Bug 1145081

Summary: SELinux is preventing /usr/bin/qemu-system-x86_64 from 'open' accesses on the file /tmp/libguestfsf7G3Hr/overlay1.
Product: [Fedora] Fedora Reporter: Alexander Bokovoy <abokovoy>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: abokovoy, agedosier, akurtako, berrange, clalancette, crobinso, dgilbert, dominick.grift, dwalsh, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, mikhail.v.gavrilov, misko.herko, rjones, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:7e75f46e88f6e46a85e26ceb20fbae88684bc45171f4d1190a39431cde31e8cc
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-20 19:48:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
libguestfs-test-tool log none

Description Alexander Bokovoy 2014-09-22 10:50:41 UTC 
Description of problem:
Tried to create new virtual machine using virsh and start it.
SELinux is preventing /usr/bin/qemu-system-x86_64 from 'open' accesses on the file /tmp/libguestfsf7G3Hr/overlay1.

*****  Plugin catchall (100. confidence) suggests   **************************
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c442,c886
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/libguestfsf7G3Hr/overlay1 [ file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-2.1.1-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-82.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.1-301.mst.fc21.x86_64 #1 SMP
                              Tue Aug 26 02:24:06 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-09-22 13:47:13 EEST
Last Seen                     2014-09-22 13:47:13 EEST
Local ID                      5d57d7db-d50c-4eeb-a670-64625d3bc530

Raw Audit Messages
type=AVC msg=audit(1411382833.239:775): avc:  denied  { open } for  pid=21602 comm="qemu-system-x86" path="/tmp/libguestfsf7G3Hr/overlay1" dev="tmpfs" ino=215844 scontext=system_u:system_r:svirt_t:s0:c442,c886 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1411382833.239:775): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2ede02d8d0 a1=80002 a2=0 a3=30 items=0 ppid=1 pid=21602 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c442,c886 key=(null)

Hash: qemu-system-x86,svirt_t,user_tmp_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-82.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.1-301.mst.fc21.x86_64
type:           libreport
Comment 1 Daniel Walsh 2014-09-24 12:48:47 UTC 
I believe this is a livirt issue.  This content should have been relabeled?
Comment 2 Cole Robinson 2014-09-24 14:35:32 UTC 
Rich this is coming from libguestfs, known issue?
Comment 3 Richard W.M. Jones 2014-09-24 15:50:04 UTC 
It's not a known issue.  It is a libvirt labelling issue, I *think*.

I don't really understand what the description means.  'virsh' cannot
create new virtual machines ...  I don't understand where libguestfs
gets involved.

What command(s) did you type which caused this error?

What is the complete output of the following:

  libguestfs-test-tool
Comment 4 Alexander Bokovoy 2014-09-24 16:14:55 UTC 
I'm running

sudo qemu-img create -f qcow2 -b /home/virt/images/Fedora-Cloud-Base-20140915-21_Alpha.x86_64.qcow2 /home/virt/images/dc-f21.ipacloud.test.qcow2 16G

sudo virt-install --name dc-f21.ipacloud.test --ram 1536 --hvm --check-cpu --accelerate --vcpus 2 --connect=qemu:///system --noautoconsole --rng /dev/random --disk path=/home/virt/images/dc-f21.ipacloud.test.qcow2,size=16,bus=virtio --disk path=/home/virt/images/dc-f21.ipacloud.test-cidata.iso,device=cdrom --network network=default,mac=54:52:00:61:2a:a5 --import --force

and then 

  virsh --connect qemu:///system start dc-f21.ipacloud.test

Log for libguestfs-test-tool is being attached.
Comment 5 Alexander Bokovoy 2014-09-24 16:42:23 UTC 
Created attachment 940831 [details]
libguestfs-test-tool log

Output of libguestfs-test-tool is attached
Comment 6 Richard W.M. Jones 2014-09-24 17:26:28 UTC 
(In reply to Alexander Bokovoy from comment #5)
> Created attachment 940831 [details]
> libguestfs-test-tool log
> 
> Output of libguestfs-test-tool is attached

This is all fine - no errors.

I still don't see where the path /tmp/libguestfsXXXXXX/overlay1
can come from.  That *is* a path that is used by libguestfs for
temporary files.

Do you by any chance have virt-manager running at the same time?
That would run libguestfs against the new guest, roughly synchronous
with the guest being created, so that's a possible explanation.

If it turns out to be virt-manager, then there may be sufficient
information in ~/.cache/virt-manager/virt-manager.log and it would
be useful to attach this file.
Comment 7 Alexander Bokovoy 2014-09-25 07:12:39 UTC 
Yes, I do run virt-manager at the same time. I don't see anything suspicious in the log, just messages around the time I tear apart the machine before re-creating it. Sorry for localized messages, I run in a locale different from en_US. "Домен не найден: нет домена с UUID" means "domain not found: no domain with UUID".

