[libvirt] Availability of libvirt-3.0.0 release candidate 2

Marc Hartmayer mhartmay at linux.vnet.ibm.com
Tue Jan 17 16:04:30 UTC 2017


On Tue, Jan 17, 2017 at 04:41 PM +0100, Michal Privoznik <mprivozn at redhat.com> wrote:
> On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
>> On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn at redhat.com> wrote:
>>> [Dropping libvirt-announce]
>>>
>>> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
>>>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
>>>>>>>       <target bus="scsi" dev="sda" />
>>>>>>> </disk>
>>>>>>> </xml_snippet>
>>>>>>>
>>>>>>> With v2.5.0 everything has worked. I'll take a closer look at it today.
>>>>> You can try and see if this is a namespace caused issue. Just disable
>>>>> the namespaces and retry. If it succeeds with namespaces disabled, the
>>>>> bug indeed is in my namespaces patches.
>>>>>
>>>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
>>>>>
>>>>> Michal
>>>>
>>>> With disabled namespaces the problem does NOT occur.
>>>>
>>>>
>>>
>>> Okay, can you share the debug logs then please? Both daemon and domain logs.
>>>
>>> Michal
>>
>> Yes - I'll also send you the important part of audit.log (with SELinux
>> permissive).
>>
>> Evaluation with some combinations (0 = no, 1 = yes):
>>
>> | namespace enabled | SELinux enabled | works |
>> |-------------------|-----------------|-------|
>> |                 0 |               0 |     1 |
>> |                 0 |               1 |     1 |
>> |                 1 |               0 |     1 |
>> |                 1 |               1 |     0 |
>
> Yeah, I've just managed to reproduce this issue in my environment. And
> something interesting is happening here:
>
> # grep avc /var/log/audit/audit.log
> type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for
> pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2"
> ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
>
> (I've simplified the disk path in my testing compared to your XML).
>
> Although, if I disable namespaces I'm still unable to attach the disk. I
> mean the SELinux is still denying the operation.
>
> Michal

Hmm, I've just double-checked it... and it works if I disable only
namespaces in qemu.conf (and restart libvirtd).


--
Beste Grüße / Kind regards
   Marc Hartmayer

IBM Deutschland Research & Development GmbH
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
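
Added example (not part of the original thread, and not libvirt code): a small Python parser for AVC records like the one quoted above, splitting the source and target contexts so the denied domain, the target type and the MCS categories can be compared directly. The sample log is constructed from the record in the thread, joined onto one line, plus one constructed non-AVC line; the function names are illustrative.

```python
import re

# Constructed sample: the AVC record from the thread on a single line,
# followed by a constructed SYSCALL line that the parser must skip.
SAMPLE_LOG = (
    'type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for '
    'pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" '
    'ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1484667144.960:323): arch=c000003e success=no\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type:level; categories follow the first ':' in level."""
    user, role, setype, level = ctx.split(":", 3)
    _, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": setype,
            "categories": tuple(cats.split(",")) if cats else ()}

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def denials(log_text):
    """All denied AVC records in an audit log excerpt."""
    return [r for r in map(parse_avc, log_text.splitlines())
            if r and r["result"] == "denied"]

if __name__ == "__main__":
    for r in denials(SAMPLE_LOG):
        print(r["comm"], r["source"]["type"], r["perms"], r["path"],
              r["target"]["type"], r["target"]["categories"])
```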




