Bug 1528628
| Summary: | seclabel element can not be successfully validated in character devices, but the setting can be exposed in live xml | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | yalzhang <yalzhang> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED NOTABUG | QA Contact: | yalzhang <yalzhang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | fjin, phrdina, rbalakri, xuzhang, yafu |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-01-02 12:34:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

(In reply to yalzhang from comment #0)
> Description of problem:
> seclabel element can not be successfully validated in character devices, but
> the setting can be exposed in live xml, and it is a one-off setting
>
> Version-Release number of selected component (if applicable):
> libvirt-3.9.0-6.el7.x86_64
>
> How reproducible:
> 100%
>
> Steps to Reproduce:
> 1. add below device into guest xml by
> # virsh edit
> ...
> <console type='file'>
>   <source path='/var/log/libvirt/test.log' append='on'>
>     <seclabel model='dac' relabel='yes'/>
>   </source>
>   <target type='virtio' port='1'/>
> </console>

This XML is wrong. You need to specify <label> as well. Unfortunately this is not properly documented.

> error: XML document failed to validate against schema: Unable to validate
> doc against /usr/share/libvirt/schemas/domain.rng
> Extra element devices in interleave
> Element domain failed to validate content
>
> Failed. Try again? [y,n,i,f,?]: ===> press "i"
>
> Domain guest XML configuration edited.
>
> 2. check the xml, it looks like seclabel setting is ignored
> # virsh dumpxml guest

The reason why it is ignored is that it doesn't make sense to specify <seclabel> with relabel='yes' without any <label>.

> ...
> <console type='file'>
>   <source path='/var/log/libvirt/test.log' append='on'/>
>   <target type='virtio' port='1'/>
> </console>
> ...
>
> 3. start the guest, the seclabel setting is back in the live xml as what we
> set, and the file is relabeled
> # virsh start guest
> Domain guest started
>
> # virsh dumpxml guest
> ...
> <console type='file'>
>   <source path='/var/log/libvirt/test.log' append='on'>
>     <seclabel model='dac' relabel='yes'/>
>   </source>
>   <target type='virtio' port='1'/>
>   <alias name='console1'/>
> </console>
> ...

This doesn't seem to be correct, if I start a guest with console device the <seclabel> element is not formatted.

>
> # ll -Z /var/log/libvirt/test.log
> -rw-------. qemu qemu system_u:object_r:virt_log_t:s0
> /var/log/libvirt/test.log
>
> 4. destroy the guest and start again, the seclabel setting is disappeared
> and back to default
> # virsh destroy guest
> Domain guest destroyed
>
> # ll -Z /var/log/libvirt/test.log
> -rw-------. root root system_u:object_r:virt_log_t:s0
> /var/log/libvirt/test.log
>
> # virsh start guest
> Domain guest started
>
> # ll -Z /var/log/libvirt/test.log
> -rw-------. root root system_u:object_r:virt_log_t:s0
> /var/log/libvirt/test.log
>
>
> Actual results:
> seclabel element can not be successfully validated in file type character
> devices, but the setting can be exposed in live xml.
> And a destroy-start will clear the setting.
>
> Expected results:
> the setting can validate successfully in inactive xml and be kept.
>
> Additional info:
> If not set seclabel setting, the default is as below:
> set a guest with in the xml
> <console type='file'>
>   <source path='/var/log/libvirt/test1.log' append='on'/>
>   <target type='virtio' port='1'/>
> </console>
>
> # ll /var/log/libvirt/test1.log
> ls: cannot access /var/log/libvirt/test1.log: No such file or directory
>
> # virsh start guest
> Domain guest started
>
> # ll -Z /var/log/libvirt/test1.log
> -rw-------. root root system_u:object_r:virt_log_t:s0
> /var/log/libvirt/test1.log

The only thing that could be improved is documentation but otherwise there is no BUG so I'm closing it as NOTABUG.

Description of problem:
seclabel element can not be successfully validated in character devices, but the setting can be exposed in live xml, and it is a one-off setting

Version-Release number of selected component (if applicable):
libvirt-3.9.0-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. add below device into guest xml by
# virsh edit
...
<console type='file'>
  <source path='/var/log/libvirt/test.log' append='on'>
    <seclabel model='dac' relabel='yes'/>
  </source>
  <target type='virtio' port='1'/>
</console>

error: XML document failed to validate against schema: Unable to validate doc against /usr/share/libvirt/schemas/domain.rng
Extra element devices in interleave
Element domain failed to validate content

Failed. Try again? [y,n,i,f,?]: ===> press "i"

Domain guest XML configuration edited.

2. check the xml, it looks like seclabel setting is ignored
# virsh dumpxml guest
...
<console type='file'>
  <source path='/var/log/libvirt/test.log' append='on'/>
  <target type='virtio' port='1'/>
</console>
...

3. start the guest, the seclabel setting is back in the live xml as what we set, and the file is relabeled
# virsh start guest
Domain guest started

# virsh dumpxml guest
...
<console type='file'>
  <source path='/var/log/libvirt/test.log' append='on'>
    <seclabel model='dac' relabel='yes'/>
  </source>
  <target type='virtio' port='1'/>
  <alias name='console1'/>
</console>
...

# ll -Z /var/log/libvirt/test.log
-rw-------. qemu qemu system_u:object_r:virt_log_t:s0 /var/log/libvirt/test.log

4. destroy the guest and start again, the seclabel setting is disappeared and back to default
# virsh destroy guest
Domain guest destroyed

# ll -Z /var/log/libvirt/test.log
-rw-------. root root system_u:object_r:virt_log_t:s0 /var/log/libvirt/test.log

# virsh start guest
Domain guest started

# ll -Z /var/log/libvirt/test.log
-rw-------. root root system_u:object_r:virt_log_t:s0 /var/log/libvirt/test.log

Actual results:
seclabel element can not be successfully validated in file type character devices, but the setting can be exposed in live xml.
And a destroy-start will clear the setting.

Expected results:
the setting can validate successfully in inactive xml and be kept.

Additional info:
If not set seclabel setting, the default is as below:
set a guest with in the xml
<console type='file'>
  <source path='/var/log/libvirt/test1.log' append='on'/>
  <target type='virtio' port='1'/>
</console>

# ll /var/log/libvirt/test1.log
ls: cannot access /var/log/libvirt/test1.log: No such file or directory

# virsh start guest
Domain guest started

# ll -Z /var/log/libvirt/test1.log
-rw-------. root root system_u:object_r:virt_log_t:s0 /var/log/libvirt/test1.log