On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
> On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
>> [Dropping libvirt-announce]
>>
>> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
>>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
>>>>>> <target bus="scsi" dev="sda" />
>>>>>> </disk>
>>>>>> </xml_snippet>
>>>>>>
>>>>>> With v2.5.0 everything has worked. I'll take a closer look at it today.
>>>> You can try and see if this is a namespace-caused issue. Just disable
>>>> the namespaces and retry. If it succeeds with namespaces disabled, the
>>>> bug indeed is in my namespaces patches.
>>>>
>>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
>>>>
>>>> Michal
>>>
>>> With disabled namespaces the problem does NOT occur.
>>>
>>
>> Okay, can you share the debug logs then please? Both daemon and domain logs.
>>
>> Michal
>
> Yes - I'll send you also the important part of audit.log (with SELINUX
> permissive).
>
> Evaluation with some combinations (0 = no, 1 = yes):
>
> | namespace enabled | SELinux enabled | works |
> |-------------------|-----------------|-------|
> | 0                 | 0               | 1     |
> | 0                 | 1               | 1     |
> | 1                 | 0               | 1     |
> | 1                 | 1               | 0     |

Yeah, I've just managed to reproduce this issue in my environment. And
something interesting is happening here:

# grep avc /var/log/audit/audit.log
type=AVC msg=audit(1484667144.960:323): avc: denied { open } for pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

(I've simplified the disk path in my testing compared to your XML).

Although, if I disable namespaces I'm still unable to attach the disk. I
mean, SELinux is still denying the operation.

Michal