Bug 1151819 - Vdsm images use less secure selinux label after a lv is refreshed
Summary: Vdsm images use less secure selinux label after a lv is refreshed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 3.5.0
Assignee: Nir Soffer
QA Contact: Aharon Canan
URL:
Whiteboard: storage
Depends On: 1149883
Blocks: 1073943 1152647 rhev3.5beta3
TreeView+ depends on / blocked
 
Reported: 2014-10-12 08:20 UTC by Tal Nisan
Modified: 2016-02-10 18:40 UTC (History)
18 users (show)

Fixed In Version: vdsm-4.16.7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1149883
: 1152647 (view as bug list)
Environment:
Last Closed: 2015-02-16 13:38:48 UTC
oVirt Team: Storage


Attachments (Terms of Use)
Logs01 (2.22 MB, application/x-gzip)
2014-10-30 12:30 UTC, Aharon Canan
no flags Details
/usr/lib/udev/rules.d/12-vdsm-lvm.rules (4.55 KB, text/plain)
2014-10-30 13:19 UTC, Aharon Canan
no flags Details


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 33875 None None None Never
oVirt gerrit 33931 ovirt-3.5 MERGED lvm: Do not use udev to set permissions on vdsm images Never

Description Tal Nisan 2014-10-12 08:20:02 UTC
+++ This bug was initially created as a clone of Bug #1149883 +++

Description of problem:

In Ovirt-3.5.0 on EL7 or Fedora, vdsm logical volumes are using
less secure selinux label compared with EL6.

When libvirt starts a vm, it apply "svirt_image_t:s0:cX,cY"
(where X and Y are unique per vm) to writable images, and
"virt_content_t" to readonly images. This separates virtual
machines from each other, preventing compromised qemu process
from writing into image belonging to another virtual machine.

When a volume becomes full, vdsm extends and refreshes the
volume. This causes a udev change event, which apply the static
selinux label "svirt_image_t", for both writable images and
readonly images.

The static selinux label is a temporary fix for bug 1127460. 
Without this fix, vms would pause after extend, making thin 
provisioning on block storage unusable.

The root cause is that udev changed the semantics of the udev
rules in Fedora 19 and later, as described in bug 1147910. 
We do not expect to get a fix from udev.


Steps to reproduce - leaf volume:

1. Create and start a vm with one thin provision disk
2. Find the storage domain id and disk lv name in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Perform enough io so the disk would be extended (e.g. install os)
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use svirt_image_t:s0:cX,cY


Steps to reproduce - internal volume:

1. Create and start a vm with one thin provision disk and one snapshot
2. Find the storage domain id and disk lv name of the base volume in vdsm log
3. Check the selinux label of the lv:
   ls -Z `realpath /dev/vgname/lvname`
4. Refresh the lv
   lvchange --refresh --config "global {use_lvmetad=0}" vgname/lvname
5. Check the selinux label of the lv again

Actual results:
Lv is using "svirt_image_t:s0" static label

Expected results:
Lv must use "virt_content_t:s0"

--- Additional comment from Nir Soffer on 2014-10-06 18:24:34 EDT ---

The attached patch is required but does not fix this issue.

--- Additional comment from Nir Soffer on 2014-10-08 09:05:37 EDT ---

http://gerrit.ovirt.org/33874 is not required for this fix now. It will be available in the next version.

Comment 1 Scott Herold 2014-10-14 07:33:53 UTC
Missed cutoff for 3.4.3.  Moving to 3.4.4 due to:

1) RHEL 7 is only Tech Preview on 3.4, so bug is non-urgent
2) Current gerrit commit is a temporary fix
3) We cannot delay the release of 3.4.3 at this point in time

Comment 2 Nir Soffer 2014-10-14 15:17:32 UTC
(In reply to Scott Herold from comment #1)
> Missed cutoff for 3.4.3.  Moving to 3.4.4 due to:
> 
> 2) Current gerrit commit is a temporary fix

It is not temporary fix, this is the real fix. We are not expecting any other fix from platform or plan any other change.

If we have time to do a rebuild, there is no problem to include this fix.

Comment 4 Aharon Canan 2014-10-30 12:29:02 UTC
reproduced using vt8 over rhel7 host.

leaf volume before extend -
=========================== 
[root@blond-vdsf ~]# ls -Z `realpath /dev/e96df368-09d6-4c9e-ba6d-fd09f09edcbc/8fd3ef93-afa3-4a23-b468-0b0345f453c1`
brw-rw----. vdsm qemu system_u:object_r:svirt_image_t:s0:c43,c1008 /dev/dm-15

leaf volume after extend - 
==========================
[root@blond-vdsf ~]# ls -Z `realpath /dev/e96df368-09d6-4c9e-ba6d-fd09f09edcbc/8fd3ef93-afa3-4a23-b468-0b0345f453c1`
brw-rw----. vdsm qemu system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15

Comment 5 Aharon Canan 2014-10-30 12:30:31 UTC
Created attachment 952089 [details]
Logs01

Comment 6 Nir Soffer 2014-10-30 13:14:25 UTC
(In reply to Aharon Canan from comment #4)
> reproduced using vt8 over rhel7 host.

Please attach /usr/lib/udev/rules.d/12-vdsm-lvm.rules.

Comment 7 Aharon Canan 2014-10-30 13:19:29 UTC
Created attachment 952114 [details]
/usr/lib/udev/rules.d/12-vdsm-lvm.rules

Comment 8 Nir Soffer 2014-10-30 13:23:46 UTC
(In reply to Aharon Canan from comment #7)
> Created attachment 952114 [details]
> /usr/lib/udev/rules.d/12-vdsm-lvm.rules

This file does not include the fix - are you sure that vt8 is installed on this machine?

Comment 9 Aharon Canan 2014-10-30 13:47:40 UTC
You are right, used the wrong cluster in the setup by mistake.

Verified using vt8 over rhel7


Note You need to log in before you can comment on or make changes to this bug.