On Tue, Jan 17, 2017 at 04:41:57PM +0100, Michal Privoznik wrote:
On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
> On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn(a)redhat.com> wrote:
>> [Dropping libvirt-announce]
>>
>> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
>>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
>>>>>> <target bus="scsi" dev="sda" />
>>>>>> </disk>
>>>>>> </xml_snippet>
>>>>>>
>>>>>> With v2.5.0 everything has worked. I'll take a closer look at it today.
>>>> You can try and see if this is a namespace caused issue. Just disable
>>>> the namespaces and retry. If it succeeds with namespaces disabled, the
>>>> bug indeed is in my namespaces patches.
>>>>
>>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
>>>>
>>>> Michal
>>>
>>> With disabled namespaces the problem does NOT occur.
>>>
>>>
>>
>> Okay, can you share the debug logs then please? Both daemon and domain logs.
>>
>> Michal
>
> Yes - I'll send you also the important part of audit.log (with SELINUX
> permissive).
>
> Evaluation with some combinations (0 = no, 1 = yes):
>
> | namespace enabled | SELinux enabled | works |
> |-------------------|-----------------|-------|
> | 0 | 0 | 1 |
> | 0 | 1 | 1 |
> | 1 | 0 | 1 |
> | 1 | 1 | 0 |
Yeah, I've just managed to reproduce this issue in my environment. And
something interesting is happening here:
# grep avc /var/log/audit/audit.log
type=AVC msg=audit(1484667144.960:323): avc: denied { open } for pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
(I've simplified the disk path in my testing compared to your XML).
Although, if I disable namespaces I'm still unable to attach the disk. I
mean the SELinux is still denying the operation.
The problem is the qemuSecuritySetDiskLabel() method. It skips labelling
the disk if namespaces are enabled, with the claim that the namespace
code already labelled stuff. This is not true though, the namespace code
only labelled block devices, not file backed devices.
I'm not seeing an immediately easy fix for this since we can't tell the
security driver to only label file backed devices.
I think we need to take the security manager code out of the
qemuDomainAttachDeviceMknodHelper method, and then change the
qemuSecuritySetDiskLabel() method to run inside the namespace.
I'm thinking we've hit the limit of what we should try to force into the
3.0.0 release.
My vote at this point is to change the code so that namespaces are
disabled out of the box, and do a 3.0.0 release. Look at fixing the
bugs to turn it back on by default in 3.1.0.
Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-       http://search.cpan.org/~danberr/ :|
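The AVC record Michal quotes is the tell-tale symptom of this bug: a confined qemu process (svirt_*_t) denied access to a disk file that still carries its original type (user_tmp_t) instead of the svirt_image_t label libvirt should have applied. The following is an added example, not code from the thread or from libvirt, that scans audit.log lines for exactly that pattern; the sample log lines are constructed (the first one is the record from the thread, the second a correctly labelled disk for contrast).

```python
import re

# Constructed sample audit.log content: the first record is the denial quoted
# in the thread, the second is a denial on a correctly labelled disk (so it is
# NOT a relabelling failure), the third is an unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for  pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1484667150.100:330): avc:  denied  { read } for  pid=32367 comm="qemu-kvm" path="/var/lib/libvirt/images/ok.qcow2" dev="vda2" ino=17080200 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=system_u:object_r:svirt_image_t:s0:c551,c756 tclass=file
type=SYSCALL msg=audit(1484667144.960:323): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (path, comm) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def unlabelled_disk_denials(log_text):
    """Return AVC denials where a confined qemu domain (svirt_*_t source type)
    was refused a file whose type is not svirt_image_t, i.e. a disk that the
    namespace/security-driver path failed to relabel (the bug in the thread)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        source_type = rec["scontext"].split(":")[2]   # user:role:type:range
        target_type = rec["tcontext"].split(":")[2]
        if source_type.startswith("svirt_") and target_type != "svirt_image_t":
            hits.append(rec)
    return hits
```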