Bug 1029873 - refuse to start domain with nfs disk configured when virt_use_nfs SELinux boolean is off
Summary: refuse to start domain with nfs disk configured when virt_use_nfs SELinux boo...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-13 12:23 UTC by David Jaša
Modified: 2016-04-26 14:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-07 13:06:36 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Bugzilla 862756 (priority medium, CLOSED): Can't use kernel on r/o file system for VM direct kernel boot because it can't be chowned (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 862756

Description David Jaša 2013-11-13 12:23:01 UTC
Description of problem:
Libvirt fails to start a domain with an NFS disk configured when the virt_use_nfs SELinux boolean is switched off. The action is going to fail anyway, with an unnecessary AVC...

Version-Release number of selected component (if applicable):
libvirt-1.1.1-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. on a clean rhel7, configure nfs pool
2. add a disk from nfs pool to a domain
3. try to start domain

Actual results:
SELinux prevents the domain from starting, with an AVC denial

Expected results:
libvirt refuses to start the domain, pointing to the SELinux boolean

Additional info:

Comment 1 David Jaša 2013-11-13 13:03:38 UTC
# getsebool virt_use_nfs
virt_use_nfs --> off
# virsh start winxp
error: Failed to start domain winxp
error: internal error: process exited while connecting to monitor: qemu-kvm: -drive file=/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso,if=none,id=drive-scsi0-0-0-1,readonly=on,format=raw: could not open disk image /var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso: Could not open file: Permission denied

# grep AVC /var/log/audit/audit.log | tail -n1 | audit2why 
type=AVC msg=audit(1384347562.025:1882): avc:  denied  { open } for  pid=16567 comm="qemu-kvm" path="/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso" dev="0:40" ino=2149019912 scontext=system_u:system_r:svirt_t:s0:c93,c415 tcontext=system_u:object_r:nfs_t:s0 tclass=file

	Was caused by:
	The boolean virt_use_nfs was set incorrectly. 
	Description:
	Allow virt to use nfs

	Allow access by executing:
	# setsebool -P virt_use_nfs 1



disk definition in domain xml:
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso'/>
      <target dev='sdb' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
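
The "expected result" asked for in this bug is a pre-flight refusal that names the SELinux boolean instead of letting qemu-kvm hit the AVC shown above. The script below is an added example, not libvirt's own code: it is written as a libvirt qemu hook (libvirt invokes /etc/libvirt/hooks/qemu as `qemu <domain> prepare begin -` with the domain XML on stdin and aborts the start when the hook exits non-zero), parses the file-backed `<disk>` sources, resolves each one to its mount in /proc/mounts, and refuses the start when a source lives on NFS while `getsebool virt_use_nfs` reports `off`. The sample XML and mount table embedded in it are constructed from the disk definition in this comment; the hook path and the refusal message are assumptions.

```python
#!/usr/bin/env python3
"""libvirt qemu hook: refuse to start a domain whose file-backed disks are on
NFS while the virt_use_nfs SELinux boolean is off (added example, not libvirt
code). libvirt calls it as: qemu <domain> prepare begin -   (domain XML on stdin)
and aborts the start if the hook exits non-zero."""
import subprocess
import sys
import xml.etree.ElementTree as ET

NFS_TYPES = {"nfs", "nfs4"}

# Constructed sample input (assumption: the ISO dir is an NFS4 mount).
SAMPLE_MOUNTS = (
    "rootfs / rootfs rw 0 0\n"
    "/dev/sda1 / xfs rw,seclabel 0 0\n"
    "nas:/export/images /var/lib/libvirt/images nfs4 rw,vers=4.1 0 0\n"
)
SAMPLE_XML = """<domain type='kvm'><name>winxp</name><devices>
  <disk type='file' device='cdrom'>
    <driver name='qemu' type='raw'/>
    <source file='/var/lib/libvirt/images/en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso'/>
    <target dev='sdb' bus='scsi'/>
    <readonly/>
  </disk>
  <disk type='block' device='disk'><source dev='/dev/vg/lv'/></disk>
</devices></domain>"""


def disk_sources(xml_text):
    """Backing paths of every <disk type='file'> that has a <source file=...>."""
    root = ET.fromstring(xml_text)
    paths = []
    for disk in root.iter("disk"):
        if disk.get("type") != "file":
            continue  # block/network disks are not labelled as nfs_t files
        src = disk.find("source")
        if src is not None and src.get("file"):
            paths.append(src.get("file"))
    return paths


def fs_type(path, mounts_text):
    """Filesystem type of the mount holding `path`, from /proc/mounts text.
    Longest mount-point prefix wins; on equal length the later (overlaying)
    mount wins. Returns None when no mount matches."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, ftype = fields[1].replace("\\040", " "), fields[2]  # /proc/mounts escapes spaces
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, ftype)
    return best[1] if best else None


def check(xml_text, mounts_text, virt_use_nfs_on):
    """One message per NFS-backed file disk that SELinux would deny."""
    if virt_use_nfs_on:
        return []
    return [
        f"{path} is on NFS but the SELinux boolean virt_use_nfs is off; "
        "run 'setsebool -P virt_use_nfs 1' or move the image off NFS"
        for path in disk_sources(xml_text)
        if fs_type(path, mounts_text) in NFS_TYPES
    ]


def virt_use_nfs_enabled():
    """Query the live system; getsebool prints e.g. 'virt_use_nfs --> off'."""
    out = subprocess.run(["getsebool", "virt_use_nfs"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().endswith("on")


def demo():
    """Run the check on the constructed sample with the boolean off."""
    return check(SAMPLE_XML, SAMPLE_MOUNTS, virt_use_nfs_on=False)


def main(argv):
    # Hook argument convention: <domain> <operation> <sub-operation> <extra>
    if len(argv) < 3 or argv[2] != "prepare":
        return 0  # only gate the 'prepare' phase, which precedes the qemu exec
    xml_text = sys.stdin.read()
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    problems = check(xml_text, mounts_text, virt_use_nfs_enabled())
    for p in problems:
        print(f"refusing to start {argv[1]}: {p}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as a hook the script runs as root before qemu-kvm is spawned, so the failure surfaces as a libvirt error that names the boolean rather than as the "Permission denied" plus AVC pair above. Note that it only covers `<disk type='file'>` and a mount-table lookup; disks reachable through symlinks or bind mounts outside /proc/mounts are not resolved.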

Comment 2 Eric Blake 2013-11-13 13:48:19 UTC
Rather than refusing to run the domain, libvirt should instead be taking advantage of qemu 1.7's ability to pass in the entire backing chain via pre-opened fds, at which point the 'virt_use_nfs' bool is a no-op because we would no longer care about being able to label the files.

Comment 4 zhenfeng wang 2014-07-03 09:39:07 UTC
Hi Eric
Just tried the issue from comment 0 in rhel6.6 and also hit it. Since I didn't see a related bug for rhel6.6, I wonder whether we will also fix this issue in rhel6.6? Thanks

Comment 5 Eric Blake 2014-07-03 12:52:05 UTC
(In reply to zhenfeng wang from comment #4)
> Hi Eric
> Just tried the issue from comment 0 in rhel6.6 and also hit it. Since I didn't
> see a related bug for rhel6.6, I wonder whether we will also fix this issue
> in rhel6.6? Thanks

Upstream libvirt still does not have support wired up for fd passing of NFS disks; when we finally get there, we can avoid the need for the SELinux bool.  I have no idea what time frame it will take to get there, but it will probably build upon the recent refactoring work on storage management for purposes of gluster, block commit, and friends.  As such, while it may be done in time for RHEL 7.1, it would be extremely hard to backport to RHEL 6.

Comment 6 Jiri Denemark 2014-08-07 13:06:36 UTC
The ultimate fix is to implement fd-passing for all disks (tracked already by 1039117, 731134). In the meantime audit2why clearly says where the problem is.

