Bug 999301

Summary: DAC security model does not support relabel attribute
Product: [Community] Virtualization Tools
Reporter: Cristian Ciupitu <cristian.ciupitu>
Component: libvirt
Assignee: Martin Kletzander <mkletzan>
Status: CLOSED NEXTRELEASE
Severity: low
Priority: unspecified
Version: unspecified
CC: acathrow, jtomko, mkletzan, shyu
Hardware: Unspecified   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2014-05-21 09:35:30 UTC
Type: Bug

Description Cristian Ciupitu 2013-08-21 06:19:21 UTC
Description of problem:
<seclabel model='dac' relabel='no'/> does not work; the owner and the group of
the file are still changed to qemu:qemu.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.1.1-2.fc19.x86_64.rpm

How reproducible:
Every time

Steps to Reproduce:
1. Create a virtual machine
2. Attach a CD image to it:
    # virsh dumpxml test
        ...
        <disk type='file' device='cdrom'>
          <driver name='qemu' type='raw'/>
          <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
            <seclabel model='selinux' relabel='no'/>
            <seclabel model='dac' relabel='no'/>
          </source>
          <target dev='hdc' bus='ide'/>
          <readonly/>
          <shareable/>
          <address type='drive' controller='0' bus='1' target='0' unit='0'/>
        </disk>

3. Start the machine:
    # ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
    -r--r--r--. root root system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

    # virsh start test
    Domain test started

Actual results:
# ls -lZ Fedora-Live-Desktop-x86_64-19-1.iso 
-r--r--r--. qemu qemu system_u:object_r:public_content_t:s0 Fedora-Live-Desktop-x86_64-19-1.iso

Expected results:
The owner & group shouldn't be changed.

Additional info:
https://www.redhat.com/archives/libvirt-users/2013-August/msg00100.html

Comment 1 Cristian Ciupitu 2013-08-21 06:24:15 UTC
Just to avoid any confusion, the RPM was installed from the fedora-virt-preview
repository.

Comment 3 Ján Tomko 2014-05-21 09:35:30 UTC
Merged upstream as of:
commit 9369a562446b7bb5314e6e1f6e65379bc1da6721
Author:     Jim Fehlig <jfehlig>
AuthorDate: 2014-05-15 16:38:01 -0600
Commit:     Jim Fehlig <jfehlig>
CommitDate: 2014-05-16 15:32:14 -0600

    security_dac: avoid relabeling when relabel='no'
    
    If relabel='no' at the domain level, no need to attempt relabeling
    in virSecurityDAC{Set,Restore}SecurityAllLabel().
    
    Signed-off-by: Michal Privoznik <mprivozn>
    Signed-off-by: Jim Fehlig <jfehlig>

git describe: v1.2.4-84-g9369a56

Comment 4 Cristian Ciupitu 2014-08-25 17:53:29 UTC
Confirmed that it works fine with libvirt-daemon-kvm-1.2.7-2.fc20.x86_64.
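
A regression check for the behaviour reported above, as an added example that is not part of the bug report or of libvirt: it lists the disk sources marked relabel='no' for the DAC model in `virsh dumpxml` output and compares their owner and group before and after `virsh start`. The sample XML, its file paths and all function names are constructed for illustration; letting a per-source <seclabel> take precedence over a domain-level one is an assumption of this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the `virsh dumpxml` output in the report;
# the file paths are placeholders.
SAMPLE_XML = """
<domain type='kvm'>
  <name>test</name>
  <devices>
    <disk type='file' device='cdrom'>
      <source file='/tmp/example-live.iso'>
        <seclabel model='selinux' relabel='no'/>
        <seclabel model='dac' relabel='no'/>
      </source>
    </disk>
    <disk type='file' device='disk'>
      <source file='/tmp/example-root.img'/>
    </disk>
  </devices>
</domain>
"""

def _dac_relabel(elem):
    """Return the relabel attribute of a direct-child DAC <seclabel>, or None."""
    for label in elem.findall("seclabel"):
        if label.get("model") == "dac":
            return label.get("relabel")
    return None

def dac_norelabel_sources(domain_xml):
    """Disk source files that must not be chown'ed under the DAC model."""
    root = ET.fromstring(domain_xml)
    domain_default = _dac_relabel(root)  # domain-level <seclabel>, if any
    paths = []
    for src in root.findall("./devices/disk/source[@file]"):
        setting = _dac_relabel(src) or domain_default  # assumption: per-source wins
        if setting == "no":
            paths.append(src.get("file"))
    return paths

def snapshot(paths):
    """Map each path to its (uid, gid) as reported by stat(2)."""
    return {p: (os.stat(p).st_uid, os.stat(p).st_gid) for p in paths}

def ownership_changes(before, after):
    """Paths whose owner or group differs between two snapshots."""
    return {p: (before[p], after[p]) for p in before if after.get(p) != before[p]}
```

Take one snapshot of `dac_norelabel_sources(xml)` before `virsh start` and one after; a non-empty `ownership_changes` result reproduces the "Actual results" above, and an empty one matches the fixed behaviour.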