Bug 1009433

Summary:	SELinux is preventing /usr/bin/qemu-system-x86_64 from 'create' accesses on the rawip_socket .
Product:	[Fedora] Fedora	Reporter:	xihaha400 <xihaha400>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED NOTABUG	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	19	CC:	dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:9ff1d87c2a94709f48c79fa13c20186fbe6cc3cf168cae917b8bbb272933f16a
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-09-18 15:03:55 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description xihaha400 2013-09-18 12:44:17 UTC

Description of problem:
SELinux is preventing /usr/bin/qemu-system-x86_64 from 'create' accesses on the rawip_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If 您要 allow virt to use rawip
Then 您必须启用 'virt_use_rawip' 布尔值告知 SELinux 此情况。
您可以阅读 'None' 手册页面来了解详情。
Do
setsebool -P virt_use_rawip 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If 您确定应默认允许 qemu-system-x86_64 create 访问  rawip_socket。
Then 您应该将这个情况作为 bug 报告。
您可以生成本地策略模块允许这个访问。
Do
请执行以下命令此时允许这个访问：
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:svirt_t:s0:c59,c1017
Target Context                unconfined_u:system_r:svirt_t:s0:c59,c1017
Target Objects                 [ rawip_socket ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <未知>
Host                          (removed)
Source RPM Packages           qemu-system-x86-1.4.2-7.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.10-200.fc19.x86_64 #1 SMP Thu
                              Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-09-13 16:41:51 CST
Last Seen                     2013-09-13 16:41:52 CST
Local ID                      780418e9-9952-49ef-bf6a-a7e1c90cb5d2

Raw Audit Messages
type=AVC msg=audit(1379061712.856:1860): avc:  denied  { create } for  pid=27245 comm="qemu-system-x86" scontext=unconfined_u:system_r:svirt_t:s0:c59,c1017 tcontext=unconfined_u:system_r:svirt_t:s0:c59,c1017 tclass=rawip_socket


type=SYSCALL msg=audit(1379061712.856:1860): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=80002 a2=1 a3=3 items=0 ppid=1 pid=27245 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=unconfined_u:system_r:svirt_t:s0:c59,c1017 key=(null)

Hash: qemu-system-x86,svirt_t,svirt_t,rawip_socket,create

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.11-200.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-09-18 15:03:55 UTC

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If 您要 allow virt to use rawip
Then 您必须启用 'virt_use_rawip' 布尔值告知 SELinux 此情况。
您可以阅读 'None' 手册页面来了解详情。
Do
setsebool -P virt_use_rawip 1