Bug 852668 - libvirt got security label parse error with xml
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.4
Hardware: x86_64 Linux
Priority: high, Severity: high
Target Milestone: rc
Assigned To: Jiri Denemark
QA Contact: Virtualization Bugs
Keywords: Regression
Reported: 2012-08-29 04:53 EDT by Wayne Sun
Modified: 2013-02-21 02:22 EST
Fixed In Version: libvirt-0.10.1-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 02:22:30 EST
Type: Bug

Description Wayne Sun 2012-08-29 04:53:01 EDT
Description of problem:
Restoring a domain from a saved file fails.

Version-Release number of selected component (if applicable):
libvirt-0.10.0-1.el6.x86_64

How reproducible:
always 

Steps to Reproduce:
1. start a domain and check
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 1     libvirt_test_api               running

# virsh dumpxml libvirt_test_api
...
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>107:107</label>
<imagelabel>107:107</imagelabel>
</seclabel>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c274,c290</label>
<imagelabel>unconfined_u:object_r:svirt_image_t:s0:c274,c290</imagelabel>
</seclabel>
...

# ll -Z /var/lib/libvirt/images/libvirt-test-api
-rw-r--r--. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c274,c290 /var/lib/libvirt/images/libvirt-test-api

2. save domain to file
# virsh save libvirt_test_api /tmp/save.3

Domain libvirt_test_api saved to /tmp/save.3

3. restore domain from file

# virsh restore /tmp/save.3
error: Failed to restore domain from /tmp/save.3
error: XML error: missing security model when using multiple labels

Actual results:
restore file

Expected results:
restore success

Additional info:
After a managed save, the domain also fails to start with the same error.

This works on libvirt-0.10.0-0rc1.el6.x86_64
Comment 1 Huang Wenlong 2012-08-29 04:58:33 EDT
Cannot create a snapshot; I get the same error
libvirt-0.10.0-1.el6.x86_64


# virsh snapshot-create-as rc0 s10-1 --disk-only 
error: XML error: missing security model when using multiple labels 

[root@intel-q9400-4-2 rpms]# virsh snapshot-create-as rc0 s10-1 
error: XML error: missing security model when using multiple labels
Comment 4 Jiri Denemark 2012-08-31 12:12:32 EDT
This is now fixed upstream by v0.10.0-32-g86e205a (in v0.10.1):

commit 86e205a24fbfaec75df7ffedbb6418d9ed9dbd1c
Author: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
Date:   Fri Aug 31 13:40:40 2012 +0200

    conf: Fix parsing of seclabels without model
    
    With this patch libvirt tries to assign a model to a single seclabel
    when model is missing. Libvirt will look up at host's capabilities and
    assign the first model to seclabel.
    
    This patch fixes:
    
    1. The problem with existing guests that have a seclabel defined in their XML.
    2. An XML parse error when a guest is restored.
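
The rule stated in the commit message above, as an added Python example (not libvirt's C code and not part of the original bug report): a single seclabel without a model takes the first model from the host's capabilities, while multiple seclabels must each name a model. The function name, the order of `HOST_MODELS` and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET


class SeclabelError(ValueError):
    """Raised when <seclabel> elements cannot be resolved to models."""


def resolve_seclabel_models(domain_xml, host_models):
    """Return the security model of each <seclabel>, in document order.

    Simplified model of the commit message: one seclabel with no model
    gets the first host model; with several seclabels every one must
    carry an explicit model attribute.
    """
    labels = ET.fromstring(domain_xml).findall("seclabel")
    if len(labels) == 1 and not labels[0].get("model"):
        if not host_models:
            raise SeclabelError("no host security model to assign")
        return [host_models[0]]

    models = []
    for label in labels:
        model = label.get("model")
        if not model:
            # Same message that virsh reported in this bug.
            raise SeclabelError(
                "missing security model when using multiple labels")
        models.append(model)
    return models


# Assumed order of security models in the host capabilities.
HOST_MODELS = ["selinux", "dac"]

# Constructed sample inputs, modelled on the XML quoted in this report.
SINGLE_NO_MODEL = """<domain><seclabel type='dynamic' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c274,c290</label></seclabel></domain>"""

TWO_WITH_MODELS = """<domain>
<seclabel type='dynamic' model='dac' relabel='yes'><label>107:107</label></seclabel>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c274,c290</label></seclabel></domain>"""

TWO_ONE_MISSING = """<domain>
<seclabel type='dynamic' relabel='yes'><label>107:107</label></seclabel>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c274,c290</label></seclabel></domain>"""

if __name__ == "__main__":
    print(resolve_seclabel_models(SINGLE_NO_MODEL, HOST_MODELS))
    print(resolve_seclabel_models(TWO_WITH_MODELS, HOST_MODELS))
```
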
Comment 6 Wayne Sun 2012-09-03 02:15:49 EDT
pkgs:
libvirt-0.10.1-1.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.297.el6_3.x86_64
kernel-2.6.32-279.el6.x86_64

steps:
1. start a guest
# virsh start libvirt_test_api
Domain libvirt_test_api started

2. check xml
# virsh dumpxml libvirt_test_api
...
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c535,c601</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c535,c601</imagelabel>
  </seclabel>
...

By default, there is only one selinux seclabel now.

3. save/restore domain
# virsh save libvirt_test_api /tmp/save.6

Domain libvirt_test_api saved to /tmp/save.6

# virsh restore /tmp/save.6
Domain restored from /tmp/save.6

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 5     libvirt_test_api               running

4. create snapshot
# virsh snapshot-create-as libvirt_test_api snap-01 --disk-only
Domain snapshot snap-01 created

5. add dac static label
# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>107:107</label>
    <imagelabel>107:107</imagelabel>
  </seclabel>
...

the domain can be started, save/restore and snapshot also work fine.
So, this is fixed.
Comment 7 errata-xmlrpc 2013-02-21 02:22:30 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html
