Created attachment 755302 [details]
libvirtd.conf.patch

Created attachment 755303 [details]
sysconfig.libvirtd.patch

There is at least one more thing that I had to do to make live block migration working: semanage permissive -a sshd_t To enable nova to ssh. But this brings a quite large security risk.

Without the change Jaroslav mentioned in comment 4, we got the following denials, which need to be fixed in the policy:

[root@xxxx ~]# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 534511
2. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
3. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 file read unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
4. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 file open unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
5. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 5 file getattr unconfined_u:object_r:nova_var_lib_t:s0 denied 534512
6. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 6 dir getattr system_u:object_r:nova_var_lib_t:s0 denied 534513
7. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 6 dir getattr unconfined_u:object_r:nova_var_lib_t:s0 denied 534514
8. 09/27/2013 16:10:52 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 538184
9. 09/27/2013 16:10:52 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 538185

One more addition:

packstack sets up nova for vnc listening on the machine's default IP, instead of listening on all interfaces (see bug 912744).

Set this in /etc/nova/nova.conf on all compute instances to make it work:
vncserver_listen=0.0.0.0

Re. Nova live migration doing SSH - it should be removed, see thread:
 http://lists.openstack.org/pipermail/openstack-dev/2013-September/015757.html

Alan, the email you link is about migration/resize operation which is a different operation in nova than live-migration, which this bug is about.

Nikola, and others: ignore Comment 5. I was not doing live migration. So indeed no SSH is needed for that. :)

@berrange: Is there any Nova impact here, or is it just a matter of configuring our puppet modules to configure libvirt correctly?  It's not clear to me what component this should go on or who should own it.

Probably just config work for packstack, though I've not tested this functionality in nova myself.

without openstack-selinux
rhel7:
#============= nagios_t ==============
allow nagios_t ping_exec_t:file { read execute open execute_no_trans };
allow nagios_t self:capability net_raw;
allow nagios_t self:process setcap;
allow nagios_t self:rawip_socket { getopt create setopt };

#============= neutron_t ==============
allow neutron_t tmp_t:dir create;

#============= nova_scheduler_t ==============

#!!!! This avc is allowed in the current policy
allow nova_scheduler_t passwd_file_t:file { read getattr open };

#============= rsync_t ==============

#!!!! This avc is allowed in the current policy
allow rsync_t var_lock_t:dir { write add_name };

#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:file { write create };

#============= swift_t ==============

#!!!! This avc is allowed in the current policy
allow swift_t tmpfs_t:dir { write remove_name add_name };
allow swift_t tmpfs_t:file { write getattr link read create unlink open };

#!!!! This avc is allowed in the current policy
allow swift_t tmpfs_t:filesystem getattr;

#!!!! This avc is allowed in the current policy
allow swift_t xserver_port_t:tcp_socket name_bind;

*** This bug has been marked as a duplicate of bug 1100356 ***