1157252 – External luns may loose the libvirt selinux label if a udev change event is triggered

Bug 1157252 - External luns may loose the libvirt selinux label if a udev change event is triggered

Summary: External luns may loose the libvirt selinux label if a udev change event is t...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	vdsm
Sub Component:
Version:	3.5.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.5.0
Assignee:	Nir Soffer
QA Contact:	Elad
Docs Contact:
URL:
Whiteboard:	storage
Depends On:	1152661
Blocks:	1157688
TreeView+	depends on / blocked

Reported:	2014-10-26 17:20 UTC by Tal Nisan
Modified:	2016-02-10 17:34 UTC (History)
CC List:	12 users (show)
Fixed In Version:	vt8
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1152661
Clones:	1157688 (view as bug list)
Environment:
Last Closed:	2015-02-16 13:40:16 UTC
oVirt Team:	Storage
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
oVirt gerrit	34162	0	ovirt-3.5	MERGED	supervdsmServer: Do not use udev to set permissions on external luns	Never

Description Tal Nisan 2014-10-26 17:20:55 UTC

+++ This bug was initially created as a clone of Bug #1152661 +++

Description of problem:

Before plugging external luns to vms, we setup up a temporary udev rule
for setting device permissions. Using this rule will cause the device to
loose the libvirt selinux label if a device has a change event, and 
running with recent systemd-udevd (e.g. Fedora 19 and later, EL 7).

This is the same issue we had with vdsm images, (bug 1127460) but with
external luns we do not trigger change events, so the issue is unlikely.
However, if it happens, it will cause a vm to pause.

Version-Release number of selected component (if applicable):
vdsm master Oct 10.

How reproducible:
Always

Steps to Reproduce:
1. Start a vm using an external lun for one of the disks
2. Trigger a change event on a device used as external lun
   udevadm trigger --verbose --action change \
      --property-match=DM_NAME=1IET_0006000a

You need to replace 1IET_0006000a with the actual device name, can be
found using multipath -ll.

Actual results:
The device will loose the svirt_image_t:s0:cxxx,cyyy label, and will get the default label fixed_disk_device_t:s0 intead. This will cause the vm to pause.

Expected results:
Libvirt sexlinux label kept and vm keep running.

Comment 2 Allon Mureinik 2014-11-20 19:17:37 UTC

The 3.5 patch is merged.
Moving to MODIFIED.

Comment 3 Elad 2014-11-25 09:54:15 UTC

SElinux label is kept for a direct LUN while it is attached to a running VM.


[root@green-vdsb dev]# multipath -ll |grep 3514f0c5447600438
3514f0c5447600438 dm-21 XtremIO ,XtremApp 

[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. root disk    system_u:object_r:fixed_disk_device_t:s0 dm-21

Started the VM:

[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. vdsm qemu    system_u:object_r:svirt_image_t:s0:c203,c878 dm-21


Changed label:

[root@green-vdsb dev]# udevadm trigger --verbose --action change --property-match=3514f0c5447600438
[root@green-vdsb dev]# ls -Z |grep dm-21
brw-rw----. vdsm qemu    system_u:object_r:svirt_image_t:s0:c203,c878 dm-21

Checked on iSCSI and FC
Verified using rhev 3.5 vt11

Comment 4 Allon Mureinik 2014-11-25 20:48:31 UTC

Nit, iiuc, there is nothing customer-facing to document here.
Can you please either confirm and set requires-doctext-, or provide the relevant documentation?
Thanks!

Comment 5 Nir Soffer 2014-11-25 21:04:10 UTC

(In reply to Allon Mureinik from comment #4)
> Nit, iiuc, there is nothing customer-facing to document here.
> Can you please either confirm and set requires-doctext-, or provide the
> relevant documentation?

I agree.

Note You need to log in before you can comment on or make changes to this bug.