Dan Kenigsberg has submitted this change and it was merged.
Change subject: lvm: Set libvirt image selinux label on block devices backing vdsm images
......................................................................
lvm: Set libvirt image selinux label on block devices backing vdsm images
The SELinux sVirt protection for QEMU virtual machines is set up in such
a way that a domain can only access files or devices which are labelled
svirt_image_t label. Libvirt sets this label on block devices backing
images when it starts a vm.
On Fedora 19, 20 and EL 7, the selinux label on the block device is lost
after refreshing a logical volume. The root cause of this issue is
systemd-udevd, trying to "preserve" the selinux label upon device change
event.
Losing the selinux label causes the vm to pause. The only way to use
the vm is to restart the vm. Practically, this breaks thin provisioning
on block storage, since after each automatic extend, a logical volume
must be refreshed.
This patch adds a temporary hack, by updating vdsm lvm rules to set the
libvirt image selinux label on vdsm images. This change should be
reverted when a fix is available in systemd-udevd.
This hack is enabled by default only for EL7, since we hope to get a
fix for systemd-udevd soon for Fedora.
To enable this hack on other platforms:
./configure --enable-chcon-hack
Change-Id: I95f85c7b548b2c058693b20b1fa177714a6e1a10
Bug-Url: https://bugzilla.redhat.com/1127460
Relates-To: https://bugzilla.redhat.com/1147910
Signed-off-by: Nir Soffer <[email protected]>
Reviewed-on: http://gerrit.ovirt.org/33492
Reviewed-by: Dan Kenigsberg <[email protected]>
Reviewed-by: Federico Simoncelli <[email protected]>
---
M configure.ac
M vdsm.spec.in
M vdsm/storage/Makefile.am
R vdsm/storage/vdsm-lvm.rules.tpl.in
4 files changed, 52 insertions(+), 3 deletions(-)
Approvals:
Nir Soffer: Verified
Federico Simoncelli: Looks good to me, but someone else must approve
Dan Kenigsberg: Looks good to me, approved
--
To view, visit http://gerrit.ovirt.org/33492
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I95f85c7b548b2c058693b20b1fa177714a6e1a10
Gerrit-PatchSet: 8
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Nir Soffer <[email protected]>
Gerrit-Reviewer: Allon Mureinik <[email protected]>
Gerrit-Reviewer: Dan Kenigsberg <[email protected]>
Gerrit-Reviewer: Federico Simoncelli <[email protected]>
Gerrit-Reviewer: Francesco Romani <[email protected]>
Gerrit-Reviewer: Nir Soffer <[email protected]>
Gerrit-Reviewer: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
vdsm-patches mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches
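The commit message above describes the symptom (the svirt_image_t type disappearing from a logical volume's device node after an lvm refresh) and the workaround (a udev rule that puts the label back). The following shell snippet is an added example, not code from the vdsm patch or the oVirt project: it shows how an operator could verify whether a device still carries the label libvirt expects and reapply it only when it is missing. It assumes GNU coreutils (stat -c %C prints a file's SELinux context, chcon -t changes its type); the context strings in the comments are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the vdsm change): detect and repair a lost
# sVirt image label on a block device backing a VM image.

# Extract the SELinux type from a context string of the form
# user:role:type:level, e.g. "system_u:object_r:svirt_image_t:s0:c12,c34"
# (constructed sample) yields "svirt_image_t".
selinux_type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) only when the context carries the type libvirt sets on
# devices it hands to a QEMU domain.
has_svirt_image_label() {
    [ "$(selinux_type_of_context "$1")" = "svirt_image_t" ]
}

# Classify a context string: "ok" if the sVirt label is intact, "relabel"
# if the device would pause the VM on next access and needs chcon.
classify_context() {
    if has_svirt_image_label "$1"; then
        echo ok
    else
        echo relabel
    fi
}

# Read the live context of a device node (GNU stat: %C = SELinux context)
# and restore the label if it was lost. Without RELABEL=1 this only
# reports what it would do, so it can be run safely as a health check.
restore_svirt_label() {
    dev=$1
    ctx=$(stat -c '%C' "$dev") || return 1
    case "$(classify_context "$ctx")" in
        ok)
            echo "$dev: label intact ($ctx)"
            ;;
        relabel)
            if [ "${RELABEL:-0}" = "1" ]; then
                chcon -t svirt_image_t "$dev"
            else
                echo "$dev: label lost ($ctx); would run: chcon -t svirt_image_t $dev"
            fi
            ;;
    esac
}

# Usage (requires an existing device; path is a placeholder):
# restore_svirt_label /dev/<vg>/<lv>
# RELABEL=1 restore_svirt_label /dev/<vg>/<lv>
```

Note that reapplying the type by hand is the same class of workaround the commit describes: it restores the label udev dropped, but the device will lose it again on the next change event until the rule in vdsm-lvm.rules (or the eventual systemd-udevd fix) is in place, so the check is most useful for confirming whether a paused VM was caused by this issue.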