1149883 – Vdsm images use less secure selinux label after a lv is refreshed

Bug 1149883 - Vdsm images use less secure selinux label after a lv is refreshed

Summary: Vdsm images use less secure selinux label after a lv is refreshed

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	oVirt
Classification:	Retired
Component:	vdsm
Sub Component:
Version:	3.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	3.5.0
Assignee:	Nir Soffer
QA Contact:	Ori Gofen
Docs Contact:
URL:
Whiteboard:	storage
Depends On:
Blocks:	1073943 1151819
TreeView+	depends on / blocked

Reported:	2014-10-06 20:13 UTC by Nir Soffer
Modified:	2016-02-10 19:43 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1151819 (view as bug list)
Environment:
Last Closed:	2014-10-17 12:25:18 UTC
oVirt Team:	Storage
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	33875	0	master	MERGED	lvm: Do not use udev to set permissions on vdsm images	Never
oVirt gerrit	33931	0	ovirt-3.5	MERGED	lvm: Do not use udev to set permissions on vdsm images	Never

Description Nir Soffer 2014-10-06 20:13:10 UTC

Description of problem:

In Ovirt-3.5.0 on EL7 or Fedora, vdsm logical volumes are using
less secure selinux label compared with EL6.

When libvirt starts a vm, it apply "svirt_image_t:s0:cX,cY"
(where X and Y are unique per vm) to writable images, and
"virt_content_t" to readonly images. This separates virtual
machines from each other, preventing compromised qemu process
from writing into image belonging to another virtual machine.

When a volume becomes full, vdsm extends and refreshes the
volume. This causes a udev change event, which apply the static
selinux label "svirt_image_t", for both writable images and
readonly images.

The static selinux label is a temporary fix for bug 1127460. 
Without this fix, vms would pause after extend, making thin 
provisioning on block storage unusable.

The root cause is that udev changed the semantics of the udev
rules in Fedora 19 and later, as described in bug 1147910. 
We do not expect to get a fix from udev.


Steps to reproduce - leaf volume:

1. Create and start a vm with one thin provision disk
2. Find the storage domain id and disk lv name in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Perform enough io so the disk would be extended (e.g. install os)
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use svirt_image_t:s0:cX,cY


Steps to reproduce - internal volume:

1. Create and start a vm with one thin provision disk and one snapshot
2. Find the storage domain id and disk lv name of the base volume in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Refresh the lv
   lvchange --refresh --config "global {use_lvmetad=0}" vgname/lvname
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use "virt_content_t:s0"

Comment 1 Nir Soffer 2014-10-06 22:24:34 UTC

The attached patch is required but does not fix this issue.

Comment 2 Nir Soffer 2014-10-08 13:05:37 UTC

http://gerrit.ovirt.org/33874 is not required for this fix now. It will be available in the next version.

Comment 3 Sandro Bonazzola 2014-10-17 12:25:18 UTC

oVirt 3.5 has been released and should include the fix for this issue.

Note You need to log in before you can comment on or make changes to this bug.