Bug 1132467

Summary: policy blocking gnome-boxes vm creation
Product: Fedora
Component: libvirt
Version: 21
Reporter: Vladimir Benes <vbenes>
Assignee: Libvirt Maintainers <libvirt-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2014-08-21 16:32:51 UTC
CC: agedosier, berrange, clalancette, crobinso, dominick.grift, dwalsh, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, veillard, virt-maint

Description Vladimir Benes 2014-08-21 12:10:21 UTC
Description of problem:

SELinux is preventing qemu-system-x86 from using the execstack access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-72.fc21.noarch
gnome-boxes-3.13.4-1.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. Open gnome-boxes
2. Create any VM from an image

Actual results:
selinux blocks it

Expected results:
should work

Additional info:
setenforce=0 helps here :-)

Comment 1 Daniel Walsh 2014-08-21 12:20:20 UTC
Did you try the suggested fix?

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

The problem is libvirt is not using libvirt-kvm for creating the VM and other tooling requires execmem.

libvirt should choose a different label for launching a virtual machine that is not using -kvm.

svirt_tgt_t for example, which is allowed execmem and execstack out of the box.


Currently we ship virtual_domain_context file which includes two types.
cat /etc/selinux/targeted/contexts/virtual_domain_context 
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0

libvirt is choosing the svirt_t (first type) which does not allow the execmem execstack.  If it chose the second for this type of VM the problem would go away.
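
A check for the mismatch Dan describes, added here as an example (it is not code from the bug report or from libvirt): given `ps -eo label,args` output and the virtual_domain_context file quoted above, it flags qemu processes whose SELinux type does not match the accelerator they were started with. It assumes the accelerator can be read from the qemu command line (`-enable-kvm` or `accel=kvm`) and that the first listed type is for KVM guests and the second for TCG guests; the process listing is constructed sample data.

```python
import re

# Contents of /etc/selinux/targeted/contexts/virtual_domain_context, as quoted
# in comment 1: libvirt picks the first type by default.
VIRTUAL_DOMAIN_CONTEXT = """system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0
"""

# Constructed sample of `ps -eo label,args` output (not taken from the bug).
# The second guest is the case this bug describes: a software-emulated (TCG)
# guest running as svirt_t, which lacks execmem/execstack.
PS_OUTPUT = """LABEL                                    COMMAND
system_u:system_r:svirt_t:s0:c12,c34     /usr/bin/qemu-system-x86_64 -name kvmguest -enable-kvm -m 1024
system_u:system_r:svirt_t:s0:c56,c78     /usr/bin/qemu-system-x86_64 -name tcgguest -machine pc,accel=tcg -m 512
system_u:system_r:svirt_tcg_t:s0:c9,c10  /usr/bin/qemu-system-x86_64 -name tcgok -m 512
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/bin/bash
"""

def domain_types(context_file):
    """Return the SELinux types listed in a virtual_domain_context file, in order."""
    return [line.split(":")[2] for line in context_file.splitlines() if line.strip()]

def uses_kvm(cmdline):
    """True if the qemu command line requests the KVM accelerator."""
    return "-enable-kvm" in cmdline.split() or re.search(r"accel=\S*\bkvm\b", cmdline) is not None

def expected_type(cmdline, types):
    # Assumption for this example: the first listed type (svirt_t) is meant for
    # KVM guests and the second (svirt_tcg_t) for TCG guests, as comment 1 says.
    return types[0] if uses_kvm(cmdline) else types[1]

def mislabelled_guests(ps_output, context_file):
    """Return (guest name, actual type, expected type) for each mislabelled qemu process."""
    types = domain_types(context_file)
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the LABEL/COMMAND header row
        parts = line.split(None, 1)
        if len(parts) != 2 or "qemu-system" not in parts[1]:
            continue
        label, cmdline = parts
        actual = label.split(":")[2]  # type field of user:role:type:range
        want = expected_type(cmdline, types)
        if actual != want:
            name = re.search(r"-name (\S+)", cmdline)
            findings.append((name.group(1) if name else "?", actual, want))
    return findings

if __name__ == "__main__":
    print(mislabelled_guests(PS_OUTPUT, VIRTUAL_DOMAIN_CONTEXT))
```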

Comment 2 Daniel Walsh 2014-08-21 12:21:08 UTC
Vladimir, could you include the AVC information, so that we could verify the qemu process that libvirt is launching.

Comment 3 Miroslav Grepl 2014-08-21 12:25:15 UTC
As Dan wrote above, we created svirt_tcg_t for this purpose and we have

allow svirt_tcg_t self:process { execmem execstack };

in the policy by default.

Comment 4 Cole Robinson 2014-08-21 16:32:51 UTC
Pretty sure it's the librados issue

*** This bug has been marked as a duplicate of bug 1118504 ***