Bug 853043
Summary: | guest can't start with unable to set security context error if guests are unconfined | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Wayne Sun <gsun> |
Component: | libvirt | Assignee: | Peter Krempa <pkrempa> |
Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | high | | |
Version: | 6.4 | CC: | acathrow, dallan, dyasny, dyuan, gsun, mzhan, rwu, ydu, zhwang |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | libvirt-0.10.1-1.el6 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 823857 | Environment: | |
Last Closed: | 2013-02-21 07:22:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 823857 | | |
Bug Blocks: | | | |
Comment 3
Peter Krempa
2012-08-30 15:01:41 UTC
pkgs
# rpm -qa|grep libvirt
libvirt-0.10.1-1.el6.x86_64

steps
1. Make sure selinux is Enforcing
# getenforce
Enforcing

2. Before setting security_default_confined, prepare a guest, and start it, then check the guest's seclabel
# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>

3. Set security_default_confined=0 in qemu.conf and restart libvirtd

4. Recheck the guest's seclabel
# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>

5. Destroy the guest, and restart it
# virsh start tesredhat
Domain tesredhat started

# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='none' model='selinux'/>
</domain>

6. # ll -Z /var/lib/libvirt/images/tesredhat.img
-rw-r-xr-x. qemu qemu system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/tesredhat.img

7. # virsh dumpxml tesredhat --inactive |grep seclabel -A 3

BTW I can reproduce this bug in the pkg libvirt-0.10.0-1.el6.x86_64

As in step 5&6, guest can start normally

So, this is fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html
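
The seclabel checks in steps 2, 5 and 7 can be automated when auditing which guests run without sVirt confinement. The following is an added example, not part of the bug report or of libvirt; the function names and result strings are hypothetical, and the XML samples are constructed from the `virsh dumpxml` output quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the dumpxml output in steps 2 and 5.
CONFINED_XML = """<domain type='kvm'>
  <name>tesredhat</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>"""

UNCONFINED_XML = """<domain type='kvm'>
  <name>tesredhat</name>
  <seclabel type='none' model='selinux'/>
</domain>"""

# Trailing "<sensitivity>:<categories>" part of an SELinux context.
MCS = re.compile(r":(s\d+(?:-s\d+)?):(c\d+(?:[,.]c\d+)*)$")


def mcs_of(label):
    """Return the MCS category part of an SELinux context, or None."""
    m = MCS.search((label or "").strip())
    return m.group(2) if m else None


def confinement(domain_xml, model="selinux"):
    """Classify domain XML: confined, unconfined, review or no-seclabel."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        if sec.get("model") != model:
            continue
        if sec.get("type") == "none":
            return "unconfined"          # step 5: guest runs without a label
        proc = mcs_of(sec.findtext("label"))
        image = mcs_of(sec.findtext("imagelabel"))
        # The process and its image carry the same category pair in the
        # quoted output; a missing or different pair is flagged for review.
        return "confined" if proc and proc == image else "review"
    # Step 7: the inactive XML may carry no seclabel element at all.
    return "no-seclabel"


if __name__ == "__main__":
    for xml in (CONFINED_XML, UNCONFINED_XML):
        print(confinement(xml))
```

Feed it the output of `virsh dumpxml <guest>` for a running guest; the inactive XML can legitimately return `no-seclabel`, as step 7 shows.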