Bug 1011063 - libvirt doesn't label backing sockets (eg. where a qcow2 file references an NBD resource as backing file)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs
Reported: 2013-09-23 14:47 UTC by Richard W.M. Jones
Modified: 2016-04-26 21:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-10 14:55:04 UTC
Embargoed:



Description Richard W.M. Jones 2013-09-23 14:47:08 UTC
Description of problem:

In qemu it's possible to set arbitrary "URIs" as backing sources.
Where by "URI" I mean some qemu URI such as nbd://...  e.g.:

$ getenforce 
Enforcing

$ nbdkit -r /usr/lib64/nbdkit/plugins/nbdkit-xz-plugin.so \
      file=/tmp/f17x64.img.xz -f -U /tmp/socket &

$ qemu-img create -f qcow2 -b 'nbd:unix:/tmp/socket' overlay.qcow2
Formatting 'overlay.qcow2', fmt=qcow2 size=34359738368 backing_file='nbd:unix:/tmp/socket' encryption=off cluster_size=65536 lazy_refcounts=off 
$ qemu-img info overlay.qcow2 
image: overlay.qcow2
file format: qcow2
virtual size: 32G (34359738368 bytes)
disk size: 196K
cluster_size: 65536
backing file: nbd:unix:/tmp/socket    <--- note

$ guestfish -a overlay.qcow2 -i -v
[...]
libguestfs: [06549ms] launch libvirt guest
libguestfs: error: could not create appliance through libvirt: internal error process exited while connecting to monitor: qemu-system-x86_64: -drive file=/tmp/overlay.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback: Failed to connect to socket: Permission denied
qemu-system-x86_64: -drive file=/tmp/overlay.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback: could not open disk image /tmp/overlay.qcow2: Permission denied
 [code=1 domain=10]

$ killall nbdkit ; rm /tmp/socket

The SELinux error is:

time->Mon Sep 23 15:44:55 2013
type=SYSCALL msg=audit(1379947495.028:30674): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fff50eb1e80 a2=6e a3=b items=0 ppid=1 pid=13478 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:system_r:svirt_t:s0:c244,c608 key=(null)
type=AVC msg=audit(1379947495.028:30674): avc:  denied  { write } for  pid=13478 comm="qemu-system-x86" name="socket" dev="dm-2" ino=1968389 scontext=unconfined_u:system_r:svirt_t:s0:c244,c608 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file

which indicates that the socket has not been relabelled.

Version-Release number of selected component (if applicable):

libvirt-1.0.5.5-1.fc19.x86_64

How reproducible:

100%

Steps to Reproduce:
1. See above.

Additional information:

This works fine if SELinux is permissive.
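
An added check, not part of this report and not libvirt code: the script below takes the parsed output of `qemu-img info --backing-chain --output=json`, picks out any link whose backing store is an NBD server reached over a Unix socket (qemu's legacy `nbd:unix:/path[:exportname=NAME]` form and the `nbd+unix:///export?socket=/path` URI form), parses the AVC record quoted above, and derives the label the socket would have needed: svirt_image_t carrying the guest's own MCS categories from scontext. The JSON sample is constructed here to match the overlay above; the chcon line it prints is a manual workaround suggested here, not something the report describes.

```python
#!/usr/bin/env python3
"""Added example (not from the bug report, not libvirt code).

Finds qcow2 images whose backing store is an NBD server reached over a Unix
socket, and from the AVC record works out the sVirt label that socket should
have carried.  Sample data is constructed inline; the chcon command is a manual
workaround suggested here, not something the report describes.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for `qemu-img info --backing-chain --output=json overlay.qcow2`.
SAMPLE_CHAIN = json.loads("""[
  {"filename": "overlay.qcow2", "format": "qcow2", "virtual-size": 34359738368,
   "backing-filename": "nbd:unix:/tmp/socket", "backing-filename-format": "raw"}
]""")

# The AVC record quoted in the report.
AVC_LINE = ('type=AVC msg=audit(1379947495.028:30674): avc:  denied  { write } for  '
            'pid=13478 comm="qemu-system-x86" name="socket" dev="dm-2" ino=1968389 '
            'scontext=unconfined_u:system_r:svirt_t:s0:c244,c608 '
            'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file')


def nbd_unix_socket(backing):
    """Return the socket path if `backing` is a qemu NBD spec over a Unix socket, else None.

    Legacy syntax:  nbd:unix:/path[:exportname=NAME]
    URI syntax:     nbd+unix:///export?socket=/path
    TCP forms (nbd:host:port, nbd://host/export) give None: there is no socket file to label.
    """
    if backing.startswith("nbd:unix:"):
        return backing[len("nbd:unix:"):].split(":exportname=", 1)[0]
    if backing.startswith("nbd+unix://"):
        return parse_qs(urlparse(backing).query).get("socket", [None])[0]
    return None


def socket_backings(chain):
    """(image, socket) pairs for every link in a parsed --backing-chain listing
    whose backing store is an NBD Unix socket rather than a file."""
    found = []
    for img in chain:
        sock = nbd_unix_socket(img.get("backing-filename", ""))
        if sock:
            found.append((img["filename"], sock))
    return found


AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Pull permissions, contexts, object class and object name out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    name = re.search(r'name="([^"]*)"', line)
    rec["name"] = name.group(1) if name else None
    return rec


def expected_socket_label(avc):
    """Label sVirt would have applied to the socket: svirt_image_t carrying the
    guest's own MCS categories (taken from scontext).  None if this AVC is not a
    svirt_t guest denied on a sock_file, or if the socket already has that label."""
    _, _, stype, level = avc["scontext"].split(":", 3)
    if stype != "svirt_t" or avc["tclass"] != "sock_file":
        return None
    _, _, ttype, tlevel = avc["tcontext"].split(":", 3)
    if ttype == "svirt_image_t" and tlevel == level:
        return None
    return "system_u:object_r:svirt_image_t:" + level


def chcon_command(path, label):
    """argv for the manual workaround: set type and MCS range on the socket by hand."""
    _, _, stype, level = label.split(":", 3)
    return ["chcon", "-t", stype, "-l", level, path]


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    for image, sock in socket_backings(SAMPLE_CHAIN):
        print(f"{image}: backing store is NBD over Unix socket {sock}")
        label = expected_socket_label(avc)
        if label and avc["name"] == sock.rsplit("/", 1)[-1]:
            print("  denied:", " ".join(avc["perms"]), "on", avc["tcontext"])
            print("  expected:", label)
            print("  workaround:", " ".join(chcon_command(sock, label)))
```

The categories are the point. Labelling the socket svirt_image_t:s0 with no categories, or running permissive as the report notes works, lets every guest on the host connect to that NBD server; the per-domain categories are exactly the isolation sVirt exists to give. libvirt also picks fresh categories on each start, and the label goes away when nbdkit recreates the socket, so the chcon line is a one-boot diagnostic aid, not a substitute for libvirt labelling the socket itself.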

Comment 1 Richard W.M. Jones 2013-09-23 14:50:18 UTC
BTW this is no mere theoretical oddity.  It affects a useful
use-case for virt-resize:
http://rwmj.wordpress.com/2013/09/23/virt-resize-from-an-nbd-source/#content

Comment 2 Cole Robinson 2016-04-10 14:55:04 UTC
Following those steps with F24 libvirt works fine... the appliance starts up (verified I could see seabios output in the logs). So this appears to be fixed.

