1027076 – Fail to start lxc with disabled selinux due to the existed empty /selinux

Bug 1027076 - Fail to start lxc with disabled selinux due to the existed empty /selinux

Summary: Fail to start lxc with disabled selinux due to the existed empty /selinux

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kletzander
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	915485
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-06 05:17 UTC by Luwen Su
Modified:	2015-03-05 07:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:	libvirt-1.2.7-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 07:25:43 UTC
Target Upstream Version:

Attachments	(Terms of Use)
system log (129.53 KB, text/x-log) 2014-02-25 09:44 UTC, Luwen Su	no flags	Details
libvirtd log (737.89 KB, text/x-log) 2014-02-25 09:44 UTC, Luwen Su	no flags	Details
lxc log (41.46 KB, text/x-log) 2014-02-25 09:45 UTC, Luwen Su	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0323	0	normal	SHIPPED_LIVE	Low: libvirt security, bug fix, and enhancement update	2015-03-05 12:10:54 UTC

Description Luwen Su 2013-11-06 05:17:53 UTC

Description of problem:
Fail to start lxc with disabled selinux due to the existed empaty /selinux

Version-Release number of selected component (if applicable):
libvirt-0.10.2-29.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.415.el6.x86_64
kernel-2.6.32-429.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1.
#getenforce
Enforcing
There is a dir /selinux , generated by the system 

2.Disabled selinux
# cat /etc/selinux/config | grep disabled
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

#reboot

3.After that , the selinux DOESN't remove the dir /selinux but clean all content in it.
#ll -a /selinux/
total 8
drwxr-xr-x.  2 root root 4096 Oct 12 11:28 .
dr-xr-xr-x. 25 root root 4096 Oct 12 13:52 ..

4.This lead to lxc fail to start:
#virsh -c lxc:/// start toy

error: Failed to start domain toy
error: internal error guest failed to start: PATH=/bin:/sbin TERM=linux container=lxc-libvirt container_uuid=bb428983-cb9f-4702-0f8d-7d4e143d9aad LIBVIRT_LXC_UUID=bb428983-cb9f-4702-0f8d-7d4e143d9aad LIBVIRT_LXC_NAME=toy /bin/sh
error receiving signal from container: Input/output error


5.
If remove the dir , everthing will be fine.
And on rhel7 , there is no /selinux , so it has not effect.


Expected results:
Lxc started


Additional info:

Comment 2 Martin Kletzander 2014-02-24 10:05:43 UTC

Please attach both daemon and machine logs, thanks.

Comment 3 Martin Kletzander 2014-02-24 10:14:12 UTC

This should be fixed upstream with commit v1.1.4-22-g9ecbd38:

commit 9ecbd38c4c4a582bc17749b97c4641ee80f42d75
Author: Daniel P. Berrange <berrange>
Date:   Mon Oct 7 13:12:15 2013 +0100

    Skip any files which are not mounted on the host

Comment 4 Luwen Su 2014-02-25 09:44:12 UTC

Created attachment 867312 [details]
system log

Comment 5 Luwen Su 2014-02-25 09:44:59 UTC

Created attachment 867313 [details]
libvirtd log

Comment 6 Luwen Su 2014-02-25 09:45:23 UTC

Created attachment 867314 [details]
lxc log

Comment 7 Luwen Su 2014-02-25 09:47:09 UTC

logs generated basing on 
libvirt-0.10.2-29.el6_5.4.x86_64
kernel-2.6.32-431.5.1.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch

Comment 8 Martin Kletzander 2014-02-25 12:08:12 UTC

Thank you very much, that confirms my hypothesis.

Comment 10 Jiri Denemark 2014-04-04 21:38:10 UTC

This bug was not selected to be addressed in Red Hat Enterprise Linux 6. We will look at it again within the Red Hat Enterprise Linux 7 product.

Comment 12 Shanzhi Yu 2014-11-20 10:08:02 UTC

In RHEL7 this can't be reproduced. So, I would change this to verified status

Comment 14 errata-xmlrpc 2015-03-05 07:25:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

Note You need to log in before you can comment on or make changes to this bug.