Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1066285 - Fail to restore guest from the save file while set the static selinux lable for the guest and set the relabel='no' in the guest's xml
Summary: Fail to restore guest from the save file while set the static selinux lable f...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.5
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Martin Kletzander
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1066280
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-18 08:17 UTC by zhenfeng wang
Modified: 2014-04-16 20:01 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1066280
Environment:
Last Closed: 2014-04-04 21:26:41 UTC


Attachments (Terms of Use)

Description zhenfeng wang 2014-02-18 08:17:43 UTC
+++ This bug was initially created as a clone of Bug #1066280 +++

Description of problem:
Fail to restore guest from the save file while the save file located in the root directory, also
have set the static selinux lable for the guest and set the relabel='no' in the guest's xml

Version-Release number of selected component (if applicable):
kernel-3.10.0-88.el7.x86_64
qemu-kvm-rhev-1.5.3-47.el7.x86_64
libvirt-1.1.1-23.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-125.el7.noarch
How reproducible:
100%

Steps
1.# getenforce
Enforcing
2.Prepare a normal guest,add the following xml to the guest'xml
--
--
<seclabel type='static' model='selinux' relabel='no'>
    <label>system_u:system_r:svirt_t:s0:c311,c611</label>
  </seclabel>
--

3.Change the guest image's lable which should be the same with the step2
#chcon system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img

# ll -Z /var/lib/libvirt/images/rhel7raw.img
-rw-------. root root system_u:object_r:svirt_image_t:s0:c311,c611 /var/lib/libvirt/images/rhel7.img

4.Start the guest
# virsh start rhel7
Domain rhel7 started

5.Save the guest to the root directory while the guest start completely
# virsh save rhel7 rhel7.save

Domain rhel7 saved to rhel7.save

6.Restore the guest, will report the following error
# virsh restore rhel7.save
error: Failed to restore domain from rhel7.save
error: internal error: early end of file from monitor: possible problem:
load of migration failed

7.Check the audit.log info
# ausearch -m avc -ts recent
time->Mon Feb 17 17:34:23 2014
type=SYSCALL msg=audit(1392629663.465:198): arch=c000003e syscall=59 success=yes exit=0 a0=7f4af000b1c0 a1=7f4af000bbe0 a2=7f4af000b1e0 a3=8 items=0 ppid=1 pid=11010 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c311,c611 key=(null)
type=AVC msg=audit(1392629663.465:198): avc:  denied  { read } for  pid=11010 comm="qemu-kvm" path="/root/rhel7.save" dev="sda1" ino=137136833 scontext=system_u:system_r:svirt_t:s0:c311,c611 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

8.The virsh restore opertion can be operated successfully if i copy the save file in step5 to another directory, such as /tmp
#cp test.save /tmp/test.save
#virsh restore /tmp/test.save
Domain restored from /tmp/rhel7.save

9.The step6 can be operated successfully if i use the default dynamic selinux label

Comment 1 zhenfeng wang 2014-02-18 08:25:29 UTC
I got a little different result while operation the steps in bug 1066280 in rhel6.5.z, the guest can restored, however the guest would stay in paused status after we restored the guest from the save file, moreover it will report error while we resume the guest  

pkginfo
libvirt-0.10.2-29.el6_5.4.x86_64
qemu-kvm-rhev-0.12.1.2-2.415.el6_5.4.x86_64
kernel-2.6.32-440.el6.x86_64
selinux-policy-3.7.19-231.el6.noarch

steps
1.Excute step 1~5 in comment0 in rhel6.5.z host

2.Restore the guest, didn't get error , however the guest was stay in paused status and it will report error if i resume it

# virsh restore test.save
Domain restored from /tmp/test.save

# virsh list
 Id    Name                           State
----------------------------------------------------
 15    test                           paused

# virsh resume test
error: Failed to resume domain test
error: internal error Unable to append command 'id' string

3.Check the audit log in the host, we didn't find any avc deny info

4.Got the same result with step2 in this comment, evenif i copy the save file to another directory, such as /tmp

5.The step2 in this comment can get expected result if i use the default dynamic selinux label

Comment 4 RHEL Product and Program Management 2014-04-04 21:26:41 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.


Note You need to log in before you can comment on or make changes to this bug.