Comment 14 for bug 1880947

Kashyap Chamarthy (kashyapc) wrote:

With the fix, here is the correct and desired behaviour:

Validate the SELinux labels
---------------------------

On the Compute node, exec into the 'nova_libvirt' container:

    [root@overcloud-0-novacompute-0 ~]# podman exec -it nova_libvirt /bin/bash

SELinux info:

    ()[root@overcloud-0-novacompute-0 /]# getenforce
    Enforcing

    ()[root@overcloud-0-novacompute-0 /]# sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: enforcing
    Mode from config file: enforcing
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Memory protection checking: actual (secure)
    Max kernel policy version: 31

Run `virsh dominfo` for the guest:

    ()[root@overcloud-0-novacompute-0 /]# virsh dominfo instance-00000001
    Id: 1
    Name: instance-00000001
    UUID: 9aa82fee-ee30-44d1-a547-cb283f1edf8c
    OS Type: hvm
    State: running
    CPU(s): 1
    CPU time: 18.9s
    Max memory: 524288 KiB
    Used memory: 524288 KiB
    Persistent: yes
    Autostart: disable
    Managed save: no
    Security model: selinux
    Security DOI: 0
    Security label: system_u:system_r:svirt_t:s0:c643,c979 (enforcing)

SELinux label of the running QEMU processes:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
    system_u:system_r:svirt_t:s0:c496,c549 216371 ? 00:01:30 qemu-kvm

SELinux label for the QEMU binary file:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/libexec/qemu-kvm
    -rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 16356584 Apr 6 20:47 /usr/libexec/qemu-kvm

SELinux label for the libvirtd process:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep libvirtd
    system_u:system_r:spc_t:s0 209874 ? 00:00:01 libvirtd

SELinux label for the libvirtd binary file:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /usr/sbin/libvirtd
    -rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 618304 Dec 20 01:11 /usr/sbin/libvirtd

                * * *

Capture evidence that sVirt is in effect
----------------------------------------

Enumerate the running guests:

    ()[root@overcloud-0-novacompute-0 /]# virsh list
     Id   Name                 State
    -----------------------------------
     1    instance-00000001    running

Enumerate the disk images the above guests are using:

    ()[root@overcloud-0-novacompute-0 /]# virsh domblklist 1
     Target   Source
    -----------------------------------------------------------------------------
     vda      /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

Check the SELinux labels for the above disk image:

    ()[root@overcloud-0-novacompute-0 /]# ls -lZ /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk
    -rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c496,c549 59113472 Jun 17 11:46 /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

They match the labels for the corresponding QEMU processes:

    ()[root@overcloud-0-novacompute-0 /]# ps -eZ | grep qemu
    system_u:system_r:svirt_t:s0:c496,c549 216371 ? 00:02:00 qemu-kvm

Squint your eyes and notice that the QEMU process and its corresponding
disk image have the matching SELinux label. In this case, the
'qemu-kvm' process for instance-00000001 & its disk image, both have the
matching labels: s0:c496,c549

                * * *
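The manual comparison in the comment above (label reported for the guest versus the label on each disk image it opens) can be scripted so it runs over every guest on a compute node. The script below is an added example; it is not part of the bug comment, of Nova, or of libvirt. It assumes the same tools the comment uses inside the nova_libvirt container (`virsh`, GNU `stat -c %C` for the file context) and, for the offline demonstration, uses constructed `virsh dominfo` / `virsh domblklist` text modelled on the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the bug comment, Nova or libvirt): verify sVirt
# isolation by checking that the MCS categories libvirt assigned to a guest
# match the categories on every disk image the guest opens.
# Assumes virsh and GNU coreutils (stat -c %C) inside the nova_libvirt
# container, as in the comment above.
set -u

# Third field of a SELinux context: the type (svirt_t, svirt_image_t, ...).
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Fourth field onward: sensitivity plus MCS categories (e.g. s0:c496,c549).
ctx_mcs()  { printf '%s\n' "$1" | cut -d: -f4-; }

# Parse the "Security label:" line of `virsh dominfo` text on stdin and print
# only the context, dropping the trailing "(enforcing)".
dominfo_label() {
    sed -n 's/^Security label:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Parse `virsh domblklist` text on stdin and print one source path per line,
# skipping the header, the rule line and devices with no backing file ("-").
domblklist_sources() {
    awk 'NR > 2 && NF >= 2 && $2 != "-" { print $2 }'
}

# Return 0 only for the pair sVirt is expected to produce: a svirt_t process
# and a svirt_image_t file carrying identical MCS categories. Anything else
# means the guest is unconfined or the image is reachable by other guests.
check_pair() {
    local proc_ctx=$1 file_ctx=$2
    [ "$(ctx_type "$proc_ctx")" = svirt_t ] || return 1
    [ "$(ctx_type "$file_ctx")" = svirt_image_t ] || return 1
    [ "$(ctx_mcs "$proc_ctx")" = "$(ctx_mcs "$file_ctx")" ]
}

# Live check for one running domain: prints one OK/MISMATCH line per disk and
# returns non-zero if any disk does not carry the guest's categories.
audit_domain() {
    local dom=$1 rc=0 label sources src file_ctx
    label=$(virsh dominfo "$dom" | dominfo_label)
    if [ -z "$label" ]; then
        echo "$dom: no SELinux label reported (sVirt not in effect?)"
        return 2
    fi
    sources=$(virsh domblklist "$dom" | domblklist_sources)
    for src in $sources; do
        file_ctx=$(stat -c %C -- "$src") || { rc=1; continue; }
        if check_pair "$label" "$file_ctx"; then
            echo "OK       $dom $src $(ctx_mcs "$label")"
        else
            echo "MISMATCH $dom $src proc=$label file=$file_ctx"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, modelled on the comment above, for offline use.
SAMPLE_DOMINFO='Id: 1
Name: instance-00000001
Security model: selinux
Security DOI: 0
Security label: system_u:system_r:svirt_t:s0:c496,c549 (enforcing)'

SAMPLE_BLKLIST=' Target   Source
------------------------------------------------------------------------
 vda      /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk
 sda      -
'

# Offline demonstration: parse the samples and compare against the disk
# context shown in the comment. Returns 0 when the labels match.
demo() {
    local label
    label=$(printf '%s\n' "$SAMPLE_DOMINFO" | dominfo_label)
    check_pair "$label" 'system_u:object_r:svirt_image_t:s0:c496,c549'
}

# With --live, audit every running guest on this compute node.
if [ "${1:-}" = --live ]; then
    for d in $(virsh list --name); do
        audit_domain "$d" || exit 1
    done
fi
```

Run it as `bash svirt-check.sh --live` inside the nova_libvirt container. Two caveats: the script takes the guest label from `virsh dominfo`, so pairing it with `ps -eZ`, as the comment does, remains a useful independent check that the running qemu-kvm process really carries that label; and a disk deliberately shared read-only between guests is labelled differently by design, so a MISMATCH on such a disk has to be judged against the intended sharing rather than treated as a sVirt failure.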