Description of problem:
fail to start domain with nfs disk configured when virt_use_nfs SELinux boolean switched to off. The action is going to fail anyway with unnecessary AVC...

Version-Release number of selected component (if applicable):
libvirt-1.1.1-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. on a clean rhel7, configure nfs pool
2. add a disk from nfs pool to a domain
3. try to start domain

Actual results:
selinux prevents start of the domain with an AVC

Expected results:
libvirt refuses to start the domain pointing to selinux boolean

Additional info:
# getsebool virt_use_nfs
virt_use_nfs --> off

# virsh start winxp
error: Failed to start domain winxp
error: internal error: process exited while connecting to monitor: qemu-kvm: -drive file=/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso,if=none,id=drive-scsi0-0-0-1,readonly=on,format=raw: could not open disk image /var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso: Could not open file: Permission denied

# grep AVC /var/log/audit/audit.log | tail -n1 | audit2why
type=AVC msg=audit(1384347562.025:1882): avc: denied { open } for pid=16567 comm="qemu-kvm" path="/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso" dev="0:40" ino=2149019912 scontext=system_u:system_r:svirt_t:s0:c93,c415 tcontext=system_u:object_r:nfs_t:s0 tclass=file

	Was caused by:
	The boolean virt_use_nfs was set incorrectly.
	Description:
	Allow virt to use nfs

	Allow access by executing:
	# setsebool -P virt_use_nfs 1

disk definition in domain xml:

<disk type='file' device='cdrom'>
  <driver name='qemu' type='raw'/>
  <source file='/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso'/>
  <target dev='sdb' bus='scsi'/>
  <readonly/>
  <address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
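The reporter's point is that the AVC above already carries everything needed to name the boolean: the source type (svirt_t) and target type (nfs_t) identify the pair that virt_use_nfs unlocks. As an added example, not code from libvirt or from this bug report, here is a small parser that pulls those fields out of an AVC record and maps them to the boolean, the way a pre-flight check or a log triage script would. The sample record is the one from the report; the svirt_t/nfs_t to virt_use_nfs row is what audit2why states on this page, while the cifs_t and fusefs_t rows are assumptions drawn from the stock targeted policy and not from this page.

```python
import re

# Constructed sample input: the AVC record from comment 0 of this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1384347562.025:1882): avc: denied { open } for '
    'pid=16567 comm="qemu-kvm" '
    'path="/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso" '
    'dev="0:40" ino=2149019912 scontext=system_u:system_r:svirt_t:s0:c93,c415 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file'
)

# Which SELinux boolean permits a given (subject type, target type) pair.
# ("svirt_t", "nfs_t") -> virt_use_nfs is what audit2why reports on this page;
# the cifs_t and fusefs_t rows are assumptions from the stock targeted policy.
BOOLEAN_HINTS = {
    ("svirt_t", "nfs_t"): "virt_use_nfs",
    ("svirt_t", "cifs_t"): "virt_use_samba",
    ("svirt_t", "fusefs_t"): "virt_use_fusefs",
}

# auditd writes "avc:  denied  { open }" with doubled spaces; \s+ accepts both
# that and the single-spaced copy pasted into the bug.
_AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the useful fields of one AVC denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # path= is optional in an AVC record; keep it when present.
    p = re.search(r'path="([^"]*)"', line)
    rec["path"] = p.group(1) if p else None
    return rec


def explain_denial(line):
    """Map one AVC denial to the boolean that would permit it, if a known pair."""
    rec = parse_avc(line)
    if rec is None:
        return None
    boolean = BOOLEAN_HINTS.get((rec["stype"], rec["ttype"]))
    if boolean is None:
        advice = "no known boolean for this pair; run the record through audit2why"
    else:
        advice = "setsebool -P %s 1 (or keep the disk off the %s-labelled share)" % (
            boolean, rec["ttype"])
    return {"record": rec, "boolean": boolean, "advice": advice}


def find_boolean_denials(lines):
    """Scan audit log lines and return only the denials a boolean would fix."""
    hits = []
    for line in lines:
        result = explain_denial(line)
        if result and result["boolean"]:
            hits.append((result["record"]["path"], result["boolean"]))
    return hits


if __name__ == "__main__":
    for path, boolean in find_boolean_denials([SAMPLE_AVC]):
        print("%s: blocked by SELinux, set %s" % (path, boolean))
```

Running the same check from the disk side (stat the source file's filesystem and getsebool the boolean before calling virsh start) would give the refusal the reporter asks for under "Expected results"; the parser above covers the after-the-fact case, where all you have is the audit log.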
Rather than refusing to run the domain, libvirt should instead be taking advantage of qemu 1.7's ability to pass in the entire backing chain via pre-opened fds, at which point the 'virt_use_nfs' bool is a no-op because we would no longer care about being able to label the files.
Hi Eric,
I just tried the comment 0 issue in rhel6.6 and also hit that issue. Since I didn't see the related bug in rhel6.6, I wonder whether we will also fix this issue in rhel6.6? Thanks
(In reply to zhenfeng wang from comment #4)
> Hi Eric,
> I just tried the comment 0 issue in rhel6.6 and also hit that issue. Since I
> didn't see the related bug in rhel6.6, I wonder whether we will also fix this
> issue in rhel6.6? Thanks

Upstream libvirt still does not have support wired up for fd passing of NFS disks; when we finally get there, we can avoid the need for the SELinux bool. I have no idea what time frame it will take to get there, but it will probably build upon the recent refactoring work on storage management for purposes of gluster, block commit, and friends. As such, while it may be done in time for RHEL 7.1, it would be extremely hard to backport to RHEL 6.
The ultimate fix is to implement fd-passing for all disks (already tracked by bugs 1039117 and 731134). In the meantime, audit2why clearly says where the problem is.