[libvirt] possible 0.9.8 regression?

[Jim Fehlig]

Daniel P. Berrange wrote:
> On Tue, Dec 20, 2011 at 08:59:48AM -0700, Jim Fehlig wrote:
>   
>> xhu wrote:
>>     
>>> On 12/16/2011 11:33 AM, Jim Fehlig wrote:
>>>       
>>>> Hi All,
>>>>
>>>> I've noticed a regression in libvirt 0.9.8 on some of my kvm test machines
>>>>
>>>> # virsh start opensuse12
>>>> error: Failed to start domain opensuse12
>>>> error: Cannot open network interface control socket: Permission denied 
>>>>         
>>> For I can't reproduce it on my machine with 0.9.8, can you provide me
>>> the detailed steps?
>>>       
>> Nothing special, basic domain config using file-backed disk and
>> connecting to a bridge.
>>
>>     
>>> Also your os, libvirt, qemu-kvm and kernel version?
>>>       
>> Yeah, it has something to do with the kernel, glibc, or other such
>> component.  qemu-kvm isn't the problem as the error occurs before it is
>> invoked.
>>
>> kernel 3.1.0, glibc  2.14.1 (openSUSE12.1):
>> With libvirt 0.9.7, starting the domain works.  This version of libvirt
>> opens control socket with 'socket(AF_INET, SOCK_STREAM, 0)'.  With
>> libvirt 0.9.8, the domain does not start.  In this version, the control
>> socket is opened with 'socket(AF_PACKET, SOCK_DGRAM, 0)', which fails
>> with EACCES.
>>
>> kernel 3.0.13, glibc 2.11.3 (SLES11 SP2):
>> Regression between libvirt 0.9.7 and 0.9.8 not observed.
>>
>> Initially, I assumed the bug was in glibc.  But I can open packet(7)
>> sockets in a test program running as uid=euid=0, just not within
>> libvirtd running with same privileges.
>>     
>
> Interesting, this is very bizarre. I assume that if you patch
> libvirt 0.9.8 to use  AF_INET again, it'll work fine ?
>   

Yes, it is bizarre and yes, using AF_INET works.

> Is there any other access control mechanism in force like SELinux
> or AppArmour ?
>   

No, which is why I'm rather confused...

Thanks,
Jim