Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Cause: If libvirt was set not to relabel any files (using <seclabel relabel='no'>), it skipped labelling even files that were created by it for a particular domain.
Consequence: When domain was saved, the file was not labelled and hence restoring failed if the default label was not readable by qemu.
Fix: libvirt labels the file descriptor to which qemu is saving the domain even with relabel='no'.
Result: libvirt can save and consequentially restore a domain with relabel='no'.
Description of problem:
Fail to restore guest from the save file while the save file located in the root directory, also
have set the static selinux lable for the guest and set the relabel='no' in the guest's xml
Version-Release number of selected component (if applicable):
kernel-3.10.0-88.el7.x86_64
qemu-kvm-rhev-1.5.3-47.el7.x86_64
libvirt-1.1.1-23.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-125.el7.noarch
How reproducible:
100%
Steps
1.# getenforce
Enforcing
2.Prepare a normal guest,add the following xml to the guest'xml
--
--
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--
3.Change the guest image's lable which should be the same with the step2
#chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img
# ll -Z /var/lib/libvirt/images/rhel7raw.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img
4.Start the guest
# virsh start rhel7
Domain rhel7 started
5.Save the guest to the root directory while the guest start completely
# virsh save rhel7 rhel7.save
Domain rhel7 saved to rhel7.save
6.Restore the guest, will report the following error
# virsh restore rhel7.save
error: Failed to restore domain from rhel7.save
error: internal error: early end of file from monitor: possible problem:
load of migration failed
7.Check the audit.log info
# ausearch -m avc -ts recent
time->Mon Feb 17 17:34:23 2014
type=SYSCALL msg=audit(1392629663.465:198): arch=c000003e syscall=59 success=yes exit=0 a0=7f4af000b1c0 a1=7f4af000bbe0 a2=7f4af000b1e0 a3=8 items=0 ppid=1 pid=11010 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1392629663.465:198): avc: denied { read } for pid=11010 comm="qemu-kvm" path="/root/rhel7.save" dev="sda1" ino=137136833 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
8.The virsh restore opertion can be operated successfully if i copy the save file in step5 to another directory, such as /tmp
#cp test.save /tmp/test.save
#virsh restore /tmp/test.save
Domain restored from /tmp/rhel7.save
9.The step6 can be operated successfully if i use the default dynamic selinux label
The file descriptor of the save image file opened by libvirt needs to be temporarily labeled with the correct context so that qemu can read it. We are currently doing the right job while creating it and when using the libvirt iohelper, but not for regular files.
Comment 4Martin Kletzander
2014-06-11 15:16:33 UTC
Fixed upstream by v1.2.5-98-gedc80e2:
commit edc80e23442526bb24d35e46ace2d9632803815f
Author: Shivaprasad G Bhat <shivaprasadbhat>
AuthorDate: Wed Jun 11 09:48:34 2014 -0400
qemu: Properly label FDs when restoring domain with static label
I could reproduce this issue with libvirt-1.1.1-23.el7.x86_64 as following steps:
1.# getenforce
Enforcing
2.Prepare a normal guest,add the following xml to the guest'xml
--
--
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--
3.Change the guest image's lable which should be the same with the step2
#chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img
# ll -Z /var/lib/libvirt/images/rhel6.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img
4.Start the guest
# virsh start rhel6
Domain rhel6 started
5.Save the guest to the root directory while the guest start completely
# virsh save rhel6 rhel6.save
Domain rhel6 saved to rhel6.save
6.Restore the guest, will report the following error
# virsh restore rhel6.save
error: Failed to restore domain from rhel6.save
error: internal error: early end of file from monitor: possible problem:
load of migration failed
Verified this issue with libvirt-1.2.7-1.el7.x86_64:
1.# getenforce
Enforcing
2.Prepare a normal guest,add the following xml to the guest'xml
--
--
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--
