RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1371125 - [regression] Permission denied when start a guest with file type serial port
Summary: [regression] Permission denied when start a guest with file type serial port
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Ján Tomko
QA Contact: Virtualization Bugs
URL:
Whiteboard:
: 1502879 (view as bug list)
Depends On:
Blocks: 1378803
TreeView+ depends on / blocked
 
Reported: 2016-08-29 12:05 UTC by Jingjing Shao
Modified: 2021-06-10 11:29 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1378803 (view as bug list)
Environment:
Last Closed: 2016-09-12 16:15:16 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Jingjing Shao 2016-08-29 12:05:09 UTC
Description of problem:
Permission denied when start a guest with file type serial port 

Version-Release number of selected component (if applicable):
libvirt-2.0.0-6.el7.x86_64
qemu-kvm-rhev-2.6.0-22.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
[on guest]
1. Add console=ttyS0,115200 to guest kernel line.

[on host]
1.# mkdir /test
2.Add the following XML to a domain, and delete other serial nodes.
<serial type="file">
   <source path="/test/vm-serial.log"/>
   <target port="1"/>
</serial>
3. Start the domain.
# virsh start vm-jishao
error: Failed to start domain vm-jishao
error: Unable to open file: /test/vm-serial.log: Permission denied


Actual results:
can not start the guest with file type serial port 

Expected results:
It should start successfully

Additional info:
Testing with libvirt-1.2.17-13.el7.x86_64 and qemu-kvm-1.5.3-105.el7.x86_64
the guest can start successfully

Comment 2 Jingjing Shao 2016-08-30 03:13:23 UTC
With  RHEL7.2 release os + qemu-kvm + libvirt,I can not reproduce the issue,the result is as below

kernel-3.10.0-327.el7.x86_64,
qemu-kvm-1.5.3-105.el7.x86_64,
libvirt-1.2.17-13.el7.x86_64

[on guest]
1. Add console=ttyS0,115200 to guest kernel line.

[on host]
1.# mkdir /test
2.Add the following XML to a domain, and delete other serial nodes.
<serial type="file">
   <source path="/test/vm-serial.log"/>
   <target port="1"/>
</serial>

3. Start the domain.
# virsh start vm-jishao
Domain vm-jishao started

4.# virsh dumpxml vm-jishao | grep serial -A8
    <serial type='file'>
      <source path='/test/vm-serial.log'/>
      <target port='1'/>
      <alias name='serial0'/>
    </serial>
    <console type='file'>
      <source path='/test/vm-serial.log'/>
      <target type='serial' port='1'/>
      <alias name='serial0'/>
    </console>

Comment 4 Jingjing Shao 2016-09-08 07:45:29 UTC
I try the start the guest when set selinux Permissive, the guest can be started successfully but the file can not print any log of guest

libvirt-2.0.0-6.el7.x86_64

1.# mkdir /test
2.Add the following XML to a domain, and delete other serial nodes.
<serial type="file">
   <source path="/test/vm-serial.log"/>
   <target port="1"/>
</serial>

3.# setenforce 0
  # getenforce
   Permissive

 
4. Start the domain.
# virsh start r7.2
Domain r7.2 started

5.# cat vm-serial.log     
  #
  # 
  #

Comment 5 Ján Tomko 2016-09-12 16:15:16 UTC
I am getting an AVC denial:
selinux-policy-3.13.1-97.el7.noarch

type=AVC msg=audit(1473346336.479:57889): avc:  denied  { append } for  pid=12539 comm="virtlogd" name="vm-serial.log" dev="sda7" ino=262152 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1473346336.479:57889): arch=c000003e syscall=2 success=no exit=-13 a0=7fe898000b10 a1=80441 a2=180 a3=7fe898000b30 items=0 ppid=1 pid=12539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)


Per bug 1311606 virtlogd is contained and should not be able to access everything.
And the domain starts for me if I use /var/log/libvirt as the path to the log file, or manually adjust the context of the /test directory to virt_log_t. 
(Disabling virtlogd in qemu.conf:
stdio_handler = "file"
also allows me to start the domain)

I don't think libvirt should be changing the context of random directories in the filesystem, we don't do that for disks either.

Comment 9 Shanmugavel Balu 2016-11-08 19:46:09 UTC
Hello, i have set "stdio_handler = "file" in qemu.conf and now i am able to start the domain. but it will lead to security issue right, so what is the correct fix for this issue.

Workaround used:
# The backend to use for handling stdout/stderr output from
# QEMU processes.
#
#  'file': QEMU writes directly to a plain file. This is the
#          historical default, but allows QEMU to inflict a
#          denial of service attack on the host by exhausting
#          filesystem space
#
#  'logd': QEMU writes to a pipe provided by virtlogd daemon.
#          This is the current default, providing protection
#          against denial of service by performing log file
#          rollover when a size limit is hit.
#
stdio_handler = "file"

Actual issue:
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00]     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] libvirtError: Unable to open file: /var/lib/nova/instances/9730e067-3c4f-4241-9bae-693d95f53e00/console.log: Permission denied
2016-11-07 18:06:34.810 19880 ERROR nova.compute.manager [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] 
2016-11-07 18:06:34.811 19880 INFO nova.compute.manager [req-17b73d5b-a406-439e-8e4d-9a40c04a1f9a 2ec0f13b4e494d49b2901281fc640d71 c900d0d4a8d24a8ab29fdb06b5f81d99 - - -] [instance: 9730e067-3c4f-4241-9bae-693d95f53e00] Terminating instance

Looking for the right fix.

Comment 10 Jiri Denemark 2016-11-18 16:08:18 UTC
*** Bug 1396518 has been marked as a duplicate of this bug. ***

Comment 13 Jaroslav Suchanek 2017-09-01 14:14:33 UTC
*** Bug 1483466 has been marked as a duplicate of this bug. ***

Comment 14 Jaroslav Suchanek 2017-10-23 13:37:28 UTC
*** Bug 1502879 has been marked as a duplicate of this bug. ***

Comment 15 Jaroslav Suchanek 2017-10-23 13:48:57 UTC
*** Bug 1499800 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.