Bug 858104

Summary: Security context error when starting LXC domain via virsh
Product: [Fedora] Fedora
Component: libvirt
Version: 17
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: James R. Leu <jleu>
Assignee: Libvirt Maintainers <libvirt-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, clalancette, crobinso, dyasny, itamar, jforbes, jyang, laine, libvirt-maint, veillard, virt-maint
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-10-27 13:00:06 EDT
Attachments:
* LXC XML file
* Patch that implements the change suggested by berrange

Description James R. Leu 2012-09-17 21:14:35 EDT
Created attachment 613833
LXC XML file

Description of problem:
Unable to start LXC container using a working XML config from previous version of libvirt.

error: Failed to start domain foo0
error: internal error guest failed to start: 2012-09-18 00:59:42.992+0000: 4113: info : libvirt version: 0.9.11.5, package: 3.fc17 (Fedora Project, 2012-08-22-14:23:38, )
2012-09-18 00:59:42.992+0000: 4113: error : lxcControllerRun:1486 : Failed to query file context on /home/foo: No data available


Version-Release number of selected component (if applicable):
libvirt version: 0.9.11.5

How reproducible:
I cannot get any LXC domains to start with selinux=disabled

Steps to Reproduce:
1. Create a working LXC XML config on RHEL 5.8, libvirt 0.9.10
2. Use the same config on F17, libvirt 0.9.11.5
3.
  
Actual results:
Error above

Expected results:
LXC domain should start

Additional info:
I have selinux=disabled on both RHEL and F17
Comment 1 Daniel Berrange 2012-09-18 09:55:35 EDT
The problem is this code in lxc_controller.c which should also check for the ENODATA error code

#if HAVE_SELINUX
        if (getfilecon(root->src, &con) < 0 &&
            errno != ENOTSUP) {
            virReportSystemError(errno,
                                 _("Failed to query file context on %s"),
                                 root->src);
            goto cleanup;
        }
#endif

In libvirt 0.10.0 or later, this code has actually been removed now.
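
Added example (not libvirt's code and not the attached patch): a Linux-only sketch of the errno handling discussed in comment 1, contrasting the quoted check with one that also tolerates ENODATA. The names fatal_before, fatal_after and query_file_label are hypothetical, and the sketch reads the security.selinux extended attribute directly with getxattr(), which is the attribute getfilecon() reads, so that it builds without libselinux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

enum label_status { LABEL_ERROR = -1, LABEL_PRESENT = 0, LABEL_ABSENT = 1 };

/* Check as quoted in comment 1: only ENOTSUP is tolerated. */
static int fatal_before(int err) { return err != ENOTSUP; }

/* Suggested check: ENODATA (the file carries no label) is tolerated too. */
static int fatal_after(int err) { return err != ENOTSUP && err != ENODATA; }

/* Hypothetical helper: read the label xattr and classify the outcome.
 * A missing label is reported as LABEL_ABSENT, not as a failure; any
 * other errno (ENOENT, EACCES, ...) is still a real error. */
static enum label_status query_file_label(const char *path, char *buf, size_t len)
{
    ssize_t n = getxattr(path, "security.selinux", buf, len - 1);

    if (n >= 0) {
        buf[n] = '\0';
        return LABEL_PRESENT;
    }
    buf[0] = '\0';
    return fatal_after(errno) ? LABEL_ERROR : LABEL_ABSENT;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    char label[256];

    switch (query_file_label(path, label, sizeof(label))) {
    case LABEL_PRESENT:
        printf("%s: label %s\n", path, label);
        return 0;
    case LABEL_ABSENT:
        printf("%s: no label stored, continuing unlabelled\n", path);
        return 0;
    default:
        fprintf(stderr, "Failed to query file context on %s: %s\n",
                path, strerror(errno));
        return 1;
    }
}
```
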
Comment 2 James R. Leu 2012-09-21 09:20:28 EDT
Created attachment 615417
Patch that implements the change suggested by berrange
Comment 3 Daniel Berrange 2012-09-21 09:26:14 EDT
Looks fine as something to cherry-pick into Fedora 17 only. Moving to POST so Cole sees it with next Fedora update
Comment 4 James R. Leu 2012-10-01 09:49:12 EDT
FYI I've encountered the same issue when trying to migrate from RHEL 5.8 to RHEL 6.3.  I used the same SRPM with the patch from above to build a set of RPMs that work on RHEL 6.3.  Unfortunately this will not work well going forward, because now I'm out of sync with RHEL 6.

Should I create a new bug for RHEL 6?
Comment 5 Cole Robinson 2012-10-07 16:48:13 EDT
(In reply to comment #4)
> FYI I've encountered the same issue when trying to migrate from RHEL 5.8 to
> RHEL 6.3.  I used the same SRPM with the patch from above to build a set of
> RPMs that work on RHEL 6.3.  Unfortunately this will not work well going
> forward, because now I'm out of sync with RHEL 6.
> 
> Should I create a new bug for RHEL 6?

Yes, please file a separate RHEL6 bug.
Comment 6 Fedora Update System 2012-10-07 20:09:45 EDT
libvirt-0.9.11.6-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/libvirt-0.9.11.6-1.fc17
Comment 7 Fedora Update System 2012-10-08 17:53:24 EDT
Package libvirt-0.9.11.6-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.9.11.6-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15634/libvirt-0.9.11.6-1.fc17
then log in and leave karma (feedback).