[libvirt] Availability of libvirt-3.0.0 release candidate 2

Daniel P. Berrange berrange at redhat.com
Tue Jan 17 16:08:12 UTC 2017


On Tue, Jan 17, 2017 at 04:41:57PM +0100, Michal Privoznik wrote:
> On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
> > On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn at redhat.com> wrote:
> >> [Dropping libvirt-announce]
> >>
> >> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
> >>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
> >>>>>>       <target bus="scsi" dev="sda" />
> >>>>>> </disk>
> >>>>>> </xml_snippet>
> >>>>>>
> >>>>>> With v2.5.0 everything has worked. I'll take a closer look to it today.
> >>>> You can try and see if this is a namespace caused issue. Just disable
> >>>> the namespaces and retry. If it succeeds with namespaces disabled, the
> >>>> bug indeed is in my namespaces patches.
> >>>>
> >>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
> >>>>
> >>>> Michal
> >>>
> >>> With disabled namespaces the problem does NOT occur.
> >>>
> >>>
> >>
> >> Okay, can you share the debug logs then please? Both daemon and domain logs.
> >>
> >> Michal
> > 
> > Yes - I'll send you also the important part of audit.log (with SELINUX
> > permissive).
> > 
> > Evaluation with some combinations (0 = no, 1 = yes):
> > 
> > | namespace enabled | SELinux enabled | works |
> > |-------------------|-----------------|-------|
> > |                 0 |               0 |     1 |
> > |                 0 |               1 |     1 |
> > |                 1 |               0 |     1 |
> > |                 1 |               1 |     0 |
> 
> Yeah, I've just managed to reproduce this issue in my environment. And
> something interesting is happening here:
> 
> # grep avc /var/log/audit/audit.log
> type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for
> pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2"
> ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> 
> 
> (I've simplified the disk path in my testing compared to your XML).
> 
> Although, if I disable namespaces I'm still unable to attach the disk. I
> mean the SELinux is still denying the operation.

I see the same behaviour Marc is reporting. If namespaces are enabled,
hotplug fails, if disabled, it works.

When namespaces are disabled I see 2 lines from the sec driver in the logs:

2017-01-17 16:05:50.539+0000: 21387: info : virSecuritySELinuxSetFileconHelper:1155 : Setting SELinux context on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to 'system_u:object_r:svirt_image_t:s0:c203,c529'
2017-01-17 16:05:50.540+0000: 21387: info : virSecurityDACSetOwnershipInternal:555 : Setting DAC user and group on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to '107:107'


with namespaces enabled, those lines never appear and we get the permission
problem.

BTW, your test put the file directly in /tmp - I'd suggest using a subdir
like Marc has, since /tmp has some "special" behaviour with SELinux.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
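The triage steps the thread walks through (grep the audit log for AVC denials against the QEMU process, and check whether the qemu.conf `namespaces` setting leaves libvirt's mount namespace on) as an added shell example; this is not code from the thread or from libvirt. The audit log line is a constructed copy of the one Michal posted, and the conf fragments are constructed inputs; the assumption that an absent `namespaces` line means the mount namespace is enabled follows the libvirt 3.0.0 qemu.conf default (`#namespaces = [ "mount" ]`).

```shell
#!/bin/sh
# Added example, not from the libvirt list thread: pull the SELinux AVC
# denials that hit a QEMU process out of audit log text, and decide from a
# qemu.conf body whether libvirt's mount namespace for QEMU is active.

# Constructed sample audit records (modelled on the denial quoted in the thread).
AUDIT_SAMPLE='type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1484667144.960:323): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"'

# Print one "perm path scontext tcontext" record per AVC denial whose
# comm= matches $1 (e.g. qemu-kvm). Reads $AUDIT_SAMPLE; on a real host you
# would feed /var/log/audit/audit.log instead.
avc_denials() {
    comm="$1"
    printf '%s\n' "$AUDIT_SAMPLE" | awk -v comm="$comm" '
        /type=AVC/ && /denied/ && index($0, "comm=\"" comm "\"") {
            perm = ""; path = ""; sc = ""; tc = ""
            # the denied permission set sits between "{ " and " }"
            if (match($0, /[{] [a-z_ ]+ [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "path")     { path = kv[2]; gsub(/"/, "", path) }
                if (kv[1] == "scontext") sc = kv[2]
                if (kv[1] == "tcontext") tc = kv[2]
            }
            print perm, path, sc, tc
        }'
}

# Read a qemu.conf body on stdin and print "yes" if the mount namespace is
# enabled, "no" otherwise. Assumption (libvirt 3.0.0 default): when no
# uncommented "namespaces = ..." line exists, "mount" is on; the thread's
# workaround, namespaces = [], turns it off.
mount_namespace_enabled() {
    setting=$(sed -n 's/^[[:space:]]*namespaces[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    if [ -z "$setting" ]; then
        echo yes
    elif printf '%s' "$setting" | grep -q '"mount"'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone usage: list denials against qemu-kvm, then evaluate the
# workaround setting from the thread.
avc_denials qemu-kvm
printf 'namespaces = []\n' | mount_namespace_enabled
```

With a real host, replace `$AUDIT_SAMPLE` with `/var/log/audit/audit.log` and pipe `/etc/libvirt/qemu.conf` into `mount_namespace_enabled`; a denial whose scontext is the guest's svirt type and whose tcontext is still the file's original label (here `user_tmp_t`) is the signature of a relabel that never happened, which is what Daniel observes in the missing `virSecuritySELinuxSetFileconHelper` lines.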