Bug 1122283

Summary: SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execstack' accesses on a process.
Product: Fedora
Reporter: Elad Alfassa <elad>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: agedosier, berrange, clalancette, cristian.ciupitu, crobinso, dominick.grift, dwalsh, elad, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:ad121b522416f89af33defa195ced1eb523c10cfd21b48eadb1c9b49fc060c2c
Doc Type: Bug Fix
Last Closed: 2014-08-08 15:04:28 UTC

Description Elad Alfassa 2014-07-22 20:37:39 UTC
Description of problem:
Can't run GNOME Boxes VMs. This popped up when I tried. Boxes should work "out of the box" without needing to tweak SELinux booleans.
SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execstack' accesses on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that qemu-system-x86_64 should be allowed execstack access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c103,c599
Target Context                unconfined_u:unconfined_r:svirt_t:s0:c103,c599
Target Objects                Unknown [ process ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-2.1.0-0.4.rc2.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-66.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-0.rc5.git2.2.fc22.x86_64 #1
                              SMP Fri Jul 18 23:04:00 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-22 23:36:10 IDT
Last Seen                     2014-07-22 23:36:10 IDT
Local ID                      7b854396-da35-44a2-a921-84ddc132ecaa

Raw Audit Messages
type=AVC msg=audit(1406061370.507:216): avc:  denied  { execstack } for  pid=15890 comm="qemu-system-x86" scontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tclass=process permissive=0


type=SYSCALL msg=audit(1406061370.507:216): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fff5a9a2000 a1=1000 a2=1000007 a3=7fbf9646ca60 items=0 ppid=1 pid=15890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 key=(null)

Hash: qemu-system-x86,svirt_t,svirt_t,process,execstack

Version-Release number of selected component:
selinux-policy-3.13.1-66.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc5.git2.2.fc22.x86_64
type:           libreport

Potential duplicate: bug 1116519

Comment 1 Daniel Walsh 2014-08-06 22:48:03 UTC
The problem is most qemu users don't need this priv and it is fairly dangerous.

I would argue that changing libvirt to use a different type is the proper way to fix this problem.

Comment 2 Cole Robinson 2014-08-08 14:34:31 UTC
Can you show the libvirt XML (virsh dumpxml $vmname) and /var/log/libvirt/qemu/$vmname.log? libvirt should be handling this correctly already.

Comment 3 Elad Alfassa 2014-08-08 14:42:24 UTC
/var/log/libvirt/qemu is empty.

Here is an example of a VM. This problem affects ALL my gnome-boxes VMs.

<domain type='kvm'>
  <name>boxes-unknown-2</name>
  <uuid>eef07880-c764-4b61-919e-6884a1bbe120</uuid>
  <title>Fedora-Live-Workstation-x86_64-rawhide-20140703 2</title>
  <metadata>
    <boxes:gnome-boxes xmlns:boxes="http://live.gnome.org/Boxes/">
      <os-state>installed</os-state>
      <media>/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso</media>
    </boxes:gnome-boxes>
  </metadata>
  <memory unit='KiB'>2122428</memory>
  <currentMemory unit='KiB'>2122428</currentMemory>
  <vcpu placement='static'>8</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-passthrough'>
    <topology sockets='1' cores='4' threads='2'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/home/elad/.local/share/gnome-boxes/images/boxes-unknown-2'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso' startupPolicy='optional'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='ccid' index='0'/>
    <interface type='bridge'>
      <mac address='52:54:00:22:9c:02'/>
      <source bridge='virbr0'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <smartcard mode='passthrough' type='spicevmc'>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ac97'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Comment 4 Cole Robinson 2014-08-08 14:46:23 UTC
Sorry, that should have been ~/.cache/libvirt/qemu/log/$vmname.log, please provide that as well

Comment 5 Elad Alfassa 2014-08-08 14:51:09 UTC
LC_ALL=C PATH=/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/elad/.local/bin:/home/elad/bin HOME=/home/elad USER=elad LOGNAME=elad QEMU_AUDIO_DRV=spice /usr/bin/qemu-kvm -name boxes-unknown-2 -S -machine pc-i440fx-2.0,accel=kvm,usb=off -cpu host -m 2073 -realtime mlock=off -smp 8,sockets=1,cores=4,threads=2 -uuid eef07880-c764-4b61-919e-6884a1bbe120 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/home/elad/.config/libvirt/qemu/lib/boxes-unknown-2.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -device usb-ccid,id=ccid0 -drive file=/home/elad/.local/share/gnome-boxes/images/boxes-unknown-2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive file=/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso,if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev tap,fd=22,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:22:9c:02,bus=pci.0,addr=0x3 -chardev spicevmc,id=charsmartcard0,name=smartcard -device ccid-card-passthru,chardev=charsmartcard0,id=smartcard0,bus=ccid0.0 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 
-spice port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device AC97,id=sound0,bus=pci.0,addr=0x4 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -chardev spicevmc,id=charredir2,name=usbredir -device usb-redir,chardev=charredir2,id=redir2 -chardev spicevmc,id=charredir3,name=usbredir -device usb-redir,chardev=charredir3,id=redir3 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
Domain id=7 is tainted: host-cpu
/usr/bin/qemu-system-x86_64: error while loading shared libraries: librados.so.2: cannot enable executable stack as shared object requires: Permission denied
2014-08-08 14:50:03.106+0000: shutting down

Comment 6 Cole Robinson 2014-08-08 14:55:26 UTC
Can you do:

  virt-xml --connect qemu:///session --edit --cpu clearxml=yes boxes-unknown-2

Then 

  virsh start boxes-unknown-2

And see if the error persists?

Comment 7 Elad Alfassa 2014-08-08 14:59:50 UTC
Same error:

error: Failed to start domain boxes-unknown-2
error: internal error: process exited while connecting to monitor: /usr/bin/qemu-system-x86_64: error while loading shared libraries: librados.so.2: cannot enable executable stack as shared object requires: Permission denied
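Added example (my own code, not from this report or from the libvirt/qemu projects): the loader message above is decided by the PT_GNU_STACK program header of the offending library, and the 'execstack' denial in the description is glibc's follow-up mprotect of one stack page with PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN (a2=1000007 in the SYSCALL record). The script below reads that header from any little-endian ELF64 file so an administrator can list which shared objects on a host demand an executable stack, and decodes the a2 field of such a record; the sample ELF images are constructed inline.

```python
import struct
import sys

# ELF constants (System V ABI); PROT_* values from <sys/mman.h> on x86-64 Linux
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
PROT_READ, PROT_WRITE, PROT_EXEC, PROT_GROWSDOWN = 1, 2, 4, 0x01000000


def gnu_stack_flags(data: bytes):
    """Return the p_flags of PT_GNU_STACK, or None if no such header exists."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here (assumption)")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_state(data: bytes) -> str:
    """Classify an ELF image the way ld.so decides whether to enable execstack."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "missing"  # glibc on x86 falls back to an executable stack here
    return "executable" if flags & PF_X else "non-executable"


def decode_mprotect_prot(a2_hex: str) -> set:
    """Name the PROT_* bits in the a2 field of an mprotect SYSCALL audit record."""
    prot = int(a2_hex, 16)
    names = {PROT_READ: "PROT_READ", PROT_WRITE: "PROT_WRITE",
             PROT_EXEC: "PROT_EXEC", PROT_GROWSDOWN: "PROT_GROWSDOWN"}
    return {name for bit, name in names.items() if prot & bit}


def build_minimal_elf(flags=None) -> bytes:
    """Constructed sample input: a bare ELF64 header plus one PT_GNU_STACK phdr."""
    phdrs = b"" if flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LSB, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs) // 56, 64, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python execstack_check.py /path/to/lib.so ...  (one line per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{stack_state(fh.read()):15} {path}")
```

A library reporting "executable" here is one the dynamic loader will try to enable execstack for in every process that loads it, which is exactly what svirt_t denies unless virt_use_execmem is set.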

Comment 8 Cole Robinson 2014-08-08 15:04:28 UTC
Thanks for the info. Now that I look at the error I see it's some library messing up, and googling reveals there's another bug tracking the actual culprit.

*** This bug has been marked as a duplicate of bug 1118504 ***