3.Change the guest image's lable which should be the same with the step2
#chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img
# ll -Z /var/lib/libvirt/images/rhel6.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img
4.Start the guest
# virsh start rhel6
Domain rhel6 started
5.Save the guest to the root directory while the guest start completely
# virsh save rhel6 rhel6.save
Domain rhel6 saved to rhel6.save
6.Restore the guest:
# virsh restore rhel6.save
Domain restored from rhel6.save
Verify this bug with libvirt-1.2.8-8.el7.x86_64
steps
1.Enable security_driver in qemu.conf and in system
#cat /etc/libvirt/qemu.conf
security_driver='selinux'
# getenforce
Enforcing
2.Prepare a normal guest, add the following xml to the guest's xml
#virsh dumpxml rhel7.0
--
<seclabel type='static' model='selinux' relabel='no'>
<label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--
3.Change the guest image's lable which should be the same with the step2
#chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.0.img
# ll -Z /var/lib/libvirt/images/rhel7.0.qcow2
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.0.qcow2
4.Start the guest
# virsh start rhel7.0
Domain rhel7.0 started
5.Save the guest to the root directory while the guest start completely
# virsh save rhel7.0 rhel7.0.save
Domain rhel6 saved to rhel7.0.save
# ll -Z rhel7.0.save
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 rhel7.0.save
6.Restore the guest:
# virsh restore rhel7.0.save
Domain restored from rhel7.0.save
# ll -Z rhel7.0.save
-rw-------. root root system_u:object_r:admin_home_t:s0 rhel7.0.save
7.Destroy the guest, then restore the guest with the previous save file
#virsh destroy rhel7.0
# virsh restore rhel7.0.save
Domain restored from rhel7.0.save
8.Edit step2's xml, set relabel=yes, then re-test step 3~7, get the same result
9.Retry the static dac with the upper steps, all could get the expect result
According to the upper steps, mark this bug verified
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-0323.html
Description of problem: Fail to restore guest from the save file while the save file located in the root directory, also have set the static selinux lable for the guest and set the relabel='no' in the guest's xml Version-Release number of selected component (if applicable): kernel-3.10.0-88.el7.x86_64 qemu-kvm-rhev-1.5.3-47.el7.x86_64 libvirt-1.1.1-23.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 selinux-policy-3.12.1-125.el7.noarch How reproducible: 100% Steps 1.# getenforce Enforcing 2.Prepare a normal guest,add the following xml to the guest'xml -- -- <seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_t:s0:c311,c611</label> </seclabel> -- 3.Change the guest image's lable which should be the same with the step2 #chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img # ll -Z /var/lib/libvirt/images/rhel7raw.img -rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img 4.Start the guest # virsh start rhel7 Domain rhel7 started 5.Save the guest to the root directory while the guest start completely # virsh save rhel7 rhel7.save Domain rhel7 saved to rhel7.save 6.Restore the guest, will report the following error # virsh restore rhel7.save error: Failed to restore domain from rhel7.save error: internal error: early end of file from monitor: possible problem: load of migration failed 7.Check the audit.log info # ausearch -m avc -ts recent time->Mon Feb 17 17:34:23 2014 type=SYSCALL msg=audit(1392629663.465:198): arch=c000003e syscall=59 success=yes exit=0 a0=7f4af000b1c0 a1=7f4af000bbe0 a2=7f4af000b1e0 a3=8 items=0 ppid=1 pid=11010 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null) type=AVC msg=audit(1392629663.465:198): avc: denied { read } for pid=11010 comm="qemu-kvm" path="/root/rhel7.save" dev="sda1" ino=137136833 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:admin_home_t:s0 tclass=file 8.The virsh restore opertion can be operated successfully if i copy the save file in step5 to another directory, such as /tmp #cp test.save /tmp/test.save #virsh restore /tmp/test.save Domain restored from /tmp/rhel7.save 9.The step6 can be operated successfully if i use the default dynamic selinux label