[Ср, 24 сен 2014 19:00:53 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-edkau9fv9wdi8yx4 removed
[Ср, 24 сен 2014 19:01:53 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-5gr1xdokvml18zkl status=Работает added
[Ср, 24 сен 2014 19:01:56 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «b9206910-6bfc-428f-87f8-ed0a235cb8b3» (guestfs-5gr1xdokvml18zkl)
Domain might have disappeared, triggering connection tick
[Ср, 24 сен 2014 19:01:56 virt-manager 12330] ERROR (connection:1278) Tick for <vmmDomain object at 0x7f81149547d0 (virtManager+domain+vmmDomain at 0x2a9e800)> failed
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 1276, in _tick
    obj.tick(*args)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1894, in tick
    info = self._backend.info()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1166, in info
    if ret is None: raise libvirtError ('virDomainGetInfo() failed', dom=self)
libvirtError: Домен не найден: нет домена с UUID «b9206910-6bfc-428f-87f8-ed0a235cb8b3» (guestfs-5gr1xdokvml18zkl)
[Ср, 24 сен 2014 19:01:56 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-5gr1xdokvml18zkl removed
[Ср, 24 сен 2014 19:02:56 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-10opq2syxb9es2d0 status=Работает added
[Ср, 24 сен 2014 19:02:59 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «ef074f8a-4ac2-4db8-9f68-d8b4aa058a5e» (guestfs-10opq2syxb9es2d0)
Domain might have disappeared, triggering connection tick
[Ср, 24 сен 2014 19:02:59 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-10opq2syxb9es2d0 removed
[Ср, 24 сен 2014 19:03:59 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-0jwh88ymefr3nk0a status=Работает added
[Ср, 24 сен 2014 19:04:02 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «36570b96-b318-484e-a63c-71401579af24» (guestfs-0jwh88ymefr3nk0a)
Domain might have disappeared, triggering connection tick
[Ср, 24 сен 2014 19:04:02 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-0jwh88ymefr3nk0a removed
[Ср, 24 сен 2014 19:05:02 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-20aslsfjs3kpbk0o status=Работает added
[Ср, 24 сен 2014 19:05:06 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «9b5790be-c20e-4656-b9c8-da6862164a47» (guestfs-20aslsfjs3kpbk0o)
Domain might have disappeared, triggering connection tick
[Ср, 24 сен 2014 19:05:06 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-20aslsfjs3kpbk0o removed
[Ср, 24 сен 2014 19:06:04 virt-manager 12330] DEBUG (domain:1692) domain=dc-f21.ipacloud.test status changed to 5=Выключена
[Ср, 24 сен 2014 19:06:11 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «8f7ff507-0f91-4f7a-ba16-749a3acc2c82» (dc-f21.ipacloud.test)
Domain might have disappeared, triggering connection tick
[Ср, 24 сен 2014 19:06:11 virt-manager 12330] DEBUG (connection:1193) domain=dc-f21.ipacloud.test removed
Comment 8 Richard W.M. Jones 2014-09-28 19:50:56 UTC 
The following bug is similar-ish.  It may not be the same thing:
https://bugzilla.redhat.com/show_bug.cgi?id=1146477#c10
Comment 9 Miroslav Grepl 2015-05-18 08:01:05 UTC 
*** Bug 1221907 has been marked as a duplicate of this bug. ***
Comment 10 Dr. David Alan Gilbert 2015-05-20 09:47:50 UTC 
Description of problem:
Started a qemu instance via virt-manager in usermode
(gruft on #qemu also reported it starting it by hand on rawhide/fc23)

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.3-300.fc22.x86_64
type:           libreport
Comment 11 Dr. David Alan Gilbert 2015-05-20 09:58:29 UTC 
(Mine was I think an unrelated selinux issue with lttng) that got automerged to this.
Comment 12 Cole Robinson 2015-05-20 18:24:53 UTC 
For reference David's report is bug 1221945
Comment 13 Cole Robinson 2015-05-20 18:40:05 UTC 
Tried to reproduce this issue, with python-libguestfs and virt-manager running, then kicking off a virt-install similar to reported in comment #4, but I couldn't reproduce. This is with F22 packages though.

Alexander, are you still seeing this issue?
Comment 14 Alexander Bokovoy 2015-05-20 19:47:38 UTC 
I don't see the any AVC related to virt-manager/libguestfs anymore on Fedora 21.
Comment 15 Cole Robinson 2015-05-20 19:48:42 UTC 
Thanks, closing then. If anyone can still reproduce, please file a new bug report
Comment 16 misko.herko 2015-05-25 10:05:29 UTC 
Description of problem:
Start a VM with windows in gnome-boxes.

Version-Release number of selected component:
selinux-policy-3.13.1-126.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-300.fc22.x86_64
type:           libreport