Description of problem: Since upgrading to Fedora 18 I've not been able to launch nova instances with current master of nova & devstack. The following error is logged: "Cannot parse sensitivity level in s0" Running virsh create on the attached sensitivity_level_fail.xml nova generated XML also reproduces the error. Version-Release number of selected component (if applicable): libvirt-0.10.2.2-3.fc18.x86_64 How reproducible: All the time when svirt is enabled Steps to Reproduce: 1. Run virsh create sensitivity_level_fail.xml Actual results: Immediately fails with error "Cannot parse sensitivity level in s0" Expected results: Additional info: Workaround is to set: security_driver = "none" in /etc/libvirt/qemu.conf
Created attachment 683900 [details] libvirt xml which demonstrates problem
Please provide ps -axuZ | grep libvirtd and ls -lZ /usr/sbin/libvirtd
# ps -axuZ | grep libvirtd system_u:system_r:kernel_t:s0 root 951 0.0 0.0 484324 1824 ? Ssl Jan21 0:00 /usr/sbin/libvirtd unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 root 18159 0.0 0.0 109180 884 pts/6 S+ 09:25 0:00 grep --color=auto libvirtd # ls -lZ /usr/sbin/libvirtd -rwxr-xr-x. root root system_u:object_r:virtd_exec_t:s0 /usr/sbin/libvirtd This is with svirt still disabled
Hmm, I can't reproduce. That error message comes from libvirtd, trying to parse it's own selinux context. It throws that error if it doesn't find a colon in the context string. Steve, is this with all up to date packages? Do other VMs work? Is selinux in enforcing, permissive, or disabled? Also, please provide ps -axuZ | grep libvirtd again, but this time with svirt enabled, and after restarting libvirtd.
See also BZ 896610
With security_driver = "selinux" in /etc/libvirt/qemu.conf ps -axuZ | grep libvirtd system_u:system_r:kernel_t:s0 root 9438 0.2 0.1 1078160 5856 ? Ssl 13:27 0:00 /usr/sbin/libvirtd unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 steveb 15084 0.0 0.0 109180 884 pts/1 S+ 13:33 0:00 grep --color=auto libvirtd
Steve, I think you can fix this locally by touch /.autorelabel reboot But we should find a way to not make this fail if running in permissive mode
This series makes libvirt more robust at handling unexpected security labels, which should address this problem https://www.redhat.com/archives/libvir-list/2013-March/msg00684.html
libvirt-0.10.2.4-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.4-1.fc18
Package libvirt-0.10.2.4-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libvirt-0.10.2.4-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-4691/libvirt-0.10.2.4-1.fc18 then log in and leave karma (feedback).
libvirt-0.10.2.4-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.