Bug
Resolution: Unresolved
Normal
rhel-10.0.beta
What were you trying to do that didn't work?
VM migration fails with an ssh desturi when SELinux is enabled.
Please provide the package NVR for which the bug is seen:
libvirt-10.5.0-5.el10.x86_64
qemu-kvm-9.0.0-6.el10.x86_64
selinux-policy-40.13.7-1.el10.noarch
swtpm-0.9.0-2.el10.x86_64
swtpm-selinux-0.9.0-2.el10.noarch
How reproducible:
100%
Steps to reproduce:
1. Prepare the source host and the target host, and copy the source host's SSH public key to the target host.
2. Prepare a VM on the source host and start it.
3. Prepare the port.
# firewall-cmd --add-port=49152/tcp --zone=public --permanent
# firewall-cmd --reload
4. Migrate the VM.
# virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain avocado-vt-vm1 --desturi qemu+ssh://{target ip}/system
error: Cannot recv data: libvirt: error : cannot execute binary ssh: Permission denied: Connection reset by peer
5. Audit log.
# ausearch -m avc
----
time->Mon Aug 12 03:03:11 2024
type=PROCTITLE msg=audit(1723446191.400:36196): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1723446191.400:36196): arch=c000003e syscall=16 success=yes exit=0 a0=1a a1=400454ca a2=7f0b073ff060 a3=0 items=0 ppid=1 pid=194566 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1723446191.400:36196): avc: denied { relabelto } for pid=194566 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1723446191.400:36196): avc: denied { relabelfrom } for pid=194566 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
----
time->Mon Aug 12 03:03:11 2024
type=PROCTITLE msg=audit(1723446191.463:36213): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1723446191.463:36213): arch=c000003e syscall=188 success=yes exit=0 a0=7f0af0043e60 a1=7f0b0fb46197 a2=7f0af0044070 a3=2d items=0 ppid=194566 pid=194693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1723446191.463:36213): avc: denied { relabelfrom } for pid=194693 comm="rpc-virtqemud" name="jeos-27-x86_64.qcow2" dev="dm-0" ino=204209344 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Mon Aug 12 03:03:11 2024
type=PROCTITLE msg=audit(1723446191.463:36214): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1723446191.463:36214): arch=c000003e syscall=188 success=yes exit=0 a0=7f0af0034340 a1=7f0b0fb46197 a2=7f0af003a370 a3=2d items=0 ppid=194566 pid=194693 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1723446191.463:36214): avc: denied { relabelfrom } for pid=194693 comm="rpc-virtqemud" name="1-avocado-vt-vm1-swtpm.sock" dev="tmpfs" ino=39693 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
Expected results:
VM migration succeeds.
Actual results:
VM migration fails.
Additional info:
In permissive mode, VM migration succeeds.
# getenforce
Permissive
# virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain avocado-vt-vm1 --desturi qemu+ssh://{target ip}/system
Migration: [100.00 %]
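
To triage the audit log from step 5, the denials can be grouped by source type, target type and object class, and the hex-encoded proctitle decoded. This is an added example, not part of the original report: the function names are hypothetical, and the sample lines are copied from the log above with the SYSCALL records omitted.

```python
import re
from collections import defaultdict

# PROCTITLE and AVC records copied from the report's audit log (SYSCALL omitted).
SAMPLE = """\
type=PROCTITLE msg=audit(1723446191.400:36196): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1723446191.400:36196): avc: denied { relabelto } for pid=194566 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1723446191.400:36196): avc: denied { relabelfrom } for pid=194566 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1723446191.463:36213): avc: denied { relabelfrom } for pid=194693 comm="rpc-virtqemud" name="jeos-27-x86_64.qcow2" dev="dm-0" ino=204209344 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1723446191.463:36214): avc: denied { relabelfrom } for pid=194693 comm="rpc-virtqemud" name="1-avocado-vt-vm1-swtpm.sock" dev="tmpfs" ino=39693 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(hexstr):
    """auditd hex-encodes argv with NUL separators; return it as a list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def parse_avcs(text):
    """Yield one dict per AVC denial with its permissions and key=value fields."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        rec["perms"] = m.group(1).split()
        # A context is user:role:type:level; policy rules are written on the type.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        yield rec

def summarize(text):
    """Map (source type, target type, class) -> denied perms and enforcement."""
    out = defaultdict(lambda: {"perms": set(), "enforced": False})
    for r in parse_avcs(text):
        entry = out[(r["stype"], r["ttype"], r["tclass"])]
        entry["perms"].update(r["perms"])
        # permissive=1 means the access was logged but still allowed.
        if r.get("permissive") == "0":
            entry["enforced"] = True
    return dict(out)

if __name__ == "__main__":
    print(decode_proctitle(SAMPLE.split("proctitle=")[1].split()[0]))
    for key, val in summarize(SAMPLE).items():
        print(key, sorted(val["perms"]), "enforced" if val["enforced"] else "permissive")
```

Every record in this capture carries permissive=1, so none of the listed accesses was actually blocked when the log was taken.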