Bug 507555 - libvirt starting a guest with ISO on NFS mount fails when unnecessarily setting SELinux file context
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
Blocks: F11VirtTarget
 
Reported: 2009-06-23 10:11 UTC by Tim Waugh
Modified: 2009-07-27 21:27 UTC (History)

Fixed In Version: 0.6.2-13.fc11
Last Closed: 2009-07-27 21:27:56 UTC
Type: ---


Attachments
libvirt-0.6.2-unnecessary-setfilecon.patch (935 bytes, patch)
2009-06-23 10:11 UTC, Tim Waugh
qemu log (2.47 KB, text/plain)
2009-07-03 13:01 UTC, Kamil Dudka

Description Tim Waugh 2009-06-23 10:11:12 UTC
Created attachment 349074 [details]
libvirt-0.6.2-unnecessary-setfilecon.patch

Description of problem:
When installing a new image from an ISO image on an nfs mount, the operation fails and I get this error in /var/log/messages:

error : SELinuxSetFilecon: unable to set security context 'system_u:object_r:virt_content_t:s0' on /mnt/nfsmount/Fedora-11-x86_64-DVD/Fedora-11-x86_64-DVD.iso: Operation not supported.

However, the /mnt/nfsmount partition was mounted with this option:
context="system_u:object_r:virt_content_t:s0"

So it is failing to do something it doesn't need to do.

Here is a patch to spot this condition and prevent failure.

Version-Release number of selected component (if applicable):
libvirt-0.6.2-9.fc11

How reproducible:
100%

Steps to Reproduce:
1. Mount nfs directory as above.
2. Attempt to install new VM from ISO image.

Actual results:
Fails.

Expected results:
Succeeds.

Additional info:
Patch which works for me attached, which compares the existing SELinux file context to the one we want it to be if we failed to set it.
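
The approach described in the report above (on a failed relabel, read the current context and treat a match as success), sketched as an added example; this is not the attached patch or libvirt's code. Assumptions: direct security.selinux xattr calls stand in for libselinux's setfilecon/getfilecon, and the nfs_set, get_ctx_mount and get_plain_nfs stand-ins are constructed to mimic the two NFS mounts discussed in this bug.

```c
/* Added example: tolerate a failed relabel when the file already has the label. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define WANT "system_u:object_r:virt_content_t:s0"
typedef int (*set_fn)(const char *path, const char *ctx);
typedef ssize_t (*get_fn)(const char *path, char *buf, size_t len);

/* Real backends: the SELinux label is stored in the security.selinux xattr. */
int xattr_set(const char *p, const char *c) {
    return setxattr(p, "security.selinux", c, strlen(c) + 1, 0);
}
ssize_t xattr_get(const char *p, char *b, size_t n) {
    return getxattr(p, "security.selinux", b, n);
}

/* Constructed stand-ins for an NFS mount, so the logic runs without NFS. */
int nfs_set(const char *p, const char *c) { (void)p; (void)c; errno = ENOTSUP; return -1; }
static ssize_t fake_get(const char *label, char *b, size_t n) {
    size_t len = strlen(label) + 1;
    if (len > n) { errno = ERANGE; return -1; }
    memcpy(b, label, len);
    return (ssize_t)len;
}
ssize_t get_ctx_mount(const char *p, char *b, size_t n) { (void)p; return fake_get(WANT, b, n); }
ssize_t get_plain_nfs(const char *p, char *b, size_t n) { (void)p; return fake_get("system_u:object_r:nfs_t:s0", b, n); }

/* 0 if path carries `want` afterwards; -1 with the set error in errno otherwise. */
int set_filecon_if_needed(const char *path, const char *want, set_fn set, get_fn get) {
    char cur[256];
    if (set(path, want) == 0)
        return 0;
    int set_errno = errno;               /* keep the original failure reason */
    ssize_t n = get(path, cur, sizeof(cur) - 1);
    if (n > 0) {
        cur[n] = '\0';
        if (strcmp(cur, want) == 0)
            return 0;                    /* nothing to change: not an error */
    }
    errno = set_errno;
    return -1;
}

int main(void) {
    printf("context= mount: %d\n", set_filecon_if_needed("/mnt/iso", WANT, nfs_set, get_ctx_mount));
    printf("plain nfs_t:    %d\n", set_filecon_if_needed("/mnt/iso", WANT, nfs_set, get_plain_nfs));
    return 0;
}
```

Passing xattr_set and xattr_get instead of the stand-ins runs the same check against a real path.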

Comment 1 Daniel Veillard 2009-06-23 13:03:19 UTC
Makes sense to me, I forwarded the patch to the list for review,

 thanks !

Daniel

Comment 2 Mark McLoughlin 2009-07-03 09:48:53 UTC
Re-posted here:

  http://www.redhat.com/archives/libvir-list/2009-July/msg00049.html

Comment 3 Mark McLoughlin 2009-07-03 09:59:32 UTC
Added to rawhide:

* Fri Jul  3 2009 Mark McLoughlin <markmc> - 0.6.4-3.fc12
- Don't unnecessarily try to change a file context (bug #507555)

Will build for F-11 too

Comment 4 Mark McLoughlin 2009-07-03 10:09:55 UTC
F-11:

* Fri Jul  3 2009 Mark McLoughlin <markmc> - 0.6.2-13.fc11
- Don't unnecessarily try to change a file context (bug #507555)

Comment 5 Kamil Dudka 2009-07-03 13:01:39 UTC
Created attachment 350421 [details]
qemu log

libvirt-0.6.2-13.fc11.x86_64 does not solve the problem for me, log attached. I just updated the libvirt package and restarted libvirtd service. Originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=499933#c4

Comment 6 Kamil Dudka 2009-07-03 13:05:11 UTC
(In reply to comment #5)
# file /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
/mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso: ISO 9660 CD-ROM filesystem data 'RHEL/5.3 x86_64 DVD            ' (bootable)

# ls -Z /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso
-rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0       /mnt/globalsync/rhel/released/RHEL-5-Server/U3/x86_64/iso/RHEL5.3-Server-20090106.0-x86_64-DVD.iso

Comment 7 Fedora Update System 2009-07-11 17:05:25 UTC
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libvirt'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7449

Comment 8 Kamil Dudka 2009-07-11 18:06:19 UTC
(In reply to comment #6)
> -rw-rw-r--. 444 444 system_u:object_r:nfs_t:s0      

It didn't work because it has to be mounted with -o context="system_u:object_r:virt_content_t:s0".

Then the update resolves the problem.

Comment 9 Fedora Update System 2009-07-27 21:27:46 UTC
libvirt-0.6.2-13.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

