Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1165485

Summary: libvirt should should add a check for disk seclabel model settings
Product: Red Hat Enterprise Linux 7 Reporter: Luyao Huang <lhuang>
Component: libvirtAssignee: Erik Skultety <eskultet>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: dyuan, eskultet, madko, mzhan, rbalakri, zhwang
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.2.13-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 05:56:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luyao Huang 2014-11-19 03:55:22 UTC 
Description of problem:
libvirt should should add a check for seclabel model settings in disk

Version-Release number of selected component (if applicable):

libvirt-1.2.8-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
S1:
1. # virsh dumpxml test5|grep -3 aa
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>

2.# getenforce 
Enforcing

3.# virsh start test5
Domain test5 started

4.guest start normal can see this config in guest xml and no warning no error in log

# virsh dumpxml test5|grep -3 aa
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>

S2:

1.prepare a guest have 3 seclabel in xml
<disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

2.# virsh start test5
Domain test5 started

3.# virsh dumpxml test5

    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none'/>
      <source file='/var/lib/libvirt/images/r6.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <backingStore/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>


Actual results:
S1: libvirt ignore the config set when start vm but we can see it via dumpxml 
S2: libvirt only check the first valid selinux image label

Expected results:
S1: report error when try to edit a invalid seclabel model or when start it
S2: forbid several disk seclabel settings

Additional info:

If libvirt want ignore it when start the guest, should give a error or warning in libvirtd.log.
Comment 1 Erik Skultety 2015-02-19 12:32:14 UTC 
Fixed upstream:
    S1:
    commit c3d9d3bbc99b6694b713f6de4198e285ba944f03
    Author: Erik Skultety <eskultet>
    Date:   Thu Feb 12 18:32:40 2015 +0100

    security: introduce virSecurityManagerCheckAllLabel function
    
    We do have a check for valid per-domain security model, however we still
    do permit an invalid security model for a domain's device (those which
    are specified with <source> element).
    This patch introduces a new function virSecurityManagerCheckAllLabel
    which compares user specified security model against currently
    registered security drivers. That being said, it also permits 'none'
    being specified as a device security model.
    
    v1.2.12-133-gc3d9d3b
================================================================================
    S2:
    commit 357f0072caac4d9a0bf887393e01007ffd8297f1
    Author: Erik Skultety <eskultet>
    Date:   Tue Feb 10 17:17:35 2015 +0100

    conf: forbid seclabel duplicates for domain devices
    
    Parser checks for per-domain seclabel duplicates, so it would be nice if
    it checked for per-device seclabel duplicates the same way

    v1.2.12-106-g357f007
Comment 4 zhenfeng wang 2015-05-05 10:00:01 UTC 
Verify this bug with libvirt-1.2.15-1.el7.x86_64
s1
1.Prepare a guest with an invalid seclabel model
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='aaa' relabel='yes'>
          <label>1234567890</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>

2.Start guest, the guest will fail to start and report an expect error
# virsh start rhel7
error: Failed to start domain rhel7
error: unsupported configuration: Unable to find security driver for model aaa

s2
1.prepare a guest have 3 same seclabel in xml
#virsh edit rhel7
--
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c5,c968</label>
        </seclabel>
        <seclabel model='selinux' relabel='yes'>
          <label>1234567</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>


2.Save the guest's xml, will fail to save the guest's xml and get an expect 
:wq
error: seclabel for model selinux is already provided
Failed. Try again? [y,n,i,f,?]:

s3
1.Set multi different label for the guest
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel7.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0:c555,c968</label>
        </seclabel>
        <seclabel model='dac' relabel='yes'>
          <label>qemu:root</label>
        </seclabel>
        <seclabel model='none' relabel='yes'>
          <label>test1:test1</label>
        </seclabel>
      </source>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
</device>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c555,c968</label>
  </seclabel>

2.Start the guest, the guest start successfully
#virsh start rhel7

# ps -efZ|grep qemu
system_u:system_r:svirt_t:s0:c555,c968 qemu 20530  1 99 17:17 ?        00:00:21 /usr/libexec/qemu-kvm -name rhel7 


According to the upper steps, mark this bug verifed
Comment 6 errata-xmlrpc 2015-11-19 05:56:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html