Change in vdsm[master]: lvm: Set libvirt image selinux label on block devices backin...

danken Wed, 01 Oct 2014 03:58:36 -0700

Dan Kenigsberg has submitted this change and it was merged.

Change subject: lvm: Set libvirt image selinux label on block devices backing 
vdsm images
......................................................................



lvm: Set libvirt image selinux label on block devices backing vdsm images

The SELinux sVirt protection for QEMU virtual machines is setup in such
a way that a domain can only access files or devices which are labelled
svirt_image_t label. Libvirt sets this label on block devices backing
images when it starts a vm.

On Fedora 19, 20 and EL 7, the selinux label on the block device is lost
after refreshing a logical volume.  The root cause of this issue is
systemd-udevd, trying to "preserve" the selinux label upon device change
event.

Loosing the selinux label causes the vm to pause. The only way to use
the vm is to restart the vm.  Practically, this breaks thin provisioning
on block storage, since after each automatic extend, a logical volume
must be refreshed.

This patch adds a temporary hack, by updating vdsm lvm rules to set the
libvirt image selinux label on vdsm images. This change should be
reverted when a fix is available in systemd-udevd.

This hack is enabled by default only for EL7, since we hope to get a
fix for systemd-udevd soon for Fedora.

To enable this hack on other platforms:

    ./configure --enable-chcon-hack

Change-Id: I95f85c7b548b2c058693b20b1fa177714a6e1a10
Bug-Url: https://bugzilla.redhat.com/1127460
Releates-To: https://bugzilla.redhat.com/1147910
Signed-off-by: Nir Soffer <nsof...@redhat.com>
Reviewed-on: http://gerrit.ovirt.org/33492
Reviewed-by: Dan Kenigsberg <dan...@redhat.com>
Reviewed-by: Federico Simoncelli <fsimo...@redhat.com>
---
M configure.ac
M vdsm.spec.in
M vdsm/storage/Makefile.am
R vdsm/storage/vdsm-lvm.rules.tpl.in
4 files changed, 52 insertions(+), 3 deletions(-)

Approvals:
  Nir Soffer: Verified
  Federico Simoncelli: Looks good to me, but someone else must approve
  Dan Kenigsberg: Looks good to me, approved



-- 
To view, visit http://gerrit.ovirt.org/33492
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I95f85c7b548b2c058693b20b1fa177714a6e1a10
Gerrit-PatchSet: 8
Gerrit-Project: vdsm
Gerrit-Branch: master
Gerrit-Owner: Nir Soffer <nsof...@redhat.com>
Gerrit-Reviewer: Allon Mureinik <amure...@redhat.com>
Gerrit-Reviewer: Dan Kenigsberg <dan...@redhat.com>
Gerrit-Reviewer: Federico Simoncelli <fsimo...@redhat.com>
Gerrit-Reviewer: Francesco Romani <from...@redhat.com>
Gerrit-Reviewer: Nir Soffer <nsof...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
_______________________________________________
vdsm-patches mailing list
vdsm-patches@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/vdsm-patches

Change in vdsm[master]: lvm: Set libvirt image selinux label on block devices backin...

Reply via email to