[ovirt-devel] SELinux issue with f20 libvirtd

Simone Tiraboschi stirabos at redhat.com
Thu Apr 2 07:13:27 UTC 2015



----- Original Message -----
> From: "Eric Blake" <eblake at redhat.com>
> To: "Nir Soffer" <nsoffer at redhat.com>, "Simone Tiraboschi" <stirabos at redhat.com>
> Cc: devel at ovirt.org
> Sent: Wednesday, April 1, 2015 6:04:18 PM
> Subject: Re: [ovirt-devel] SELinux issue with f20 libvirtd
> 
> On 04/01/2015 09:58 AM, Nir Soffer wrote:
> 
> >>
> >> and /dev/vport2p1 seems to be badly labeled:
> >> crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0
> >> /dev/vport2p1
> >>
> >> I was using:
> >> libvirt-daemon.x86_64            1.1.3.9-1.fc20     @updates
> >> selinux-policy.noarch            3.12.1-197.fc20    @updates
> >> selinux-policy-targeted.noarch   3.12.1-197.fc20    @updates
> >>
> >> The issue doesn't reproduce enabling virt-preview repo and using a fresher
> >> libvirtd.
> >>
> >> Should I open a bug to have something back-ported on f20 libvirt or should we
> >> explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for
> >> master?
> > 
> > I think you should open a bug for libvirt and/or selinux. This is probably an
> > selinux issue, but libvirt guys should be in the loop.
> 
> I'm not sure if there have been any libvirt patches between 1.1.3 and
> 1.2.9 that affect libvirt labeling, or if it is a selinux problem.  But
> if there was a libvirt patch, we can certainly backport it to F20 with a BZ.

Thanks,
it's probably a bit more complex:
I was running it in a nested environment, also using the oVirt guest agent on the VM where I was deploying hosted-engine,
and /dev/vport2p1 is used by the guest agent to communicate with the physical host.
Not sure why, but I got a denial for /usr/sbin/ldconfig trying to access it, and this is enough to prevent libvirtd from starting the engine VM.
I'm not sure, but I think that it's not reproducible in a physical environment.
I opened a bug to track it:
https://bugzilla.redhat.com/show_bug.cgi?id=1208138
  
 
> > If the platform cannot provide a fix for fedora 20, we can require
> > virt-preview.
> > 
> > Adding Eric who can give a better answer.
> > 
> > Nir
> > 
> > 
> 
> --
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
> 
> 


