On Tue, Jan 17, 2017 at 04:41:57PM +0100, Michal Privoznik wrote:
> On 01/17/2017 04:28 PM, Marc Hartmayer wrote:
> > On Tue, Jan 17, 2017 at 03:28 PM +0100, Michal Privoznik <mprivozn@xxxxxxxxxx> wrote:
> >> [Dropping libvirt-announce]
> >>
> >> On 01/17/2017 02:51 PM, Boris Fiuczynski wrote:
> >>> On 01/17/2017 02:21 PM, Michal Privoznik wrote:
> >>>>>>         <target bus="scsi" dev="sda" />
> >>>>>>     </disk>
> >>>>>> </xml_snippet>
> >>>>>>
> >>>>>> With v2.5.0 everything has worked. I'll take a closer look at it today.
> >>>> You can try and see if this is a namespace-caused issue. Just disable
> >>>> the namespaces and retry. If it succeeds with namespaces disabled, the
> >>>> bug indeed is in my namespaces patches.
> >>>>
> >>>> btw: to disable namespaces set: namespaces=[] in /etc/libvirt/qemu.conf
> >>>>
> >>>> Michal
> >>>
> >>> With disabled namespaces the problem does NOT occur.
> >>>
> >>>
> >>
> >> Okay, can you share the debug logs then please? Both daemon and domain logs.
> >>
> >> Michal
> >
> > Yes - I'll send you also the important part of audit.log (with SELINUX
> > permissive).
> >
> > Evaluation with some combinations (0 = no, 1 = yes):
> >
> > | namespace enabled | SELinux enabled | works |
> > |-------------------|-----------------|-------|
> > |         0         |        0        |   1   |
> > |         0         |        1        |   1   |
> > |         1         |        0        |   1   |
> > |         1         |        1        |   0   |
>
> Yeah, I've just managed to reproduce this issue in my environment. And
> something interesting is happening here:
>
> # grep avc /var/log/audit/audit.log
> type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for
> pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2"
> ino=17080167 scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
>
> (I've simplified the disk path in my testing compared to your XML).
>
> Although, if I disable namespaces I'm still unable to attach the disk. I
> mean the SELinux is still denying the operation.
I see the same behaviour Marc is reporting. If namespaces are enabled,
hotplug fails; if disabled, it works.

When namespaces are disabled I see 2 lines from the sec driver in the logs:

2017-01-17 16:05:50.539+0000: 21387: info : virSecuritySELinuxSetFileconHelper:1155 : Setting SELinux context on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to 'system_u:object_r:svirt_image_t:s0:c203,c529'
2017-01-17 16:05:50.540+0000: 21387: info : virSecurityDACSetOwnershipInternal:555 : Setting DAC user and group on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to '107:107'

With namespaces enabled, those lines never appear and we get the permission problem.

BTW, your test put the file directly in /tmp - I'd suggest using a subdir
like Marc has, since /tmp has some "special" behaviour with SELinux.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
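The diagnosis in the thread rests on comparing two things: the AVC record (which qemu process label was denied access to which file label) and whether libvirt's SELinux driver ever logged a relabel of that disk. The script below is an added example, not code from the thread or from libvirt; it parses the AVC line Michal posted (joined onto one physical line, as auditd writes it) and the two `info` lines Daniel posted, and reports whether the denied file carries the `svirt_image_t` type with the same MCS categories as the qemu process, or was never relabelled at all. The function names (`parse_avc`, `relabel_log`, `diagnose`) and the expected-type constant are my own assumptions; the label and log formats are taken as they appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AVC record from the thread, joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1484667144.960:323): avc:  denied  { open } for '
    'pid=32367 comm="qemu-kvm" path="/tmp/disk1.qcow2" dev="vda2" ino=17080167 '
    'scontext=system_u:system_r:svirt_tcg_t:s0:c551,c756 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'
)

# Constructed sample input: the two security-driver lines Daniel saw with namespaces disabled.
LIBVIRTD_LOG = [
    "2017-01-17 16:05:50.539+0000: 21387: info : virSecuritySELinuxSetFileconHelper:1155 : "
    "Setting SELinux context on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to "
    "'system_u:object_r:svirt_image_t:s0:c203,c529'",
    "2017-01-17 16:05:50.540+0000: 21387: info : virSecurityDACSetOwnershipInternal:555 : "
    "Setting DAC user and group on '/tmp/virtd-test_e3hnhh5/disk1.qcow2' to '107:107'",
]

# Type libvirt's SELinux driver assigns to disk images (assumption based on the log line above).
IMAGE_TYPE = "svirt_image_t"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
SETCON_RE = re.compile(r"Setting SELinux context on '(?P<path>[^']+)' to '(?P<label>[^']+)'")


@dataclass(frozen=True)
class Label:
    """An SELinux context split into user:role:type:mls."""
    user: str
    role: str
    type: str
    mls: str  # e.g. "s0:c551,c756" or just "s0"

    @classmethod
    def parse(cls, text: str) -> "Label":
        user, role, typ, mls = text.split(":", 3)
        return cls(user, role, typ, mls)

    @property
    def categories(self) -> frozenset:
        """MCS categories, e.g. {'c551', 'c756'}; empty for a plain 's0'."""
        parts = self.mls.split(":", 1)
        if len(parts) < 2 or not parts[1]:
            return frozenset()
        return frozenset(parts[1].split(","))


def parse_avc(line: str) -> Optional[dict]:
    """Return the key=value fields of an AVC denial, plus the denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def relabel_log(lines) -> dict:
    """Map path -> label for every relabel the SELinux driver logged."""
    out = {}
    for line in lines:
        m = SETCON_RE.search(line)
        if m:
            out[m.group("path")] = m.group("label")
    return out


def diagnose(avc: dict, relabels: dict) -> str:
    """Explain a file AVC in terms of what the security driver should have done."""
    if avc.get("tclass") != "file":
        return "not a file denial"
    path = avc["path"]
    proc = Label.parse(avc["scontext"])
    obj = Label.parse(avc["tcontext"])
    if obj.type != IMAGE_TYPE:
        if path not in relabels:
            return (f"{path} is still {obj.type} and no relabel was logged for it: "
                    f"the security driver never ran on this file")
        return f"{path} is {obj.type} although a relabel to {relabels[path]} was logged"
    if obj.categories != proc.categories:
        return (f"{path} is {IMAGE_TYPE} but its categories {sorted(obj.categories)} "
                f"differ from the process's {sorted(proc.categories)}")
    return "labels consistent; denial has another cause"


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(diagnose(avc, relabel_log(LIBVIRTD_LOG)))
```

Run against the thread's own data it reports that `/tmp/disk1.qcow2` is still `user_tmp_t` with no relabel logged, which is exactly the namespaces-enabled symptom Daniel describes. The category check matters on a real host because every domain gets its own `cX,cY` pair: a disk labelled `svirt_image_t` for one guest is still denied to a qemu process carrying a different pair.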