Bug 1138487 - one of guest will be shut off when restart libvirtd while disable the default security labeling
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: x86_64 All
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Ján Tomko
QA Contact: Virtualization Bugs
Blocks: 1138488
Reported: 2014-09-04 20:53 EDT by Luyao Huang
Modified: 2015-03-05 02:43 EST
Fixed In Version: libvirt-1.2.8-5.el7
Doc Type: Bug Fix
Clone Of:
: 1138488 (view as bug list)
Last Closed: 2015-03-05 02:43:56 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0323 normal SHIPPED_LIVE Low: libvirt security, bug fix, and enhancement update 2015-03-05 07:10:54 EST

Description Luyao Huang 2014-09-04 20:53:46 EDT
Description of problem:
One of the guests will be shut off when libvirtd is restarted while the default security labeling is disabled and the number of running guests is > 1

Version-Release number of selected component (if applicable):
libvirt-1.2.8-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 # service libvirtd restart

2. Start two guests without a configured security label
# virsh start r6
Domain r6 started

# virsh start win7
Domain win7 started

# virsh dumpxml r6

  <seclabel type='none' model='selinux'/>

# virsh dumpxml win7

 <seclabel type='none' model='selinux'/>

3. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 2     r6                             running
 3     win7                           running

3. Restart libvirtd
 # service libvirtd restart
4. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 3     win7                           running
 -     r6                             shut off

5. # ps aux|grep r6
root     19008  0.0  0.0 112640   964 pts/0    S+   12:51   0:00 grep --color=auto r6

Actual results:
One of the guests is shut off after libvirtd restart

Expected results:
All guests are running after restarting libvirtd

Additional info:


Log from /var/log/libvirt/libvirtd.log:


2014-09-04 06:31:02.161+0000: 8826: info : libvirt version: 1.2.8, package: 1.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2014-09-02-05:19:38, x86-021.build.eng.bos.redhat.com)
2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : internal error: End of file from monitor
2014-09-04 06:31:02.192+0000: 8881: error : virSecuritySELinuxReserveSecurityLabel:758 : internal error: MCS level for existing domain label  already reserved
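
A pre-restart check for the condition reproduced above, as an added example that is not part of the original report or of libvirt: it counts running guests whose domain XML carries a top-level seclabel with type='none' and model='selinux', and scans a libvirtd.log excerpt for the reservation error quoted in the description. The f20 guest, the sample XML and all function names are constructed for illustration; the "more than one guest" threshold comes from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `virsh dumpxml` output for three running guests.
# r6 and win7 mirror the report; f20 is a hypothetical dynamically labelled guest.
RUNNING = {
    "r6": "<domain><name>r6</name><seclabel type='none' model='selinux'/></domain>",
    "win7": "<domain><name>win7</name><seclabel type='none' model='selinux'/></domain>",
    "f20": ("<domain><name>f20</name><seclabel type='dynamic' model='selinux'>"
            "<label>system_u:system_r:svirt_t:s0:c12,c345</label></seclabel></domain>"),
}

# The two error lines from the report's libvirtd.log excerpt.
LOG = (
    "2014-09-04 06:31:02.161+0000: 8826: error : qemuAgentIO:634 : "
    "internal error: End of file from monitor\n"
    "2014-09-04 06:31:02.192+0000: 8881: error : "
    "virSecuritySELinuxReserveSecurityLabel:758 : internal error: "
    "MCS level for existing domain label  already reserved\n"
)

RESERVE_ERR = re.compile(
    r"^(?P<ts>\S+ \S+): \d+: error : "
    r"virSecuritySELinuxReserveSecurityLabel:\d+ : .*already reserved")


def unlabeled_guests(domains):
    """Names of guests with a top-level <seclabel type='none' model='selinux'/>."""
    hits = []
    for name, xml_text in domains.items():
        # findall() looks at direct children only, so per-device seclabels are ignored.
        for sl in ET.fromstring(xml_text).findall("seclabel"):
            if sl.get("model") == "selinux" and sl.get("type") == "none":
                hits.append(name)
                break
    return sorted(hits)


def restart_at_risk(domains):
    """The report's trigger: more than one running guest with type='none'."""
    return len(unlabeled_guests(domains)) > 1


def reservation_failures(log_text):
    """Timestamps of label-reservation errors found in a libvirtd.log excerpt."""
    return [m.group("ts") for line in log_text.splitlines()
            if (m := RESERVE_ERR.match(line))]


if __name__ == "__main__":
    print("type='none' guests:", unlabeled_guests(RUNNING))
    print("restart at risk:", restart_at_risk(RUNNING))
    print("reservation errors at:", reservation_failures(LOG))
```
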
Comment 2 Ján Tomko 2014-09-30 11:40:58 EDT
Fixed upstream by:
commit a48362cdfeb5c948218a2e4bf7cc9354082fc1b6
Author:     Shivaprasad G Bhat <shivaprasadbhat@gmail.com>
AuthorDate: 2014-09-04 14:42:32 +0530
Commit:     Martin Kletzander <mkletzan@redhat.com>
CommitDate: 2014-09-07 17:09:34 +0200

    selinux: Avoid label reservations for type = none
    
    For security type='none' libvirt according to the docs should not
    generate seclabel be it for selinux or any model. So, skip the
    reservation of labels when type is none.
    
    Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>

git describe: v1.2.8-46-ga48362c contains: v1.2.9-rc1~218
Comment 5 vivian zhang 2014-10-13 23:24:50 EDT
I can reproduce with build: libvirt-1.2.8-1.el7.x86_64

Verify with build: libvirt-1.2.8-5.el7.x86_64

Steps:
1. Disable the default security labeling in /etc/libvirt/qemu.conf
 security_default_confined = 0
 # service libvirtd restart

2. Start two guests without a configured security label
# virsh start r6
Domain r6 started

# virsh start win7
Domain win7 started

# virsh dumpxml r6

  <seclabel type='none' model='selinux'/>

# virsh dumpxml win7

 <seclabel type='none' model='selinux'/>

3. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 22    win7                           running
 24    r6                             running


3. Restart libvirtd
 # service libvirtd restart

4. # virsh list --all
 Id    Name                           State
----------------------------------------------------
 22    win7                           running
 24    r6                             running

5. Check with ps that the guest processes exist
# ps aux |grep win7
qemu      8632 35.5 14.0 1673940 1118920 ?     Sl   11:20   0:56 /usr/libexec/qemu-kvm -name win7 -S -machine pc-i440fx-rhel7.1.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 32aae2f3-cdcd-45fc-9a39-9f4a94aa7323 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/win7.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/kvm-win7-x86_64-qcow2.img,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=25,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:8c:38:a5,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=127.0.0.1,disable-ticketing,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
root      9297  0.0  0.0 112644   980 pts/0    S+   11:22   0:00 grep --color=auto win7

# ps aux |grep r6
qemu      8923 23.9  6.1 5717324 486480 ?      Sl   11:21   0:26 /usr/libexec/qemu-kvm -name r6 -S -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 626ab801-e31b-49e6-85f3-12bccff308ad -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/r6.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/r6.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=29 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c1:d0:23,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0,websocket=5700 -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
root      9319  0.0  0.0 112640   976 pts/0    S+   11:23   0:00 grep --color=auto r6



Move to verified.
Comment 7 errata-xmlrpc 2015-03-05 02:43:56 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html
