Bug 494017 - restorecon breaks running VMs
Summary: restorecon breaks running VMs
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-04-03 17:50 UTC by Bill Nottingham
Modified: 2014-03-17 03:18 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-06 13:42:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Bill Nottingham 2009-04-03 17:50:47 UTC 
Description of problem:

I start a VM; it uses s-virt.

[root@nostromo ~]# ls -Z /var/lib/libvirt/images/
...
-rwxrwxr-x. root root system_u:object_r:svirt_image_t:s0:c715,c717 splat-rhel5.img
...

restorecon runs:
[root@nostromo ~]# restorecon -Rv /var/lib/libvirt/images/
restorecon reset /var/lib/libvirt/images/splat-rhel5.img context system_u:object_r:svirt_image_t:s0:c715,c717->system_u:object_r:virt_image_t:s0

The running VM is now *very* unhappy. (And I get AVCs like crazy; it doesn't
appear as if qemu/kvm is catching the -EPERM very well, and it's just retrying
over and over.

Version-Release number of selected component (if applicable):

virt-manager-0.7.0-2.fc11.x86_64
selinux-policy-targeted-3.6.10-5.fc11.noarch
qemu-system-x86-0.10-4.fc11.x86_64

How reproducible:

100%
Comment 1 Daniel Walsh 2009-04-06 13:42:29 UTC 
Fixed in selinux-policy-3.6.10-9.fc11.noarch

Added svirt_image_t and virt_content_t to /etc/selinux/targeted/context/customizable_types which tells restorecon to not change the context if it does not match the defaults.  (You can use -F to override this but an automatic relabel via update will not set this flag.)
Note You need to log in before you can comment on or make changes to this bug.