On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik
<mprivozn(a)redhat.com> wrote:
> [Dropping libvirt-announce]
>
> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
>>>>> <target bus="scsi" dev="sda" />
>>>>> </disk>
>>>>> </xml_snippet>
>>>>>
>>>>> With v2.5.0 everything has worked. I'll take a closer look at it today.
>>> You can try and see if this is a namespace caused issue. Just disable
>>> the namespaces and retry. If it succeeds with namespaces disabled, the
>>> bug indeed is in my namespaces patches.
>>>
>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
>>>
>>> Michal
>>
>> With disabled namespaces the problem does NOT occur.
>>
>>
>
> Okay, can you share the debug logs then please? Both daemon and domain logs.
>
> Michal

Yes - I'll send you also the important part of audit.log (with SELinux
permissive).

Evaluation with some combinations (0 = no, 1 = yes):

| namespace enabled | SELinux enabled | works |
|-------------------|-----------------|-------|
| 0 | 0 | 1 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
Yeah, I've just managed to reproduce this issue in my environment. And
something interesting is happening here:

# grep avc /var/log/audit/audit.log
type=AVC msg=audit(1484667144.960:323): avc: denied { open } for pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

(I've simplified the disk path in my testing compared to your XML).
Although, if I disable namespaces I'm still unable to attach the disk. I
mean SELinux is still denying the operation.
Michal
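
Added example, not part of the original thread and not libvirt code: a small Python parser for AVC records like the one quoted above. It splits the source and target contexts into user, role, type and level, and counts denials by type pair, class and permission. The sample input is the record from the thread joined onto one line; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    'type=AVC msg=audit(1484667144.960:323): avc: denied { open } for '
    'pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" '
    'ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the level keeps its own colons (s0:c551,c756)."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else ""}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    rec.update(timestamp=float(m["ts"]), serial=int(m["serial"]),
               result=m["result"], perms=m["perms"].split())
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    return rec


def summarize_denials(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext"]["type"], rec["tcontext"]["type"],
                        rec["tclass"], perm)] += 1
    return counts
```

Run over the sample, the summary has a single entry: svirt_tcg_t denied open on a file labelled user_tmp_t.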