+++ This bug was initially created as a clone of Bug #1149883 +++ Description of problem: In Ovirt-3.5.0 on EL7 or Fedora, vdsm logical volumes are using less secure selinux label compared with EL6. When libvirt starts a vm, it apply "svirt_image_t:s0:cX,cY" (where X and Y are unique per vm) to writable images, and "virt_content_t" to readonly images. This separates virtual machines from each other, preventing compromised qemu process from writing into image belonging to another virtual machine. When a volume becomes full, vdsm extends and refreshes the volume. This causes a udev change event, which apply the static selinux label "svirt_image_t", for both writable images and readonly images. The static selinux label is a temporary fix for bug 1127460. Without this fix, vms would pause after extend, making thin provisioning on block storage unusable. The root cause is that udev changed the semantics of the udev rules in Fedora 19 and later, as described in bug 1147910. We do not expect to get a fix from udev. Steps to reproduce - leaf volume: 1. Create and start a vm with one thin provision disk 2. Find the storage domain id and disk lv name in vdsm log 3. Check the selinux label of the lv: ls -Z `realpath /dev/vgname/lvname` 4. Perform enough io so the disk would be extended (e.g. install os) 5. Check the selinux label of the lv again Actual results: Lv is using "svirt_image_t:s0" static label Expected results: Lv must use svirt_image_t:s0:cX,cY Steps to reproduce - internal volume: 1. Create and start a vm with one thin provision disk and one snapshot 2. Find the storage domain id and disk lv name of the base volume in vdsm log 3. Check the selinux label of the lv: ls -Z `realpath /dev/vgname/lvname` 4. Refresh the lv lvchange --refresh --config "global {use_lvmetad=0}" vgname/lvname 5. Check the selinux label of the lv again Actual results: Lv is using "svirt_image_t:s0" static label Expected results: Lv must use "virt_content_t:s0" --- Additional comment from Nir Soffer on 2014-10-06 18:24:34 EDT --- The attached patch is required but does not fix this issue. --- Additional comment from Nir Soffer on 2014-10-08 09:05:37 EDT --- http://gerrit.ovirt.org/33874 is not required for this fix now. It will be available in the next version.
Missed cutoff for 3.4.3. Moving to 3.4.4 due to: 1) RHEL 7 is only Tech Preview on 3.4, so bug is non-urgent 2) Current gerrit commit is a temporary fix 3) We cannot delay the release of 3.4.3 at this point in time
(In reply to Scott Herold from comment #1) > Missed cutoff for 3.4.3. Moving to 3.4.4 due to: > > 2) Current gerrit commit is a temporary fix It is not temporary fix, this is the real fix. We are not expecting any other fix from platform or plan any other change. If we have time to do a rebuild, there is no problem to include this fix.
reproduced using vt8 over rhel7 host. leaf volume before extend - =========================== [root@blond-vdsf ~]# ls -Z `realpath /dev/e96df368-09d6-4c9e-ba6d-fd09f09edcbc/8fd3ef93-afa3-4a23-b468-0b0345f453c1` brw-rw----. vdsm qemu system_u:object_r:svirt_image_t:s0:c43,c1008 /dev/dm-15 leaf volume after extend - ========================== [root@blond-vdsf ~]# ls -Z `realpath /dev/e96df368-09d6-4c9e-ba6d-fd09f09edcbc/8fd3ef93-afa3-4a23-b468-0b0345f453c1` brw-rw----. vdsm qemu system_u:object_r:fixed_disk_device_t:s0 /dev/dm-15
Created attachment 952089 [details] Logs01
(In reply to Aharon Canan from comment #4) > reproduced using vt8 over rhel7 host. Please attach /usr/lib/udev/rules.d/12-vdsm-lvm.rules.
Created attachment 952114 [details] /usr/lib/udev/rules.d/12-vdsm-lvm.rules
(In reply to Aharon Canan from comment #7) > Created attachment 952114 [details] > /usr/lib/udev/rules.d/12-vdsm-lvm.rules This file does not include the fix - are you sure that vt8 is installed on this machine?
You are right, used the wrong cluster in the setup by mistake. Verified using vt8 over rhel7