Bug 507555 - libvirt starting a guest with ISO on NFS mount fails when unnecessarily setting SELinux file context
libvirt starting a guest with ISO on NFS mount fails when unnecessarily setti...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libvirt (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Veillard
Fedora Extras Quality Assurance
:
Depends On:
Blocks: F11VirtTarget
  Show dependency treegraph
 
Reported: 2009-06-23 06:11 EDT by Tim Waugh
Modified: 2009-07-27 17:27 EDT (History)
9 users (show)

See Also:
Fixed In Version: 0.6.2-13.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-27 17:27:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
libvirt-0.6.2-unnecessary-setfilecon.patch (935 bytes, patch)
2009-06-23 06:11 EDT, Tim Waugh
no flags Details | Diff
qemu log (2.47 KB, text/plain)
2009-07-03 09:01 EDT, Kamil Dudka
no flags Details

  None (edit)
Description Tim Waugh 2009-06-23 06:11:12 EDT
Created attachment 349074 [details]
libvirt-0.6.2-unnecessary-setfilecon.patch

Description of problem:
When installing a new image from an ISO image on an nfs mount, the operation fails and I get this error in /var/log/messages:

error : SELinuxSetFilecon: unable to set security context 'system_u:object_r:virt_content_t:s0' on /mnt/nfsmount/Fedora-11-x86_64-DVD/Fedora-11-x86_64-DVD.iso: Operation not supported.

However, the /mnt/nfsmount partition was mounted with this option:
context="system_u:object_r:virt_content_t:s0"

So it is failing to do something it doesn't need to do.

Here is a patch to spot this condition and prevent failure.

Version-Release number of selected component (if applicable):
libvirt-0.6.2-9.fc11

How reproducible:
100%

Steps to Reproduce:
1.Mount nfs directory as above.
2.Attempt to install new VM from ISO image.
  
Actual results:
Fails.

Expected results:
Succeeds.

Additional info:
Patch which works for me attached, which compares the existing SELinux file context to the one we want it to be if we failed to set it.
Comment 1 Daniel Veillard 2009-06-23 09:03:19 EDT
Makes sense to me, I forwarded the patch to the list for review,

 thanks !

Daniel
Comment 2 Mark McLoughlin 2009-07-03 05:48:53 EDT
Re-posted here:

  http://www.redhat.com/archives/libvir-list/2009-July/msg00049.html
Comment 3 Mark McLoughlin 2009-07-03 05:59:32 EDT
Added to rawhide:

* Fri Jul  3 2009 Mark McLoughlin <markmc@redhat.com> - 0.6.4-3.fc12
- Don't unnecessarily try to change a file context (bug #507555)

Will build for F-11 too
Comment 4 Mark McLoughlin 2009-07-03 06:09:55 EDT
F-11:

* Fri Jul  3 2009 Mark McLoughlin <markmc@redhat.com> - 0.6.2-13.fc11
- Don't unnecessarily try to change a file context (bug #507555)
Comment 5 Kamil Dudka 2009-07-03 09:01:39 EDT
Created attachment 350421 [details]
qemu log

libvirt-0.6.2-13.fc11.x86_64 does not solve the problem for me, log attached. I just updated the libvirt package and restarted libvirtd service. Originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=499933#c4
Comment 6 Kamil Dudka 2009-07-03 09:05:11 EDT
(In reply to comment #5)
# file /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
/mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso: ISO 9660 CD-ROM filesystem data 'RHEL/5.3 x86_64 DVD            ' (bootable)

# ls -Z /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
-rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0       /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
Comment 7 Fedora Update System 2009-07-11 13:05:25 EDT
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libvirt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7449
Comment 8 Kamil Dudka 2009-07-11 14:06:19 EDT
(In reply to comment #6)
> -rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0      

It didn't work because it has to be mounted with -o context="system_u:object_r:virt_content_t:s0".

Then the update resolves the problem.
Comment 9 Fedora Update System 2009-07-27 17:27:46 EDT
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.