Bug 600279 - live migration with selinux and libvirt throws an error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On: 582030
Reported: 2010-06-04 06:43 EDT by Jianjiao Sun
Modified: 2012-10-15 10:06 EDT (History)
Fixed In Version: selinux-policy-3.7.19-24.el6
Doc Type: Bug Fix
Clone Of: 582030
Last Closed: 2010-11-10 16:34:30 EST
Description Jianjiao Sun 2010-06-04 06:43:42 EDT
+++ This bug was initially created as a clone of Bug #582030 +++

Description of problem:
I'm testing out live migration of KVM guests as per the rhel6 Test Day.  I have two identical Intel x86_64 machines, both running the Fedora Test Day image.  When trying to live migrate an rhel5.5 i386 guest between them with SELinux in enforcing mode, I'm getting:
# virsh migrate m2 qemu+ssh://10.66.65.144/system --live
error: unable to set user and group to '0:0' on '/var/lib/libvirt/migrate/RHEL-Server-5.5-32-virtio.qcow2.1': Permission denied
/var/log/audit/audit.log says:
type=AVC msg=audit(1275648230.530:144): avc:  denied  { read } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
type=AVC msg=audit(1275648230.530:145): avc:  denied  { read } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
type=AVC msg=audit(1275648230.533:146): avc:  denied  { setattr } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
If I set SELinux to permissive mode, then the live migration succeeds.

--- Additional comment from clalance@redhat.com on 2010-04-13 17:30:08 EDT ---

Oh, I should also mention that my disk image is shared from this machine via nfs with /etc/exports that looks like:

/var/lib/libvirt/images	*(rw,no_root_squash)

Also, the versions of my packages are:

kernel-2.6.33.1-19.fc13.x86_64
libvirt-0.7.7-1.fc13.x86_64
qemu-kvm-0.12.3-6.fc13.x86_64

--- Additional comment from clalance@redhat.com on 2010-04-13 17:53:22 EDT ---

I should also clarify my statement about setting SELinux to permissive mode.  If I set SELinux to permissive mode on the *source* of the migration, then I get a little bit further, but then I run into another issue:

[root@localhost ~]# virsh migrate --live f13x86_64 qemu+ssh://locutus.usersys.redhat.com/system
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/2
qemu: could not open disk image /var/lib/libvirt/images/f13x86_64.dsk: Permission denied

If I then set SELinux to permissive on the destination, things succeed.
Comment 2 RHEL Product and Program Management 2010-06-04 12:13:25 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 Daniel Berrange 2010-06-08 08:23:37 EDT
The original Fedora bug has been confirmed as needing an selinux policy addition. Re-assigning component for RHEL
Comment 4 Daniel Walsh 2010-06-08 08:40:41 EDT
Needs

mcs_file_read_all(kernel_t)
mcs_file_write_all(kernel_t)
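The denials in the description and the fix in comment 4 both come down to the MCS part of the label: nfsd runs as kernel_t at plain s0, the disk image carries s0:c849,c987, and the MCS constraints let a subject read or write a file only when its categories dominate the file's, unless the subject type carries the mcsreadall / mcswriteall attribute that mcs_file_read_all() and mcs_file_write_all() add. The following Python script is an added example and is not part of this bug report or of selinux-policy. It replays the three AVC records quoted above through a simplified model of that constraint (the permission sets in MCS_OVERRIDE are this example's approximation of the reference policy's mcs constraints, not a quotation of them; type enforcement is not modelled) and shows how the attribute fix flips the result while a qemu process labelled for a different guest stays excluded.

```python
import re
from dataclasses import dataclass

# The three AVC records quoted in the bug description (verbatim from the report).
AVC_LINES = """\
type=AVC msg=audit(1275648230.530:144): avc:  denied  { read } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
type=AVC msg=audit(1275648230.530:145): avc:  denied  { read } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
type=AVC msg=audit(1275648230.533:146): avc:  denied  { setattr } for  pid=8295 comm="nfsd" name="RHEL-Server-5.5-32-virtio.qcow2.1" dev=sda3 ino=786440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c849,c987 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Simplified MCS constraints on the file class (this example's approximation of
# the reference policy's policy/mcs, not a quotation of it): read-side
# permissions need the subject's categories to dominate the object's unless the
# subject type has the mcsreadall attribute; write-side permissions, setattr
# included, likewise with mcswriteall. Permissions not listed are unconstrained.
MCS_OVERRIDE = {
    "read": "mcsreadall", "getattr": "mcsreadall", "execute": "mcsreadall",
    "write": "mcswriteall", "setattr": "mcswriteall", "append": "mcswriteall",
    "unlink": "mcswriteall", "link": "mcswriteall", "rename": "mcswriteall",
}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset


def _expand_categories(spec: str) -> frozenset:
    """Expand 'c849,c987' or a range such as 'c0.c1023' into a set of category names."""
    cats = set()
    for item in filter(None, spec.split(",")):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(item)
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:level'; for a level range keep only the high level,
    since the MCS constraint compares the subject's high level with the object's."""
    user, role, typ, level = ctx.split(":", 3)
    level = level.split("-")[-1]          # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    sens, _, cats = level.partition(":")
    return Context(user, role, typ, sens, _expand_categories(cats))


def mcs_allows(subject: Context, obj: Context, perm: str, subject_attrs=frozenset()) -> bool:
    """True if the (simplified) MCS constraint lets `subject` perform `perm` on `obj`."""
    override = MCS_OVERRIDE.get(perm)
    if override is None:            # permission is not MCS-constrained
        return True
    if override in subject_attrs:   # e.g. kernel_t after mcs_file_read_all(kernel_t)
        return True
    return obj.categories <= subject.categories


def evaluate(avc_text: str, type_attrs=None) -> list:
    """Replay each AVC record through the MCS check. `type_attrs` maps a source
    type to the MCS attributes it carries. Returns (comm, perm, target type, allowed)."""
    type_attrs = type_attrs or {}
    out = []
    for m in AVC_RE.finditer(avc_text):
        s, o = parse_context(m["scontext"]), parse_context(m["tcontext"])
        attrs = frozenset(type_attrs.get(s.type, ()))
        for perm in m["perms"].split():
            out.append((m["comm"], perm, o.type, mcs_allows(s, o, perm, attrs)))
    return out


# Attributes granted to kernel_t by the two interfaces named in comment 4.
FIX_FROM_COMMENT_4 = {"kernel_t": {"mcsreadall", "mcswriteall"}}

if __name__ == "__main__":
    for row in evaluate(AVC_LINES):
        print("before fix:", row)
    for row in evaluate(AVC_LINES, FIX_FROM_COMMENT_4):
        print("after fix: ", row)
    # sVirt isolation between guests is untouched by the fix: a qemu process
    # labelled with another guest's category pair (constructed label) still
    # cannot read this image.
    image = parse_context("system_u:object_r:svirt_image_t:s0:c849,c987")
    other_guest = parse_context("system_u:system_r:svirt_t:s0:c12,c34")
    print("other guest can read image:", mcs_allows(other_guest, image, "read"))
```

Run it to see the three records denied against the stock labels and allowed once kernel_t carries the two attributes. The point worth keeping in mind is that mcs_file_read_all/mcs_file_write_all exempt the type from the category check entirely, so the kernel NFS server can now serve any guest's image; the per-guest category pairs continue to separate the qemu processes from each other's images.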
Comment 5 Miroslav Grepl 2010-06-10 02:39:24 EDT
Fixed in selinux-policy-3.7.19-24.el6.noarch
Comment 9 releng-rhel@redhat.com 2010-11-10 16:34:30 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.