Hi guys, Thank you very much for the detailed explanation.
With the mount namespace feature turned off, there were no SELinux denials. Michal I saw your commit <https://gitlab.com/libvirt/libvirt/-/commit/22188790cad490f51e73dabcac65736c3b8871a7>, where firstly the existence of devices is checked. I assume when some correction is required, virtqemud will still need unlink permission, right? Nikola On Mon, Mar 14, 2022 at 1:12 PM Michal Prívozník <mpriv...@redhat.com> wrote: > On 3/14/22 12:45, Martin Kletzander wrote: > > [adding back libvir-list to the Cc] > > > > On Fri, Mar 11, 2022 at 03:55:03PM +0100, Nikola Knazekova wrote: > >> Hey Martin, > >> > >> thanks for your resposne. > >> > >> I don't know if it is happening in the mount namespace. Can you look > >> at the > >> logs in attachment? > >> > >> It was happening on clear install on F35, F36 and on older versions > >> probably too. > >> But it is only an issue in the new selinux policy for libvirt. In old > >> selinux policy is allowed for virtd to unlink /dev/urandom char files. > >> I just wanted to be sure if it is ok to allow it for virtqemud. > >> > > > > That actually might be the case, that it actually does set the context > > on /dev/urandom correctly and then the unlink fails for virtqemud since > > the selinux policy only accounts for libvirtd even though we switched to > > modular daemons making virtqemud the one to do the work. > > > > @Michal can you confirm what I'm guessing here since you did a lot of > > the mount namespace work which I presume is what contributes to the > > issue here. > > > > In the meantime, would you mind trying this with the mount namespace > > feature turned off in /etc/libvirt/qemu.conf like this: > > > > namespaces = [] > > > > Yeah, this will definitely help. So, a short introduction into how > libvirt starts a QEMU guest. It creates a mount namespace so that QEMU > doesn't have access to all the files in the system. In this namespace > (which is per each QEMU process) firstly very few paths are populated > independent of guest configuration (like /dev/null, /dev/random/, > /dev/urandom, etc.) - the full list is accessible here: > > https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu.conf#L565 > > (yes, it's the cgroup_device_acl list - because what you want to enable > in CGroups you want to expose in the namespace) > > Then, the paths from domain XML are created using the following function: > > > https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_namespace.c#L931 > > This function is written in a fashion that allows files to exist and if > needed [1] it simply unlink()-s existing file and creates it from > scratch again. Now, since you configured TPM for your guest with > /dev/urandom as a backend, this node is created twice. The first time > among with other cgroup_device_acl files, the second because of TPM from > your domain config. > > 1: needed is probably a bad word, and in fact we can be more clever > about it. We might check whether given device already exists and if it > has the same MAJ:MIN and act accordingly. The same applies for symlinks. > > Let me see if I can cook up a patch that implements this idea. > > Michal > >
2022-03-14 22:08:06.072+0000: starting up libvirt version: 8.0.0, package: 2.fc36 (Fedora Project, 2022-01-20-17:44:09, ), qemu version: 6.2.0qemu-6.2.0-5.fc36, kernel: 5.17.0-0.rc5.102.fc36.x86_64, hostname: fedora LC_ALL=C \ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ HOME=/var/lib/libvirt/qemu/domain-1-fedora35-6 \ XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-1-fedora35-6/.local/share \ XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-1-fedora35-6/.cache \ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-1-fedora35-6/.config \ /usr/bin/qemu-system-x86_64 \ -name guest=fedora35-6,debug-threads=on \ -S \ -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain-1-fedora35-6/master-key.aes"}' \ -machine pc-q35-6.2,usb=off,vmport=off,dump-guest-core=off,memory-backend=pc.ram \ -accel kvm \ -cpu host,migratable=on \ -m 2048 \ -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":2147483648}' \ -overcommit mem-lock=off \ -smp 2,sockets=2,cores=1,threads=1 \ -uuid e352fbab-eb95-4bdb-a99e-3e19265c40b9 \ -no-user-config \ -nodefaults \ -chardev socket,id=charmonitor,fd=28,server=on,wait=off \ -mon chardev=charmonitor,id=monitor,mode=control \ -rtc base=utc,driftfix=slew \ -global kvm-pit.lost_tick_policy=delay \ -no-hpet \ -no-shutdown \ -global ICH9-LPC.disable_s3=1 \ -global ICH9-LPC.disable_s4=1 \ -boot strict=on \ -device pcie-root-port,port=16,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \ -device pcie-root-port,port=17,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \ -device pcie-root-port,port=18,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \ -device pcie-root-port,port=19,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \ -device pcie-root-port,port=20,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 \ -device pcie-root-port,port=21,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 \ -device pcie-root-port,port=22,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 \ -device pcie-root-port,port=23,chassis=8,id=pci.8,bus=pcie.0,addr=0x2.0x7 \ -device pcie-root-port,port=24,chassis=9,id=pci.9,bus=pcie.0,multifunction=on,addr=0x3 \ -device pcie-root-port,port=25,chassis=10,id=pci.10,bus=pcie.0,addr=0x3.0x1 \ -device pcie-root-port,port=26,chassis=11,id=pci.11,bus=pcie.0,addr=0x3.0x2 \ -device pcie-root-port,port=27,chassis=12,id=pci.12,bus=pcie.0,addr=0x3.0x3 \ -device pcie-root-port,port=28,chassis=13,id=pci.13,bus=pcie.0,addr=0x3.0x4 \ -device pcie-root-port,port=29,chassis=14,id=pci.14,bus=pcie.0,addr=0x3.0x5 \ -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 \ -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 \ -blockdev '{"driver":"file","filename":"/var/lib/libvirt/images/fedora35-6.qcow2","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-2-format","read-only":false,"discard":"unmap","driver":"qcow2","file":"libvirt-2-storage","backing":null}' \ -device virtio-blk-pci,bus=pci.4,addr=0x0,drive=libvirt-2-format,id=virtio-disk0,bootindex=2 \ -blockdev '{"driver":"file","filename":"/home/n/Downloads/Fedora-Workstation-Live-x86_64-35-1.2.iso","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-1-format","read-only":true,"driver":"raw","file":"libvirt-1-storage"}' \ -device ide-cd,bus=ide.0,drive=libvirt-1-format,id=sata0-0-0,bootindex=1 \ -netdev tap,fd=29,id=hostnet0,vhost=on,vhostfd=31 \ -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:33:fd:07,bus=pci.1,addr=0x0 \ -chardev pty,id=charserial0 \ -device isa-serial,chardev=charserial0,id=serial0 \ -chardev socket,id=charchannel0,fd=27,server=on,wait=off \ -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 \ -chardev spicevmc,id=charchannel1,name=vdagent \ -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 \ -device usb-tablet,id=input0,bus=usb.0,port=1 \ -audiodev '{"id":"audio1","driver":"spice"}' \ -spice port=5900,addr=127.0.0.1,disable-ticketing=on,image-compression=off,seamless-migration=on \ -device virtio-vga,id=video0,max_outputs=1,bus=pcie.0,addr=0x1 \ -device ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b \ -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0,audiodev=audio1 \ -chardev spicevmc,id=charredir0,name=usbredir \ -device usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 \ -chardev spicevmc,id=charredir1,name=usbredir \ -device usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 \ -device virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 \ -object '{"qom-type":"rng-random","id":"objrng0","filename":"/dev/urandom"}' \ -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.6,addr=0x0 \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ -msg timestamp=on char device redirected to /dev/pts/1 (label charserial0)