With the fix, here is the correct and desired behaviour:
Validate the SELinux labels
---------------------------

On the Compute node, exec into the 'nova_libvirt' container:

[root@overcloud-0-novacompute-0 ~]# podman exec -it nova_libvirt /bin/bash

SELinux info:

()[root@overcloud-0-novacompute-0 /]# getenforce
Enforcing

()[root@overcloud-0-novacompute-0 /]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Run `virsh dominfo` for the guest:

()[root@overcloud-0-novacompute-0 /]# virsh dominfo instance-00000001
Id:             1
Name:           instance-00000001
UUID:           9aa82fee-ee30-44d1-a547-cb283f1edf8c
OS Type:        hvm
State:          running
CPU(s):         1
CPU time:       18.9s
Max memory:     524288 KiB
Used memory:    524288 KiB
Persistent:     yes
Autostart:      disable
Managed save:   no
Security model: selinux
Security DOI:   0
Security label: system_u:system_r:svirt_t:s0:c643,c979 (enforcing)

SELinux label of the running QEMU processes:

()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c496,c549 216371 ?        00:01:30 qemu-kvm

SELinux label for the QEMU binary file:

()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/libexec/qemu-kvm
-rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 16356584 Apr  6 20:47 /usr/libexec/qemu-kvm

SELinux label for the libvirtd process:

()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep libvirtd
system_u:system_r:spc_t:s0             209874 ?        00:00:01 libvirtd

SELinux label for the libvirtd binary file:

()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/sbin/libvirtd
-rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 618304 Dec 20 01:11 /usr/sbin/libvirtd
* * *
Capture evidence that sVirt is in effect
----------------------------------------

Enumerate the running guests:

()[root@overcloud-0-novacompute-0 /]# virsh list
 Id   Name                State
-----------------------------------
 1    instance-00000001   running

Enumerate the disk images the above guests are using:

()[root@overcloud-0-novacompute-0 /]# virsh domblklist 1
 Target   Source
-----------------------------------------------------------------------------
 vda      /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

Check the SELinux labels for the above disk image:

()[root@overcloud-0-novacompute-0 /]# ls -lZ /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk
-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c496,c549 59113472 Jun 17 11:46 /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

They match the labels for the corresponding QEMU processes:

()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c496,c549 216371 ?        00:02:00 qemu-kvm

Squint your eyes and notice that the QEMU process and its corresponding disk image have the matching SELinux label. In this case, the 'qemu-kvm' process for instance-00000001 and its disk image both have the matching label: s0:c496,c549
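The manual comparison above (process label from `virsh dominfo`, image label from `ls -Z`, eyeball the category pair) can be scripted so it covers every running guest and every disk at once. The script below is an added example, not part of the original report or of the nova/libvirt code; it assumes it is run inside the nova_libvirt container where `virsh`, `awk` and GNU `stat` (for `stat -c %C`) are available, and that `virsh list --name` and `virsh domblklist` produce the layouts shown above. The pure helper functions can be exercised without a hypervisor; the live walk only runs when invoked with `--live`.

```shell
#!/bin/sh
# Added example (not from the original report): check that every running
# guest's QEMU process and its disk images share the same sVirt MCS
# categories, i.e. that the per-guest isolation shown above holds host-wide.
# Usage inside nova_libvirt:  sh svirt-check.sh --live

# mcs_of CONTEXT: print only the MLS/MCS level of a full SELinux context,
#   system_u:system_r:svirt_t:s0:c496,c549  ->  s0:c496,c549
mcs_of() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# type_of CONTEXT: print only the type field (svirt_t, svirt_image_t, ...)
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# labels_match PROC_CTX FILE_CTX
# Exit 0 only when the process is confined as svirt_t, the image is labelled
# svirt_image_t, and both carry exactly the same category pair. A process
# still running as spc_t (unconfined, the pre-fix situation) or an image left
# with a non-svirt type therefore fails the check.
labels_match() {
    [ "$(type_of "$1")" = "svirt_t" ] || return 1
    [ "$(type_of "$2")" = "svirt_image_t" ] || return 1
    [ "$(mcs_of "$1")" = "$(mcs_of "$2")" ]
}

# guest_context NAME: the "Security label:" value from `virsh dominfo`,
# i.e. the third whitespace-separated field of that line (the trailing
# "(enforcing)" annotation is a separate field and is dropped).
guest_context() {
    virsh dominfo "$1" | awk '/^Security label:/ { print $3 }'
}

# guest_disks NAME: the Source column of `virsh domblklist`, skipping the
# two header lines and any device without a backing file ("-").
guest_disks() {
    virsh domblklist "$1" | awk 'NR > 2 && NF >= 2 && $2 != "-" { print $2 }'
}

# check_host: walk every running guest and print one OK/FAIL line per disk.
# Returns non-zero if any image is not confined to its own guest's categories.
check_host() {
    rc=0
    for dom in $(virsh list --name); do
        pctx=$(guest_context "$dom")
        for disk in $(guest_disks "$dom"); do
            fctx=$(stat -c %C -- "$disk")   # SELinux context of the image file
            if labels_match "$pctx" "$fctx"; then
                echo "OK   $dom $disk $(mcs_of "$fctx")"
            else
                echo "FAIL $dom $disk proc=$pctx file=$fctx"
                rc=1
            fi
        done
    done
    return $rc
}

case "${1-}" in
    --live) check_host ;;
esac
```

A FAIL line is the signal that an image is readable by a QEMU process other than its owner (or by none at all, which usually shows up as a guest that refuses to start): either the category pairs differ, as they would if an image were relabelled by hand, or one side is not an svirt type at all, as in the pre-fix state where QEMU inherited the container's spc_t label. Note that `virsh dominfo` reports the label the guest was started with, so it only matches the `ps -eZ` output taken at the same time; the transcript above happens to show a different pair in `dominfo` than in `ps`, which is what you see when the guest has been restarted between the two captures.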