Bug 1153891 - Guest start failed when configure security_driver = ["selinux", "selinux"] in qemu.conf
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
Assignee: Ján Tomko
QA Contact: Virtualization Bugs
Blocks: 1153903
Reported: 2014-10-17 05:08 UTC by vivian zhang
Modified: 2015-11-19 05:54 UTC (History)

Fixed In Version: libvirt-1.2.13-1.el7
Doc Type: Bug Fix
: 1153903 (view as bug list)
Last Closed: 2015-11-19 05:54:09 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2202 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2015-11-19 08:17:58 UTC

Description vivian zhang 2014-10-17 05:08:38 UTC
Description of problem:
[sVirt] Guest start failed when security_driver = ["selinux", "selinux"] is configured in qemu.conf, while libvirtd restarts successfully without any error.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-5.el7.x86_64
qemu-kvm-rhev-2.1.2-3.el7.x86_64
kernel-3.10.0-188.el7.x86_64


How reproducible:
100%

Steps to Reproduce:

1. Prepare a normal guest in shut off state.
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 -     test                           shut off
 
2. Configure security driver in /etc/lib/qemu.conf as below.
security_driver = ["selinux","selinux"]

3. Restart libvirtd process
# service libvirtd restart

4. Check libvirtd process status is active without any error.
# ps aux |grep libvirtd
root     21097  2.8  0.2 1088924 22488 ?       Ssl  16:30   0:03 /usr/sbin/libvirtd --listen
root     21353  0.0  0.0 112640   984 pts/1    S+   16:32   0:00 grep --color=auto libvirtd

5. Starting the guest fails and an error is reported.

# virsh start test
error: Failed to start domain test
error: internal error: security label already defined for VM

6. No matter whether setenforce is 1 or 0, guest start always fails with this error.

7. No matter whether the selinux type in the guest XML is configured as none, dynamic, or static, guest start always fails with the error.
<seclabel type='none' model='selinux'/>
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_t:s0:c330,c806</label>
</seclabel>

8. The issue also occurs on RHEL6.6.

Actual results:
Guest start failed when security_driver = ["selinux", "selinux"] is configured in qemu.conf.


Expected results:
If configuring the selinux driver twice is not permitted, the libvirtd restart should check for it, fail, and report reliable error information in the log.
If configuring the selinux driver twice is permitted, guest start should succeed in this condition.


Additional info:

Comment 2 Ján Tomko 2015-01-19 11:51:48 UTC
Upstream patch:
https://www.redhat.com/archives/libvir-list/2015-January/msg00647.html

Comment 3 Ján Tomko 2015-01-19 13:04:57 UTC
Fixed upstream by:
commit d16704fd60f55251bb442d3a3efdf8dc494ce2e5
Author:     Ján Tomko <jtomko@redhat.com>
CommitDate: 2015-01-19 12:46:37 +0100

    qemu_conf: check for duplicate security drivers
    
    Using the same driver multiple times is pointless and
    it can result in confusing errors:
    
    $ virsh start test
    error: Failed to start domain test
    error: internal error: security label already defined for VM
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1153891

git describe: v1.2.11-205-gd16704f

Comment 5 zhenfeng wang 2015-04-27 11:34:45 UTC
Could reproduce this bug with comment 0's steps. Verified this bug with libvirt-1.2.14-1.el7.x86_64; the verification steps are as follows:
1. Configure security driver in /etc/lib/qemu.conf as below.
security_driver = ["selinux","selinux"]

2. Restart libvirtd. libvirtd will fail to start with the expected error
2015-04-27 11:28:27.699+0000: 15813: error : virQEMUDriverConfigLoadFile:535 : configuration file syntax error: Duplicate security driver selinux
2015-04-27 11:28:27.699+0000: 15813: error : virStateInitialize:783 : Initialization of QEMU state driver failed: configuration file syntax error: Duplicate security driver selinux
2015-04-27 11:28:27.699+0000: 15813: error : daemonRunStateInit:909 : Driver state initialization failed


3. Configure security driver in /etc/lib/qemu.conf as below
security_driver = ["selinux","abc"]

4. Restart libvirtd. libvirtd will fail to start with the following error
2015-04-27 11:32:10.328+0000: 16843: error : qemuSecurityInit:449 : Failed to initialize security drivers
2015-04-27 11:32:10.328+0000: 16843: error : virStateInitialize:783 : Initialization of QEMU state driver failed: internal error: Security driver abc not found
2015-04-27 11:32:10.328+0000: 16843: error : daemonRunStateInit:909 : Driver state initialization failed
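
Added example (not part of the bug report and not libvirt's own code): a pre-restart lint for the security_driver setting that flags the two failure cases verified above, a duplicated driver and an unrecognised driver name, so the problem is caught before libvirtd refuses to start. The KNOWN_DRIVERS set, the function names and the "last assignment wins" handling are assumptions of this sketch.

```python
import re

# Assumption: names a libvirt build may offer; availability varies per host.
KNOWN_DRIVERS = {"selinux", "apparmor", "dac", "none"}

_SETTING = re.compile(r'^\s*security_driver\s*=\s*(.+?)\s*$')
_STRING = re.compile(r'"([^"]*)"')


def parse_security_drivers(conf_text):
    """Return driver names from the active security_driver line, or None.

    Handles both a single quoted string and a bracketed list of strings.
    """
    drivers = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out default
        m = _SETTING.match(line)
        if m:
            # Assumption of this sketch: the last active assignment wins.
            drivers = _STRING.findall(m.group(1))
    return drivers


def lint_security_drivers(conf_text, known=KNOWN_DRIVERS):
    """Return a list of problems to fix before restarting libvirtd."""
    drivers = parse_security_drivers(conf_text)
    if drivers is None:
        return []  # key unset, libvirt picks its default
    problems, seen = [], set()
    for name in drivers:
        if name in seen:
            problems.append("duplicate security driver: " + name)
        seen.add(name)
        if name not in known:
            problems.append("unknown security driver: " + name)
    return problems


# Constructed sample inputs mirroring the configurations in this report.
SAMPLES = {
    "duplicate": 'security_driver = ["selinux","selinux"]\n',
    "unknown": 'security_driver = ["selinux","abc"]\n',
    "valid": '#security_driver = "selinux"\nsecurity_driver = [ "selinux", "dac" ]\n',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, lint_security_drivers(text) or "ok")
```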

Comment 7 zhenfeng wang 2015-07-16 08:00:59 UTC
Retested comment 5 with libvirt-1.2.17-1.el7.x86_64 and got the same result, so marking this bug verified.

Comment 10 errata-xmlrpc 2015-11-19 05:54:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

