Description of problem: In Ovirt-3.5.0 on EL7 or Fedora, vdsm logical volumes are using less secure selinux label compared with EL6. When libvirt starts a vm, it apply "svirt_image_t:s0:cX,cY" (where X and Y are unique per vm) to writable images, and "virt_content_t" to readonly images. This separates virtual machines from each other, preventing compromised qemu process from writing into image belonging to another virtual machine. When a volume becomes full, vdsm extends and refreshes the volume. This causes a udev change event, which apply the static selinux label "svirt_image_t", for both writable images and readonly images. The static selinux label is a temporary fix for bug 1127460. Without this fix, vms would pause after extend, making thin provisioning on block storage unusable. The root cause is that udev changed the semantics of the udev rules in Fedora 19 and later, as described in bug 1147910. We do not expect to get a fix from udev. Steps to reproduce - leaf volume: 1. Create and start a vm with one thin provision disk 2. Find the storage domain id and disk lv name in vdsm log 3. Check the selinux label of the lv: ls -Z `realpath /dev/vgname/lvname` 4. Perform enough io so the disk would be extended (e.g. install os) 5. Check the selinux label of the lv again Actual results: Lv is using "svirt_image_t:s0" static label Expected results: Lv must use svirt_image_t:s0:cX,cY Steps to reproduce - internal volume: 1. Create and start a vm with one thin provision disk and one snapshot 2. Find the storage domain id and disk lv name of the base volume in vdsm log 3. Check the selinux label of the lv: ls -Z `realpath /dev/vgname/lvname` 4. Refresh the lv lvchange --refresh --config "global {use_lvmetad=0}" vgname/lvname 5. Check the selinux label of the lv again Actual results: Lv is using "svirt_image_t:s0" static label Expected results: Lv must use "virt_content_t:s0"
The attached patch is required but does not fix this issue.
http://gerrit.ovirt.org/33874 is not required for this fix now. It will be available in the next version.
oVirt 3.5 has been released and should include the fix for this issue.