Red Hat Bugzilla – Bug 1105939
Fail to start guest while disable the default security labeling
Last modified: 2015-03-05 02:37:29 EST
Description of problem: Fail to start guest while set security_default_confined = 0 in qemu.conf and add <seclabel type='none' model='dac'/> in guest's xml Version-Release number of selected component (if applicable): qemu-kvm-rhev-1.5.3-60.el7ev_0.2.x86_64 libvirt-1.1.1-29.el7.x86_64 kernel-3.10.0-123.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1.Disable the default security labeling in /etc/libvirt/qemu.conf security_default_confined = 0 #service libvirtd restart 2.Start a normal guest #virsh start rhel7 3.After the guest start, check the guest's xml we could see the following content was added automatically. #virsh dumpxml rhel7 -- <seclabel type='none' model='selinux'/> -- 4.Destroy the guest, then add the following content to the guest's xml # virsh dumpxml rhel7 |grep dac <seclabel type='none' model='dac'/> 5.Start the guest, the guest will fail to start with unknow error # virsh start rhel7 error: Failed to start domain rhel7 error: An error occurred, but the cause is unknown 6.Re-try the upper steps with rhel6.6, also fail to start the guest, however got a different error, also got some info from the libvirt and qemu's log # virsh start rhel7k error: Failed to start domain rhel7k error: internal error Unknown failure during hook execution check the libvirtd log 2014-06-04 07:09:53.842+0000: 11599: error : virCommandHandshakeWait:2460 : internal error Unknown failure during hook execution check the qemu log 2014-06-04 07:09:53.792+0000: starting up LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -name rhel7k -S -M rhel6.4.0 -enable-kvm -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 995a1b49-0924-ea37-107b-d9531cb6f59a -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel7k.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive file=/var/lib/libvirt/images/rhel7.img,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=22,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:38:0c:9f,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/rhel7k.agent,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev socket,id=charchannel1,path=/var/lib/libvirt/qemu/rhel7k.agent,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=3,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel2,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel2,id=channel2,name=com.redhat.spice.0 -spice port=5900,addr=127.0.0.1,disable-ticketing,seamless-migration=on -vga qxl -global qxl-vga.ram_size=67108864 -global qxl-vga.vram_size=67108864 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 -msg timestamp=on libvirt: error : An error occurred, but the cause is unknown 2014-06-04 07:09:53.843+0000: shutting down Actual results: Fail to start guest with unknown failure Expected results: If we allow start guest in this scenario, the guest should be start successfully, if not, it should give clear error
Fixed upstream by: commit f9bf63e673c11cd189748c29b6ea7d2cf19c8da7 Author: Ján Tomko <jtomko@redhat.com> AuthorDate: 2014-06-09 16:23:52 +0200 Commit: Ján Tomko <jtomko@redhat.com> CommitDate: 2014-06-10 10:18:24 +0200 SELinux: don't fail silently when no label is present This fixes startup of a domain with: <seclabel type='none' model='dac'/> on a host with selinux and dac drivers and security_default_confined = 0 https://bugzilla.redhat.com/show_bug.cgi?id=1105939 https://bugzilla.redhat.com/show_bug.cgi?id=1102611 git describe: v1.2.5-81-gf9bf63e
I could reproduce it with libvirt-1.1.1-29.el7.x86_64 as following steps: 1.Disable the default security labeling in /etc/libvirt/qemu.conf security_default_confined = 0 #service libvirtd restart 2.Start a normal guest #virsh start rhel6 3.After the guest start, check the guest's xml we could see the following content was added automatically. #virsh dumpxml rhel6 -- <seclabel type='none' model='selinux'/> -- 4.Destroy the guest, then add the following content to the guest's xml # virsh dumpxml rhel6 |grep dac <seclabel type='none' model='dac'/> 5.Start the guest, the guest will fail to start with unknow error # virsh start rhel6 error: Failed to start domain rhel6 error: An error occurred, but the cause is unknown
Verified this with libvirt-1.2.7-1.el7.x86_64: 1.Disable the default security labeling in /etc/libvirt/qemu.conf security_default_confined = 0 #service libvirtd restart 2.Start a normal guest #virsh start rhel6 3.After the guest start, check the guest's xml we could see the following content was added automatically. #virsh dumpxml rhel6 -- <seclabel type='none' model='selinux'/> -- 4.Destroy the guest, then add the following content to the guest's xml # virsh dumpxml rhel6 |grep dac <seclabel type='none' model='dac'/> 5.Start the guest, the guest could start successfully: # virsh start rhel6 Domain rhel6 started
hi Jan Tomko, I have found a issue with libvirt-1.2.8-1: 1.Disable the default security labeling in /etc/libvirt/qemu.conf security_default_confined = 0 #service libvirtd restart 2.start two guest without config security label # virsh start r6 Domain r6 started # virsh start win7 Domain win7 started # virsh dumpxml r6 <seclabel type='none' model='selinux'/> # virsh dumpxml win7 <seclabel type='none' model='selinux'/> 3.# virsh list --all Id Name State ---------------------------------------------------- 2 r6 running 3 win7 running 3.restart libvirtd #service libvirtd restart 4.# virsh list --all Id Name State ---------------------------------------------------- 5 win7 running - r6 shut off 5.# ps aux|grep r6 root 19008 0.0 0.0 112640 964 pts/0 S+ 12:51 0:00 grep --color=auto r6 Is this issue is the same issue with this bug and will fix in this bug? Or a new bug? Thanks, Luyao Huang
Log from /var/log/libvirt/libvirtd.log: 2014-09-04 06:31:02.161+0000: 8826: info : libvirt version: 1.2.8, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-05:19:38, x86-021.build.eng.bos.redhat.com) 2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor 2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label already reserved
(In reply to Luyao Huang from comment #6) Hi, that's a new bug.
(In reply to Jan Tomko from comment #8) > (In reply to Luyao Huang from comment #6) > Hi, that's a new bug. Thanks,and filed a new bug 1138487 in RHEL7 and clone a bug 1138488 in RHEL6
Verify the bug with libvirt-1.2.8-8.el7.x86_64 steps 1.Disable the default security labeling in /etc/libvirt/qemu.conf security_default_confined = 0 #service libvirtd restart 2.Start a normal guest #virsh start rhel7 3.After the guest start, check the guest's xml we could see the following content was added automatically. #virsh dumpxml rhel7 -- <seclabel type='none' model='selinux'/> -- 4.Destroy the guest, then add the following content to the guest's xml # virsh dumpxml rhel7 |grep dac <seclabel type='none' model='dac'/> 5.Start the guest, the guest will fail to start since libvirt won't change the uid and gid of the vm and vm image with type='none' model='dac' seclabel configured, this is the expect result, more explanation, you can refer the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1108593#c7 # virsh start rhel7.0 error: Failed to start domain rhel7.0 error: internal error: process exited while connecting to monitor: 2014-11-25T08:37:13.827751Z qemu-kvm: -drive file=/var/lib/libvirt/images/rhel7.0.qcow2,if=none,id=drive-virtio-disk0,format=qcow2: could not open disk image /var/lib/libvirt/images/rhel7.0.qcow2: Could not open '/var/lib/libvirt/images/rhel7.0.qcow2': Permission denied 6.Retest the steps in comment6 with the latest libvirt packet, all steps could get the expect result, so mark this bug verifed
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0323.html