Bug 494017 - restorecon breaks running VMs
restorecon breaks running VMs
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-04-03 13:50 EDT by Bill Nottingham
Modified: 2014-03-16 23:18 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-06 09:42:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bill Nottingham 2009-04-03 13:50:47 EDT
Description of problem:

I start a VM; it uses s-virt.

[root@nostromo ~]# ls -Z /var/lib/libvirt/images/
...
-rwxrwxr-x. root root system_u:object_r:svirt_image_t:s0:c715,c717 splat-rhel5.img
...

restorecon runs:
[root@nostromo ~]# restorecon -Rv /var/lib/libvirt/images/
restorecon reset /var/lib/libvirt/images/splat-rhel5.img context system_u:object_r:svirt_image_t:s0:c715,c717->system_u:object_r:virt_image_t:s0

The running VM is now *very* unhappy. (And I get AVCs like crazy; it doesn't
appear as if qemu/kvm is catching the -EPERM very well, and it's just retrying
over and over.

Version-Release number of selected component (if applicable):

virt-manager-0.7.0-2.fc11.x86_64
selinux-policy-targeted-3.6.10-5.fc11.noarch
qemu-system-x86-0.10-4.fc11.x86_64

How reproducible:

100%
Comment 1 Daniel Walsh 2009-04-06 09:42:29 EDT
Fixed in selinux-policy-3.6.10-9.fc11.noarch

Added svirt_image_t and virt_content_t to /etc/selinux/targeted/context/customizable_types which tells restorecon to not change the context if it does not match the defaults.  (You can use -F to override this but an automatic relabel via update will not set this flag.)

Note You need to log in before you can comment on or make changes to this bug.