Red Hat Bugzilla – Bug 852668
libvirt got security label parse error with xml
Last modified: 2013-02-21 02:22:30 EST
Description of problem:
restore domain from saved file fails

Version-Release number of selected component (if applicable):
libvirt-0.10.0-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. start a domain and check
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 1     libvirt_test_api               running

# virsh dumpxml libvirt_test_api
...
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>107:107</label>
    <imagelabel>107:107</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c274,c290</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c274,c290</imagelabel>
  </seclabel>
...

# ll -Z /var/lib/libvirt/images/libvirt-test-api
-rw-r--r--. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c274,c290 /var/lib/libvirt/images/libvirt-test-api

2. save domain to file
# virsh save libvirt_test_api /tmp/save.3
Domain libvirt_test_api saved to /tmp/save.3

3. restore domain from file
# virsh restore /tmp/save.3
error: Failed to restore domain from /tmp/save.3
error: XML error: missing security model when using multiple labels

Actual results:
restore file

Expected results:
restore success

Additional info:
After manage save, the domain also fails to start with the same error.
This works on libvirt-0.10.0-0rc1.el6.x86_64
Cannot create a snapshot either, with the same error.

libvirt-0.10.0-1.el6.x86_64

# virsh snapshot-create-as rc0 s10-1 --disk-only
error: XML error: missing security model when using multiple labels

[root@intel-q9400-4-2 rpms]# virsh snapshot-create-as rc0 s10-1
error: XML error: missing security model when using multiple labels
This is now fixed upstream by v0.10.0-32-g86e205a (in v0.10.1):

commit 86e205a24fbfaec75df7ffedbb6418d9ed9dbd1c
Author: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
Date:   Fri Aug 31 13:40:40 2012 +0200

    conf: Fix parsing of seclabels without model

    With this patch libvirt tries to assign a model to a single seclabel
    when model is missing. Libvirt will look up at host's capabilities and
    assign the first model to seclabel.

    This patch fixes:

    1. The problem with existing guests that have a seclabel defined in its XML.
    2. A XML parse error when a guest is restored.
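Added example (not libvirt's code and not part of the original comments): a Python sketch of the rule the commit message describes, useful for checking a saved domain XML before restore. The function names, the SeclabelError class and the sample capabilities XML are constructed for illustration, and only top-level <seclabel> elements of the domain are considered.

```python
import xml.etree.ElementTree as ET

# Constructed host capabilities sample; the first <secmodel> is the default.
HOST_CAPS = """<capabilities><host>
  <secmodel><model>selinux</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>"""


class SeclabelError(ValueError):
    """Raised when the seclabel set cannot be resolved to models."""


def host_models(caps_xml):
    """Security models in the order the host capabilities list them."""
    root = ET.fromstring(caps_xml)
    return [m.text.strip() for m in root.findall("./host/secmodel/model") if m.text]


def resolve_seclabels(domain_xml, caps_xml):
    """Return the model of each top-level <seclabel> in the domain XML.

    A single seclabel without a model gets the host's first model
    (the behaviour the commit message describes). With several
    seclabels, every one must name its model explicitly.
    """
    labels = ET.fromstring(domain_xml).findall("./seclabel")
    models = [label.get("model") for label in labels]

    if len(labels) == 1 and models[0] is None:
        available = host_models(caps_xml)
        if not available:
            raise SeclabelError("host reports no security model")
        labels[0].set("model", available[0])
        return [available[0]]

    if len(labels) > 1 and any(m is None for m in models):
        # Same condition as the error reported in this bug.
        raise SeclabelError("missing security model when using multiple labels")
    return models


if __name__ == "__main__":
    legacy = "<domain><seclabel type='dynamic' relabel='yes'/></domain>"
    print(resolve_seclabels(legacy, HOST_CAPS))
```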
pks:
libvirt-0.10.1-1.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.297.el6_3.x86_64
kernel-2.6.32-279.el6.x86_64

steps:
1. start a guest
# virsh start libvirt_test_api
Domain libvirt_test_api started

2. check xml
# virsh dumpxml libvirt_test_api
...
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c535,c601</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c535,c601</imagelabel>
  </seclabel>
...

By default, only one selinux seclabel now.

3. save/restore domain
# virsh save libvirt_test_api /tmp/save.6
Domain libvirt_test_api saved to /tmp/save.6

# virsh restore /tmp/save.6
Domain restored from /tmp/save.6

# virsh list --all
 Id    Name                           State
----------------------------------------------------
 5     libvirt_test_api               running

4. create snapshot
# virsh snapshot-create-as libvirt_test_api snap-01 --disk-only
Domain snapshot snap-01 created

5. add dac static label
# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>107:107</label>
    <imagelabel>107:107</imagelabel>
  </seclabel>
...

The domain can be started; save/restore and snapshot also work fine.

So, this is fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html