Bug 976632

Summary: Managedsave/save failed with unable to execute QEMU command 'getfd'
Product: Red Hat Enterprise Linux 7
Reporter: zhenfeng wang <zhwang>
Component: libvirt
Assignee: Peter Krempa <pkrempa>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 7.0
CC: acathrow, ajia, dallan, dyuan, gsun, honzhang, jdenemar, mzhan, ydu
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: libvirt-1.1.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:43:31 UTC
Type: Bug
Bug Blocks: 976635

Description zhenfeng wang 2013-06-21 04:42:16 UTC
Description of problem:
Managedsave/save failed with "unable to execute QEMU command 'getfd'" when a static SELinux label is set for the guest and relabel='no' is set in the guest's XML

Version-Release number of selected component (if applicable):
kernel-3.10.0-0.rc5.61.el7.x86_64
selinux-policy-3.12.1-48.el7.noarch
libvirt-1.0.6-1.el7.x86_64
qemu-kvm-1.5.0-2.el7.x86_64
How reproducible:
100%

Steps
1. # getenforce
Enforcing
2. Prepare a normal guest, add the following XML to the guest's XML
--
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--

3. Change the guest image's label, which should be the same as in step 2
# chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7raw.img

# ll -Z /var/lib/libvirt/images/rhel7raw.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7raw.img

4. Start the guest
# virsh start rhel72
Domain rhel72 started

5. Do managedsave/save once the guest has started completely
# virsh managedsave rhel72
error: Failed to save domain rhel72 state
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

# virsh save rhel72 /tmp/rhel72.save
error: Failed to save domain rhel72 to /tmp/rhel72.save
error: internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

6. Check the audit.log info
# ausearch -m avc
time->Thu Jun 20 14:38:14 2013
type=SYSCALL msg=audit(1371710294.907:1003): arch=c000003e syscall=47 success=yes exit=1 a0=17 a1=7fff5665f0a0 a2=40000000 a3=0 items=0 ppid=1 pid=11833 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1371710294.907:1003): avc:  denied  { write } for  pid=11833 comm="qemu-kvm" path="pipe:[75795]" dev="pipefs" ino=75795 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
----
time->Thu Jun 20 14:38:23 2013
type=SYSCALL msg=audit(1371710303.083:1004): arch=c000003e syscall=47 success=yes exit=1 a0=17 a1=7fff5665f0a0 a2=40000000 a3=0 items=0 ppid=1 pid=11833 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 ses=4294967295 tty=(none) comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1371710303.083:1004): avc:  denied  { write } for  pid=11833 comm="qemu-kvm" path="pipe:[75804]" dev="pipefs" ino=75804 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file

7. Check the libvirt.log info
# cat /var/log/libvirt/libvirtd.log
2013-06-20 06:45:04.533+0000: 12467: info : libvirt version: 1.0.6, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2013-06-03-10:07:01, x86-021.build.eng.bos.redhat.com)
2013-06-20 06:45:04.533+0000: 12467: error : qemuMonitorJSONCheckError:350 : internal error unable to execute QEMU command 'getfd': No file descriptor supplied via SCM_RIGHTS

8. Doing the above operations on rhel6.4z gives the same error

Actual results:
Managedsave failed with unable to execute QEMU command 'getfd'

Expected results:
Should do managedsave/save successfully
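
Added example (not part of the original report and not libvirt code): a small triage script that parses the two AVC records from step 6 and flags denials where the guest domain (svirt_t) was refused access to an object that still carries the daemon's own type (virtd_t), which is the pattern visible in this failure. The function names and the default type arguments are assumptions chosen for this illustration.

```python
import re

# The two AVC records from step 6 of the report (SYSCALL records omitted).
AUDIT_SAMPLE = '''\
type=AVC msg=audit(1371710294.907:1003): avc:  denied  { write } for  pid=11833 comm="qemu-kvm" path="pipe:[75795]" dev="pipefs" ino=75795 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1371710303.083:1004): avc:  denied  { write } for  pid=11833 comm="qemu-kvm" path="pipe:[75804]" dev="pipefs" ino=75804 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level itself may contain ':'."""
    user, role, setype, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': setype, 'level': level}

def parse_avc(text):
    """Yield one dict per 'avc: denied' record in ausearch/audit.log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        path = re.search(r'path="([^"]*)"', line)
        yield {
            'perms': m['perms'].split(),
            'path': path.group(1) if path else None,
            'source': split_context(m['scontext']),
            'target': split_context(m['tcontext']),
            'tclass': m['tclass'],
        }

def unlabeled_daemon_objects(records, guest_type='svirt_t', daemon_type='virtd_t'):
    """Denials where the guest domain hit an object still labeled with the
    daemon's process type, i.e. a resource created by libvirtd and handed
    to QEMU without being relabeled for the guest."""
    return [r for r in records
            if r['source']['type'] == guest_type
            and r['target']['type'] == daemon_type]

if __name__ == '__main__':
    for r in unlabeled_daemon_objects(parse_avc(AUDIT_SAMPLE)):
        print(r['path'], r['tclass'], r['perms'],
              r['source']['level'], '->', r['target']['level'])
```

Run against the full `ausearch -m avc` output of a host, the same filter separates this class of denial from unrelated ones such as a mislabeled disk image, whose target type would not be virtd_t.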

Comment 2 Jiri Denemark 2013-06-21 10:32:47 UTC
Hmm, it seems that when relabel=no is used we don't even relabel resources created on the fly, such as pipes, which is obviously wrong.

Comment 3 Peter Krempa 2013-07-08 13:14:23 UTC
Fixed upstream by:
commit 2ce63c161111c6d813130f850639d1548d80c3fe
Author: Peter Krempa <pkrempa>
Date:   Tue Jul 2 18:34:58 2013 +0200

    selinux: Always generate imagelabel
    
    The imagelabel SELinux label was only generated when relabeling was
    enabled. This prohibited labeling of files created by libvirt that need
    to be labeled even if relabeling is turned off.
    
    The only codepath this change has direct impact on is labeling of FDs
    passed to qemu which is always safe in current state.

Comment 4 yanbing du 2013-07-31 06:08:30 UTC
Verify this bug with libvirt-1.1.1-1.el7.x86_64.
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     virt-tests-vm1                 shut off

# virsh start virt-tests-vm1
Domain virt-tests-vm1 started

# virsh managedsave virt-tests-vm1

Domain virt-tests-vm1 state saved by libvirt

# virsh start virt-tests-vm1
Domain virt-tests-vm1 started

# virsh save virt-tests-vm1 /tmp/vm-save 

Domain virt-tests-vm1 saved to /tmp/vm-save

So move this bug to VERIFIED.

Comment 5 Ludek Smid 2014-06-13 11:43:31 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.