.el6_3.x86_64 kernel-2.6.32-279.el6.x86_64 steps: 1. start a guest # virsh start libvirt_test_api Domain libvirt_test_api started 2. check xml # virsh dumpxml libvirt_test_api ... <seclabel type='dynamic' model='selinux' relabel='yes'> <label>unconfined_u:system_r:svirt_t:s0:c535,c601</label> <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c535,c601</imagelabel> </seclabel> ... By default, only one selinux seclabel now. 3. save/restore domain # virsh save libvirt_test_api /tmp/save.6 Domain libvirt_test_api saved to /tmp/save.6 # virsh restore /tmp/save.6 Domain restored from /tmp/save.6 # virsh list --all Id Name State ---------------------------------------------------- 5 libvirt_test_api running 4. create sanpshot # virsh snapshot-create-as libvirt_test_api snap-01 --disk-only Domain snapshot snap-01 created 5. add dac static label # virsh edit libvirt_test_api ... <seclabel type='static' model='dac' relabel='yes'> <label>107:107</label> <imagelabel>107:107</imagelabel> </seclabel> ... the domain can be started, save/restore and snapshot also works fine. So, this is fixed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html |