Bug 1066280 - Fail to restore guest from the save file while set the static selinux label for the guest and set the relabel='no' in the guest's xml
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64 Linux
Priority: medium, Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kletzander
QA Contact: Virtualization Bugs
Keywords: Upstream
Duplicates: 1126679
Depends On:
Blocks: 829181 1064025 1066285
Reported: 2014-02-18 03:07 EST by zhenfeng wang
Modified: 2015-03-05 02:30 EST

See Also:
Fixed In Version: libvirt-1.2.7-1.el7
Doc Type: Bug Fix
Doc Text:
Cause: If libvirt was set not to relabel any files (using <seclabel relabel='no'>), it skipped labelling even files that were created by it for a particular domain.
Consequence: When a domain was saved, the file was not labelled and hence restoring failed if the default label was not readable by qemu.
Fix: libvirt labels the file descriptor to which qemu is saving the domain even with relabel='no'.
Result: libvirt can save and consequently restore a domain with relabel='no'.
Story Points: ---
Clone Of:
Clones: 1066285
Environment:
Last Closed: 2015-03-05 02:30:22 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0323 normal SHIPPED_LIVE Low: libvirt security, bug fix, and enhancement update 2015-03-05 07:10:54 EST

Description zhenfeng wang 2014-02-18 03:07:29 EST
Description of problem:
Failed to restore the guest from the save file when the save file is located in the root directory, with
a static SELinux label set for the guest and relabel='no' set in the guest's XML

Version-Release number of selected component (if applicable):
kernel-3.10.0-88.el7.x86_64
qemu-kvm-rhev-1.5.3-47.el7.x86_64
libvirt-1.1.1-23.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-125.el7.noarch
How reproducible:
100%

Steps
1. # getenforce
Enforcing
2. Prepare a normal guest, add the following XML to the guest's XML
--
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--

3. Change the guest image's label, which should be the same as in step 2
# chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img

# ll -Z /var/lib/libvirt/images/rhel7raw.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img

4. Start the guest
# virsh start rhel7
Domain rhel7 started

5. Save the guest to the root directory once the guest has started completely
# virsh save rhel7 rhel7.save

Domain rhel7 saved to rhel7.save

6. Restore the guest; it reports the following error
# virsh restore rhel7.save
error: Failed to restore domain from rhel7.save
error: internal error: early end of file from monitor: possible problem:
load of migration failed

7. Check the audit.log info
# ausearch -m avc -ts recent
time->Mon Feb 17 17:34:23 2014
type=SYSCALL msg=audit(1392629663.465:198): arch=c000003e syscall=59 success=yes exit=0 a0=7f4af000b1c0 a1=7f4af000bbe0 a2=7f4af000b1e0 a3=8 items=0 ppid=1 pid=11010 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1392629663.465:198): avc:  denied  { read } for  pid=11010 comm="qemu-kvm" path="/root/rhel7.save" dev="sda1" ino=137136833 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

8. The virsh restore operation completes successfully if I copy the save file from step 5 to another directory, such as /tmp
# cp test.save /tmp/test.save
# virsh restore /tmp/test.save
Domain restored from /tmp/rhel7.save

9. Step 6 completes successfully if I use the default dynamic SELinux label
Comment 2 Peter Krempa 2014-02-19 08:01:18 EST
The file descriptor of the save image file opened by libvirt needs to be temporarily labeled with the correct context so that qemu can read it. We are currently doing the right job while creating it and when using the libvirt iohelper, but not for regular files.
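Added example (not part of the bug report and not libvirt code): a small parser for the AVC record in step 7 of the description. It shows that the denial comes from the save file's type (admin_home_t), not from its MCS categories, and derives the file label implied by the guest's static seclabel. The function names and the rule that only svirt_image_t counts as readable are assumptions made for this illustration.

```python
import re

# AVC record copied from step 7 of the report; everything else here is added.
AVC_LINE = (
    'type=AVC msg=audit(1392629663.465:198): avc:  denied  { read } for  pid=11010 '
    'comm="qemu-kvm" path="/root/rhel7.save" dev="sda1" ino=137136833 '
    'scontext=system_u:system_r:svirt_t:s0:c311,c611 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=file')

def expand_categories(cats):
    """'c311,c611' or 'c0.c3' -> set of category numbers."""
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out

def parse_context(ctx):
    """Split user:role:type:level (single level, as in the report)."""
    user, role, setype, level = ctx.split(":", 3)
    _, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": setype, "level": level,
            "categories": expand_categories(cats)}

def parse_avc(line):
    """Return the denial's permissions, path and both contexts, or None."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": m.group(1).split(), "path": f.get("path", "").strip('"'),
            "source": parse_context(f["scontext"]),
            "target": parse_context(f["tcontext"]), "tclass": f["tclass"]}

def diagnose(avc, image_type="svirt_image_t"):
    """Say whether the type or the MCS categories explain the denial.

    Simplification (assumption): only image_type counts as readable by the
    guest domain; the real policy allows svirt_t a few more types.
    """
    src, tgt = avc["source"], avc["target"]
    return {
        "type_ok": tgt["type"] == image_type,
        # MCS dominance: the file's categories must be a subset of the process's.
        "mcs_ok": tgt["categories"] <= src["categories"],
        "expected_label": "system_u:object_r:%s:%s" % (image_type, src["level"]),
    }

if __name__ == "__main__":
    print(diagnose(parse_avc(AVC_LINE)))
```

The expected label it derives is the one `ll -Z` shows on the save file right after `virsh save` in the verification on libvirt-1.2.8-8.el7.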
Comment 4 Martin Kletzander 2014-06-11 11:16:33 EDT
Fixed upstream by v1.2.5-98-gedc80e2:

commit edc80e23442526bb24d35e46ace2d9632803815f
Author:     Shivaprasad G Bhat <shivaprasadbhat@gmail.com>
AuthorDate: Wed Jun 11 09:48:34 2014 -0400

    qemu: Properly label FDs when restoring domain with static label
Comment 6 Ján Tomko 2014-08-05 04:15:15 EDT
*** Bug 1126679 has been marked as a duplicate of this bug. ***
Comment 7 zhengqin 2014-08-21 02:13:29 EDT
I could reproduce this issue with libvirt-1.1.1-23.el7.x86_64 with the following steps:

1. # getenforce
Enforcing
2. Prepare a normal guest, add the following XML to the guest's XML
--
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--

3. Change the guest image's label, which should be the same as in step 2
# chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img

# ll -Z /var/lib/libvirt/images/rhel6.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img

4. Start the guest
# virsh start rhel6
Domain rhel6 started

5. Save the guest to the root directory once the guest has started completely
# virsh save rhel6 rhel6.save

Domain rhel6 saved to rhel6.save

6. Restore the guest; it reports the following error
# virsh restore rhel6.save
error: Failed to restore domain from rhel6.save
error: internal error: early end of file from monitor: possible problem:
load of migration failed

Verified this issue with libvirt-1.2.7-1.el7.x86_64:

1. # getenforce
Enforcing
2. Prepare a normal guest, add the following XML to the guest's XML
--
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--

3. Change the guest image's label, which should be the same as in step 2
# chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img

# ll -Z /var/lib/libvirt/images/rhel6.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel6.img

4. Start the guest
# virsh start rhel6
Domain rhel6 started

5. Save the guest to the root directory once the guest has started completely
# virsh save rhel6 rhel6.save

Domain rhel6 saved to rhel6.save

6. Restore the guest:
# virsh restore rhel6.save
Domain restored from rhel6.save
Comment 8 zhenfeng wang 2014-11-24 03:33:47 EST
Verified this bug with libvirt-1.2.8-8.el7.x86_64
Steps
1. Enable security_driver in qemu.conf and in the system
# cat /etc/libvirt/qemu.conf
security_driver='selinux'
# getenforce
Enforcing

2. Prepare a normal guest, add the following XML to the guest's XML
# virsh dumpxml rhel7.0
--
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c311,c611</label>
</seclabel>
--

3. Change the guest image's label, which should be the same as in step 2
# chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.0.img

# ll -Z /var/lib/libvirt/images/rhel7.0.qcow2
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.0.qcow2

4. Start the guest
# virsh start rhel7.0
Domain rhel7.0 started

5. Save the guest to the root directory once the guest has started completely
# virsh save rhel7.0 rhel7.0.save

Domain rhel6 saved to rhel7.0.save

# ll -Z rhel7.0.save
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 rhel7.0.save

6. Restore the guest:
# virsh restore rhel7.0.save
Domain restored from rhel7.0.save

# ll -Z rhel7.0.save
-rw-------. root root system_u:object_r:admin_home_t:s0 rhel7.0.save

7. Destroy the guest, then restore the guest with the previous save file
# virsh destroy rhel7.0

# virsh restore rhel7.0.save
Domain restored from rhel7.0.save

8. Edit step 2's XML, set relabel=yes, then re-test steps 3~7; got the same result

9. Retried with static DAC using the steps above; all got the expected result

According to the steps above, marking this bug verified
Comment 10 errata-xmlrpc 2015-03-05 02:30:22 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html
