Hide Forgot
Description of problem: set static security label not take effect for guest Version-Release number of selected component (if applicable): python-virtinst-0.500.5-3.el6.noarch How reproducible: always Steps to Reproduce: 1.# virt-install -n demo -r 512 -f /tmp/img/rhel6_x86_64_qcow2.img --import --security type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200' 2.#virsh dumpxml demo Actual results: ........ <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c67,c414</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c67,c414</imagelabel> </seclabel> ........ Expected results: security type should be 'static', and the label is same with settings by user. Additional info:
Please provide the output of virt-install --debug (also please do so for any future virt-* bug reports)
Actually, I can reproduce, so no need for --debug output
Fixed upstream: http://git.fedorahosted.org/git?p=python-virtinst.git;a=commit;h=7d13024da60ad9f7b2123783a71ed061721c3793
Fixed in python-virtinst-0.600.0-1.el6
Could still reproduce this bug in the following componets: python-virtinst-0.600.0-1.el6. libvirt-0.9.4-0rc1.el6.x86_64 kernel-2.6.32-171.el6.x86_64 qemu-kvm-0.12.1.2-2.174.el6.x86_64 How reproducible: always Steps to Reproduce: # virt-install -n demo -r 512 -f /var/lib/libvirt/images/demo.img -s 5 -c /dev/cdrom --security type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200' Starting install... ERROR internal error Process exited while reading console log output: libvir: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied Domain installation does not appear to have been successful. If it was, you can restart your domain by running: virsh --connect qemu:///system start demo otherwise, please restart your installation.
(In reply to comment #6) > Could still reproduce this bug in the following componets: > python-virtinst-0.600.0-1.el6. > libvirt-0.9.4-0rc1.el6.x86_64 > kernel-2.6.32-171.el6.x86_64 > qemu-kvm-0.12.1.2-2.174.el6.x86_64 > How reproducible: > always > > Steps to Reproduce: When i reproduced this bug use the above packages, I met the following problem, so whether this bug has been fixed or not is unknown for me(Sorry for comment 6 ). The following error message is a new problem about this bug. So set the bug status to ASSIGNED. > > # virt-install -n demo -r 512 -f /var/lib/libvirt/images/demo.img -s 5 -c > /dev/cdrom --security > type=static,label='system_u:object_r:svirt_image_t:s0:c100,c200' > > Starting install... > ERROR internal error Process exited while reading console log output: > libvir: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied > > Domain installation does not appear to have been successful. > If it was, you can restart your domain by running: > virsh --connect qemu:///system start demo > otherwise, please restart your installation.
The initial report said that even if the user specified --security type=static we would still generate XML with type=dynamic. You should be able to confirm that virt-install did the correct thing by specifying --debug and checking that the generated XML has <seclabel type='static' in it. That said, there might be other issues here, but those would be separate bugs.
verified with the following components: python-virtinst-0.600.0-2.el6.noarch libvirt-0.9.4-0rc1.2.el6.x86_64 qemu-kvm-0.12.1.2-2.175.el6.x86_64 kernel-2.6.32-171.el6.x86_64 Steps: 1.chcon system_u:object_r:svirt_image_t:s0:c100,c200 /var/lib/libvirt/images/test.img 2. virt-install -n test -r 512 -f /var/lib/libvirt/images/test.img --import --security type=static,label='system_u:system_r:svirt_t:s0:c100,c200' --debug ... <seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_t:s0:c100,c200</label> </seclabel> ... 3. virsh dumpxml test ... <seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_t:s0:c100,c200</label> </seclabel> ...
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: Specifying a static selinux label via virt-install did not build a correct guest configuration. Consequence: The static selinux label did not take effect for the guest. Fix: Generate correct configuration Result: Static labels work
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1643.html