Bug 853043 - guest can't start with unable to set security context error if guests are unconfined
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
6.4
x86_64 Linux
high Severity medium
: rc
: ---
Assigned To: Peter Krempa
Virtualization Bugs
: Regression
Depends On: 823857
Reported: 2012-08-30 07:05 EDT by Wayne Sun
Modified: 2013-02-21 02:22 EST
Fixed In Version: libvirt-0.10.1-1.el6
Doc Type: Bug Fix
Clone Of: 823857
Last Closed: 2013-02-21 02:22:46 EST
Type: Bug

Comment 3 Peter Krempa 2012-08-30 11:01:41 EDT
Fixed upstream with:

commit 1497e36db97e257bbdb037066994aac5ca3e75f6
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu Aug 30 16:05:53 2012 +0200

    security: Re-apply commit ce53382ba28179d3a504b29b4f888b6e130d53f0
    
    Recent changes in the security driver discarded changes that fixed
    labeling un-confined guests.

Moving to POST.
Comment 5 zhenfeng wang 2012-09-03 03:07:12 EDT
pkgs
# rpm -qa|grep libvirt
libvirt-0.10.1-1.el6.x86_64

steps

1. Make sure SELinux is Enforcing
# getenforce
Enforcing

2. Before setting security_default_confined, prepare a guest and start it, then check the guest's seclabel

# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>


3. Set security_default_confined=0 in qemu.conf and restart libvirtd

4. Recheck the guest's seclabel
# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>

5. Destroy the guest, and restart it
# virsh start tesredhat
Domain tesredhat started

# virsh dumpxml tesredhat |grep seclabel -A 3
  <seclabel type='none' model='selinux'/>
</domain>

6. # ll -Z /var/lib/libvirt/images/tesredhat.img
-rw-r-xr-x. qemu qemu system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/tesredhat.img

7. # virsh dumpxml tesredhat --inactive |grep seclabel -A 3

BTW, I can reproduce this bug with the package libvirt-0.10.0-1.el6.x86_64.

As in steps 5 and 6, the guest can start normally.
So, this is fixed.
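
The seclabel comparison from the verification steps in comment 5, as an added example that is not part of the bug report or of libvirt: it reads domain XML on stdin (for instance from `virsh dumpxml`) and reports whether the guest runs under a dynamic sVirt label or unconfined. The function name and the two sample variables are assumptions; the sample XML is constructed from the seclabel output quoted in that comment.

```shell
#!/bin/sh
# Added example. Classify the SELinux <seclabel> of a libvirt domain XML (stdin).
# Prints one of:
#   unconfined       seclabel type='none' (what security_default_confined=0 yields)
#   confined <mcs>   svirt_t process label whose MCS level matches the image label
#   mismatch         labels present but not svirt_t, or MCS levels differ
#   missing          no selinux seclabel element in the XML
seclabel_state() {
    xml=$(cat)
    # Opening tag of the selinux seclabel element.
    tag=$(printf '%s\n' "$xml" | grep -o "<seclabel[^>]*model='selinux'[^>]*>" | head -n 1)
    [ -n "$tag" ] || { echo missing; return 0; }
    case $tag in
        *"type='none'"*) echo unconfined; return 0 ;;
    esac
    label=$(printf '%s\n' "$xml" | sed -n 's|.*<label>\(.*\)</label>.*|\1|p' | head -n 1)
    image=$(printf '%s\n' "$xml" | sed -n 's|.*<imagelabel>\(.*\)</imagelabel>.*|\1|p' | head -n 1)
    # An SELinux context is user:role:type:level; the level here is s0:cN,cM.
    ptype=$(printf '%s' "$label" | cut -d: -f3)
    pmcs=$(printf '%s' "$label" | cut -d: -f4-)
    imcs=$(printf '%s' "$image" | cut -d: -f4-)
    if [ "$ptype" = svirt_t ] && [ -n "$pmcs" ] && [ "$pmcs" = "$imcs" ]; then
        echo "confined $pmcs"
    else
        echo mismatch
    fi
}

# Constructed samples, copied from the dumpxml output in steps 2 and 5.
SAMPLE_CONFINED="<domain>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>unconfined_u:system_r:svirt_t:s0:c317,c596</label>
    <imagelabel>unconfined_u:object_r:svirt_image_t:s0:c317,c596</imagelabel>
  </seclabel>
</domain>"
SAMPLE_UNCONFINED="<domain>
  <seclabel type='none' model='selinux'/>
</domain>"

printf '%s\n' "$SAMPLE_CONFINED"   | seclabel_state
printf '%s\n' "$SAMPLE_UNCONFINED" | seclabel_state
# Live use on a host: virsh dumpxml tesredhat | seclabel_state
```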
Comment 6 errata-xmlrpc 2013-02-21 02:22:46 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html
