Bug 852668 - libvirt got security label parse error with xml
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
Reported: 2012-08-29 08:53 UTC by Wayne Sun
Modified: 2013-02-21 07:22 UTC

Fixed In Version: libvirt-0.10.1-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 07:22:30 UTC
Links
System: Red Hat Product Errata
ID: RHSA-2013:0276
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: libvirt security, bug fix, and enhancement update
Last Updated: 2013-02-20 21:18:26 UTC

Description Wayne Sun 2012-08-29 08:53:01 UTC
Description of problem:
restore domain from saved file fail 

Version-Release number of selected component (if applicable):
libvirt-0.10.0-1.el6.x86_64

How reproducible:
always 

Steps to Reproduce:
1. start a domain and check
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 1     libvirt_test_api               running

# virsh dumpxml libvirt_test_api
...
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>107:107</label>
<imagelabel>107:107</imagelabel>
</seclabel>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>unconfined_u:system_r:svirt_t:s0:c274,c290</label>
<imagelabel>unconfined_u:object_r:svirt_image_t:s0:c274,c290</imagelabel>
</seclabel>
...

# ll -Z /var/lib/libvirt/images/libvirt-test-api
-rw-r--r--. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c274,c290 /var/lib/libvirt/images/libvirt-test-api

2. save domain to file
# virsh save libvirt_test_api /tmp/save.3

Domain libvirt_test_api saved to /tmp/save.3

3. restore domain from file

# virsh restore /tmp/save.3
error: Failed to restore domain from /tmp/save.3
error: XML error: missing security model when using multiple labels

Actual results:
restore file

Expected results:
restore success

Additional info:
After manage save, the domain also fails to start with the same error.

This works on libvirt-0.10.0-0rc1.el6.x86_64

Comment 1 Huang Wenlong 2012-08-29 08:58:33 UTC
can not create snapshot get the same error  
libvirt-0.10.0-1.el6.x86_64


# virsh snapshot-create-as rc0 s10-1 --disk-only 
error: XML error: missing security model when using multiple labels 

[root@intel-q9400-4-2 rpms]# virsh snapshot-create-as rc0 s10-1 
error: XML error: missing security model when using multiple labels

Comment 4 Jiri Denemark 2012-08-31 16:12:32 UTC
This is now fixed upstream by v0.10.0-32-g86e205a (in v0.10.1):

commit 86e205a24fbfaec75df7ffedbb6418d9ed9dbd1c
Author: Marcelo Cerri <mhcerri.ibm.com>
Date:   Fri Aug 31 13:40:40 2012 +0200

    conf: Fix parsing of seclabels without model
    
    With this patch libvirt tries to assign a model to a single seclabel
    when model is missing. Libvirt will look up at host's capabilities and
    assign the first model to seclabel.
    
    This patch fixes:
    
    1. The problem with existing guests that have a seclabel defined in its XML.
    2. A XML parse error when a guest is restored.
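
Added example (not part of the bug report and not libvirt's own code): a small Python model of the rule in the commit message above, where a single seclabel without a model takes the first host security model, while several labels with a missing model are rejected with the error text seen in this report. `resolve_seclabel_models`, `host_models` and the sample XML are hypothetical and constructed; keeping the rejection for the multi-label case is an assumption drawn from the commit's "single seclabel" wording.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents (label values taken from the report above).
LEGACY_XML = """<domain type='kvm'>
  <seclabel type='dynamic' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c274,c290</label>
  </seclabel>
</domain>"""

MULTI_XML = """<domain type='kvm'>
  <seclabel type='dynamic' model='dac' relabel='yes'><label>107:107</label></seclabel>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c274,c290</label>
  </seclabel>
</domain>"""

# Same as MULTI_XML, but the second label has lost its model attribute.
AMBIGUOUS_XML = MULTI_XML.replace(" model='selinux'", "")


class SeclabelError(ValueError):
    """A <seclabel> cannot be tied to a security model."""


def resolve_seclabel_models(domain_xml, host_models):
    """Return the model of each <seclabel> under <domain>, in document order.

    host_models is a hypothetical stand-in for the security models listed
    in the host's capabilities, first entry first.
    """
    labels = ET.fromstring(domain_xml).findall("seclabel")
    models = [label.get("model") for label in labels]
    if len(labels) == 1 and not models[0]:
        if not host_models:
            raise SeclabelError("no model in XML and none reported by host")
        # Rule from the commit message: a single seclabel without a model
        # is assigned the first model from the host's capabilities.
        models[0] = host_models[0]
    elif any(not m for m in models):
        # Several labels: no unambiguous default, so parsing is refused.
        raise SeclabelError("missing security model when using multiple labels")
    return models


if __name__ == "__main__":
    hosts = ["selinux", "dac"]  # constructed host capability order
    for name in ("LEGACY_XML", "MULTI_XML", "AMBIGUOUS_XML"):
        try:
            print(name, resolve_seclabel_models(globals()[name], hosts))
        except SeclabelError as exc:
            print(name, "rejected:", exc)
```

Because the default depends on the order of the host's models, the same model-less XML resolves differently on hosts that list their models in a different order; writing the model attribute explicitly removes that dependency.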

Comment 6 Wayne Sun 2012-09-03 06:15:49 UTC
pkgs:
libvirt-0.10.1-1.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.297.el6_3.x86_64
kernel-2.6.32-279.el6.x86_64

steps:
1. start a guest
# virsh start libvirt_test_api
Domain libvirt_test_api started

2. check xml
# virsh dumpxml libvirt_test_api
...
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c535,c601</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c535,c601</imagelabel>
  </seclabel>
...

By default, only one selinux seclabel now.

3. save/restore domain
# virsh save libvirt_test_api /tmp/save.6

Domain libvirt_test_api saved to /tmp/save.6

# virsh restore /tmp/save.6
Domain restored from /tmp/save.6

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 5     libvirt_test_api               running

4. create snapshot
# virsh snapshot-create-as libvirt_test_api snap-01 --disk-only
Domain snapshot snap-01 created

5. add dac static label
# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>107:107</label>
    <imagelabel>107:107</imagelabel>
  </seclabel>
...

the domain can be started, save/restore and snapshot also work fine.
So, this is fixed.

Comment 7 errata-xmlrpc 2013-02-21 07:22:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html

