700320 – Failed to pci hotplug/passthrough to guest with selinux enabled

Bug 700320 - Failed to pci hotplug/passthrough to guest with selinux enabled

Summary: Failed to pci hotplug/passthrough to guest with selinux enabled

Keywords:
Status:	CLOSED DUPLICATE of bug 644276
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	5.7
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Libvirt Maintainers
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-28 06:31 UTC by zhanghaiyan
Modified:	2011-05-30 10:06 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-30 10:06:47 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
/var/log/message for pci hotplug (4.50 KB, text/plain) 2011-04-28 06:33 UTC, zhanghaiyan	no flags	Details
/var/log/message for pci passthrough (4.46 KB, text/plain) 2011-04-28 06:34 UTC, zhanghaiyan	no flags	Details
View All

Description zhanghaiyan 2011-04-28 06:31:52 UTC

Description of problem:
Failed to pci hotplug/passthrough to guest in selinux enabled

Version-Release number of selected component (if applicable):
- 2.6.18-256.el5
- kvm-83-230.el5
- libvirt-0.8.2-18.el5

How reproducible:
always

Steps to Reproduce:
1. Enable vt-d on the host
2. # getenforce 
Enforcing
3. # virsh nodedev-list --tree
computer
 |
  +- pci_8086_10de
  |   |
  |   +- net_00_25_64_a7_1f_4d
  |     
  +- pci_8086_244e
  +- pci_8086_2822
  |   |
........
4. # virsh nodedev-dumpxml pci_8086_10de
<device>
  <name>pci_8086_10de</name>
  <parent>computer</parent>
  <driver>
    <name>e1000e</name>
  </driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>0</bus>
    <slot>25</slot>
    <function>0</function>
    <product id='0x10de'>82567LM-3 Gigabit Network Connection</product>
    <vendor id='0x8086'>Intel Corporation</vendor>
  </capability>
</device>
5. # cat nodedev.xml 
<hostdev mode='subsystem' type='pci' managed='yes'>
 <source>
  <address bus='0' slot='0x19' function='0'/>
 </source>
</hostdev>
6. Start a guest
# virsh start rhel61
Domain rhel61 started
7. # virsh attach-device rhel61 nodedev.xml 
error: Failed to attach device from nodedev.xml
error: operation failed: parsing pci_add reply failed: Failed to assign device
failed to add host=00:19.0
8. OR change to do pci passthrough, firstly shutdown the guest, then add nodedev.xml info into guest config file and try to start the guest

  
Actual results:
7. Failed to hotplug pci device to guest
8. Failed to boot up the guest when passthrough the pci device to guest

Expected results:
7. pass
8. pass

Additional info:
If change selinux to permissive, both the operation could be pass.

Comment 1 zhanghaiyan 2011-04-28 06:33:30 UTC

Created attachment 495415 [details]
/var/log/message for pci hotplug

Comment 2 zhanghaiyan 2011-04-28 06:34:21 UTC

Created attachment 495416 [details]
/var/log/message for pci passthrough

Comment 3 zhanghaiyan 2011-04-28 09:47:23 UTC

I searched the closed bug 644276 which is talking the same issue. But the technical note is not quite clear for me to understand. 
Does the selinux-policy package changes "virt_use_sysfs" boolean to on automatically or need users set the boolean to on manually ? Which is expected ?
In my actual test, I have to manually set the boolean to on.

Comment 4 Cui Chun 2011-05-19 08:19:30 UTC

Miroslav,

Could you please take a look comment3 and give a feedback?

Thanks.

Comment 5 Miroslav Grepl 2011-05-19 11:15:39 UTC

The "virt_use_sysfs" boolean was updated but you still set the boolean to on manually.

Comment 6 zhanghaiyan 2011-05-30 10:06:47 UTC


*** This bug has been marked as a duplicate of bug 644276 ***

Note You need to log in before you can comment on or make changes to this bug.