Description of problem:
[sVirt] Guest start fails when security_driver = ["selinux", "selinux"] is configured in qemu.conf, while libvirtd restarts successfully without any error.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-5.el7.x86_64
qemu-kvm-rhev-2.1.2-3.el7.x86_64
kernel-3.10.0-188.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a normal guest in shut off state.
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     test                           shut off

2. Configure the security driver in /etc/lib/qemu.conf as below.
security_driver = ["selinux","selinux"]

3. Restart the libvirtd process.
# service libvirtd restart

4. Check that the libvirtd process status is active without any error.
# ps aux |grep libvirtd
root     21097  2.8  0.2 1088924 22488 ?       Ssl  16:30   0:03 /usr/sbin/libvirtd --listen
root     21353  0.0  0.0 112640   984 pts/1    S+   16:32   0:00 grep --color=auto libvirtd

5. Starting the guest fails, and an error is reported.
# virsh start test
error: Failed to start domain test
error: internal error: security label already defined for VM

6. No matter whether setenforce is 1 or 0, guest start always fails with this error.

7. No matter whether the selinux type is configured as none, dynamic, or static in the guest XML, guest start always fails with the error.
<seclabel type='none' model='selinux'/>

<seclabel type='dynamic' model='selinux' relabel='yes'/>

<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c330,c806</label>
</seclabel>

8. The issue is also hit on RHEL6.6.

Actual results:
Guest start fails when security_driver = ["selinux", "selinux"] is configured in qemu.conf.

Expected results:
If configuring the selinux security driver twice is not permitted, libvirtd restart should check for it, fail, and report reliable error information in the log.
If configuring the selinux security driver twice is permitted, guest start should succeed in this condition.

Additional info:
Upstream patch: https://www.redhat.com/archives/libvir-list/2015-January/msg00647.html
Fixed upstream by:

commit d16704fd60f55251bb442d3a3efdf8dc494ce2e5
Author:     Ján Tomko <jtomko>
CommitDate: 2015-01-19 12:46:37 +0100

    qemu_conf: check for duplicate security drivers

    Using the same driver multiple times is pointless and it can
    result in confusing errors:

    $ virsh start test
    error: Failed to start domain test
    error: internal error: security label already defined for VM

    https://bugzilla.redhat.com/show_bug.cgi?id=1153891

git describe: v1.2.11-205-gd16704f
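Added example, not libvirt's code and not part of this bug report: a pre-restart check that flags a security driver named more than once in a qemu.conf security_driver setting, which is the condition the upstream commit rejects. The function name, the sample configs, and the simplified parsing (double-quoted names, "#" comments) are assumptions.

```python
import re
import sys

# Matches  security_driver = "x"  or  security_driver = [ "x", "y" ]
# (the list form may span several lines).
_SETTING = re.compile(r'^\s*security_driver\s*=\s*(\[[^\]]*\]|"[^"]*")', re.M)

# Constructed sample inputs.
SAMPLE_DUPLICATE = '''
#security_driver = "selinux"
security_driver = ["selinux","selinux"]
'''
SAMPLE_STACKED = 'security_driver = [ "selinux",\n    "apparmor" ]\n'


def duplicate_security_drivers(conf_text):
    """Return driver names that appear more than once in a security_driver value."""
    # Assumption: '#' starts a comment and never occurs inside a driver name.
    active = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    dupes = []
    for value in _SETTING.findall(active):
        seen = set()
        for name in re.findall(r'"([^"]*)"', value):
            if name in seen and name not in dupes:
                dupes.append(name)
            seen.add(name)
    return dupes


if __name__ == "__main__":
    # Usage: python check_secdrivers.py <path to qemu.conf>
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = duplicate_security_drivers(fh.read())
    for name in found:
        print(f"Duplicate security driver {name}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run against the config before restarting libvirtd on builds that predate the fix, where the duplicate only surfaces later as a guest start failure.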
Could reproduce this bug with comment 0's steps. Verified this bug with libvirt-1.2.14-1.el7.x86_64; the verification steps are as follows:

1. Configure the security driver in /etc/lib/qemu.conf as below.
security_driver = ["selinux","selinux"]

2. Restart libvirtd. libvirtd will fail to start with the expected error:
2015-04-27 11:28:27.699+0000: 15813: error : virQEMUDriverConfigLoadFile:535 : configuration file syntax error: Duplicate security driver selinux
2015-04-27 11:28:27.699+0000: 15813: error : virStateInitialize:783 : Initialization of QEMU state driver failed: configuration file syntax error: Duplicate security driver selinux
2015-04-27 11:28:27.699+0000: 15813: error : daemonRunStateInit:909 : Driver state initialization failed

3. Configure the security driver in /etc/lib/qemu.conf as below.
security_driver = ["selinux","abc"]

4. Restart libvirtd. libvirtd will fail to start with the following error:
2015-04-27 11:32:10.328+0000: 16843: error : qemuSecurityInit:449 : Failed to initialize security drivers
2015-04-27 11:32:10.328+0000: 16843: error : virStateInitialize:783 : Initialization of QEMU state driver failed: internal error: Security driver abc not found
2015-04-27 11:32:10.328+0000: 16843: error : daemonRunStateInit:909 : Driver state initialization failed
Retested comment 5 with libvirt-1.2.17-1.el7.x86_64 and got the same result, so marking this bug verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2202.html