Description of problem:
Can not restore domain from root_squashing nfs export even if qemu gid matches nfs

Version-Release number of selected component (if applicable):
libvirt-0.8.7-7.el6.x86_64
qemu-kvm-0.12.1.2-2.145.el6.x86_64
qemu-img-0.12.1.2-2.145.el6.x86_64
kernel-2.6.32-113.el6.x86_64

How reproducible:
5/5

Steps to Reproduce:
On nfs server:
1. Create a shared directory
# mkdir /tmp/test
2. Set ownership to vdsm:qemu
# chown 501:107 /tmp/test/
# chmod 775 /tmp/test/
3. check exports file:
# cat /etc/exports
/tmp/test *(rw,root_squash,async)

On RHEL6.1 client:
1. setsebool -P virt_use_nfs 1
2. Start a domain with "qemu" user.
3. Mount the nfs shared directory.
# mount -o vers=3 10.66.93.159:/tmp/test /mnt/ddd
# ll -d /mnt/ddd
drwxrwxr-x. 2 vsdm qemu 4096 Feb 18 09:18 /mnt/ddd
4. Save the domain to /mnt/ddd/saved
# virsh save rhel6 /mnt/ddd/saved
Domain rhel6 saved to /mnt/ddd/saved
5. Restore the domain
# virsh restore /mnt/ddd/saved
error: Failed to restore domain from /mnt/ddd/saved
error: cannot close file: Bad file descriptor

Actual results:
Can not restore domain from root_squashing nfs export even if qemu gid matches nfs.

Expected results:
Restore should be successful.

Additional info:
NOTE: If run command "setenforce 0" in client host, restore will be successful.
1. # setenforce 0
2. # virsh restore /mnt/ddd/saved
Domain restored from /mnt/ddd/saved
Please post the version of selinux-policy on the machine, as well as the AVCs that are issued (leave setenforce 0 so we can see the entire list). I'm still suspicious that this is the same as Bug 667756, which was fixed by both a libvirt change and an selinux-policy change.
[root@dhcp-93-206 ~]# ausearch -m avc
----
time->Tue Feb 22 05:53:49 2011
type=SYSCALL msg=audit(1298372029.770:46679): arch=c000003e syscall=190 success=no exit=-13 a0=19 a1=7f15a3108d59 a2=7f157c000920 a3=2d items=0 ppid=1 pid=16996 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1298372029.770:46679): avc: denied { relabelfrom } for pid=16996 comm="libvirtd" name="" dev=pipefs ino=517095 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
----
time->Tue Feb 22 05:55:40 2011
type=SYSCALL msg=audit(1298372140.450:46695): arch=c000003e syscall=190 success=yes exit=0 a0=19 a1=7f15a3108d59 a2=7f1584013e10 a3=2d items=0 ppid=1 pid=16995 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1298372140.450:46695): avc: denied { relabelfrom } for pid=16995 comm="libvirtd" name="" dev=pipefs ino=530904 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fifo_file
Selinux version:
1. [root@dhcp-93-206 images]# rpm -qa|grep selinux
libselinux-2.0.94-2.el6.x86_64
libselinux-utils-2.0.94-2.el6.x86_64
selinux-policy-3.7.19-67.el6.noarch
libselinux-python-2.0.94-2.el6.x86_64
selinux-policy-targeted-3.7.19-67.el6.noarch
Your selinux-policy doesn't contain the change mentioned by @laine in #c2 (note that the change has been included since selinux-policy-3.7.19-68). So please update selinux-policy and try again.
Following comment 4, the restore issue does not exist. So I will close it as "not a bug".
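
An added example, not part of the bug report or of libvirt: a short Python parser that groups the ausearch records posted earlier in this report by audit serial and pairs each AVC denial with its SYSCALL result, which shows that the first `relabelfrom` denial failed the call with EACCES while the second was only logged. The sample is trimmed from the output in this report; the function names and the x86_64 syscall-number table are this example's own.

```python
import re
from collections import defaultdict

# Two events trimmed from the ausearch output in this report (unused fields dropped).
CTX = "unconfined_u:system_r:virtd_t:s0-s0:c0.c1023"
SAMPLE = f"""\
type=SYSCALL msg=audit(1298372029.770:46679): arch=c000003e syscall=190 success=no exit=-13 pid=16996 comm="libvirtd"
type=AVC msg=audit(1298372029.770:46679): avc: denied {{ relabelfrom }} for pid=16996 comm="libvirtd" dev=pipefs scontext={CTX} tcontext={CTX} tclass=fifo_file
type=SYSCALL msg=audit(1298372140.450:46695): arch=c000003e syscall=190 success=yes exit=0 pid=16995 comm="libvirtd"
type=AVC msg=audit(1298372140.450:46695): avc: denied {{ relabelfrom }} for pid=16995 comm="libvirtd" dev=pipefs scontext={CTX} tcontext={CTX} tclass=fifo_file
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
# x86_64 (arch=c000003e) numbers of the xattr setters through which SELinux labels are written.
X86_64_SYSCALLS = {"188": "setxattr", "189": "lsetxattr", "190": "fsetxattr"}

def fields(body):
    """Parse key=value pairs from an audit record body, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def summarize(text):
    """Group records by audit serial and pair each AVC denial with its syscall result."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    out = []
    for serial in sorted(events, key=int):
        recs = events[serial]
        if "AVC" not in recs:
            continue
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        perms = PERMS.search(recs["AVC"])
        out.append({
            "serial": serial,
            "perms": perms.group(1).split() if perms else [],
            "tclass": avc.get("tclass"),
            "source": avc["scontext"].split(":")[2],  # type field of user:role:type:level
            "target": avc["tcontext"].split(":")[2],
            "syscall": X86_64_SYSCALLS.get(sc.get("syscall"), sc.get("syscall")),
            # Blocked only when the syscall itself failed with EACCES (-13).
            "blocked": sc.get("success") == "no" and sc.get("exit") == "-13",
        })
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

Lines such as `----` and `time->` in real ausearch output do not match the record pattern and are skipped, so the full output can be fed in unchanged.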