Bug 902103

Summary: "Cannot parse sensitivity level in s0" when launching nova instance
Product: [Fedora] Fedora Reporter: Steve Baker <sbaker>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: berrange, clalancette, crobinso, dallan, itamar, jforbes, jyang, laine, libvirt-maint, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-11 19:30:45 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
libvirt xml which demonstrates problem none

Description Steve Baker 2013-01-20 16:34:07 EST
Description of problem:
Since upgrading to Fedora 18 I've not been able to launch nova instances with current master of nova & devstack.

The following error is logged:
"Cannot parse sensitivity level in s0"

Running virsh create on the attached sensitivity_level_fail.xml nova generated XML also reproduces the error.

Version-Release number of selected component (if applicable):
libvirt-0.10.2.2-3.fc18.x86_64

How reproducible:
All the time when svirt is enabled

Steps to Reproduce:
1. Run virsh create sensitivity_level_fail.xml

  
Actual results:
Immediately fails with error
"Cannot parse sensitivity level in s0"

Expected results:


Additional info:
Workaround is to set:
security_driver = "none"
in /etc/libvirt/qemu.conf
Comment 1 Steve Baker 2013-01-20 16:37:41 EST
Created attachment 683900 [details]
libvirt xml which demonstrates problem
Comment 2 Daniel Berrange 2013-01-21 05:16:30 EST
Please provide 

 ps -axuZ | grep libvirtd

and

 ls -lZ /usr/sbin/libvirtd
Comment 3 Steve Baker 2013-01-21 15:29:05 EST
# ps -axuZ | grep libvirtd
system_u:system_r:kernel_t:s0   root       951  0.0  0.0 484324  1824 ?        Ssl  Jan21   0:00 /usr/sbin/libvirtd
unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 root 18159 0.0  0.0 109180 884 pts/6 S+ 09:25   0:00 grep --color=auto libvirtd

# ls -lZ /usr/sbin/libvirtd
-rwxr-xr-x. root root system_u:object_r:virtd_exec_t:s0 /usr/sbin/libvirtd

This is with svirt still disabled
Comment 4 Cole Robinson 2013-01-25 18:25:54 EST
Hmm, I can't reproduce. That error message comes from libvirtd, trying to parse it's own selinux context. It throws that error if it doesn't find a colon in the context string.

Steve, is this with all up to date packages? Do other VMs work? Is selinux in enforcing, permissive, or disabled?

Also, please provide 

  ps -axuZ | grep libvirtd

again, but this time with svirt enabled, and after restarting libvirtd.
Comment 5 Dave Allan 2013-01-28 12:35:58 EST
See also BZ 896610
Comment 6 Steve Baker 2013-02-04 19:36:40 EST
With security_driver = "selinux"
in /etc/libvirt/qemu.conf

ps -axuZ | grep libvirtd
system_u:system_r:kernel_t:s0   root      9438  0.2  0.1 1078160 5856 ?        Ssl  13:27   0:00 /usr/sbin/libvirtd
unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 steveb 15084 0.0  0.0 109180 884 pts/1 S+ 13:33   0:00 grep --color=auto libvirtd
Comment 7 Cole Robinson 2013-02-06 15:31:36 EST
Steve, I think you can fix this locally by

touch /.autorelabel
reboot

But we should find a way to not make this fail if running in permissive mode
Comment 8 Daniel Berrange 2013-03-13 14:08:36 EDT
This series makes libvirt more robust at handling unexpected security labels, which should address this problem

https://www.redhat.com/archives/libvir-list/2013-March/msg00684.html
Comment 9 Fedora Update System 2013-04-01 18:05:26 EDT
libvirt-0.10.2.4-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libvirt-0.10.2.4-1.fc18
Comment 10 Fedora Update System 2013-04-03 00:27:51 EDT
Package libvirt-0.10.2.4-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.10.2.4-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-4691/libvirt-0.10.2.4-1.fc18
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-04-11 19:30:48 EDT
libvirt-0.10.2.4-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.