Bug 1211272

Summary: libvirt cannot create guests: Failed to bind socket: Permission denied
Product: Red Hat Enterprise Linux 7 Reporter: Richard W.M. Jones <rjones>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED NOTABUG QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: rbalakri
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-13 13:35:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 910269    
Attachments:
Description Flags
Full log from libguestfs-test-tool none

Description Richard W.M. Jones 2015-04-13 13:30:33 UTC 
Created attachment 1013965 [details]
Full log from libguestfs-test-tool

Description of problem:

Run libguestfs-test-tool in RHEL 7.1:

[...]

libguestfs: [00233ms] launch libvirt guest
libguestfs: error: could not create appliance through libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: internal error: process exited while connecting to monitor: 2015-04-13T13:26:26.646024Z qemu-kvm: -chardev socket,id=charmonitor,path=/home/rjones/.config/libvirt/qemu/lib/guestfs-x1ifcqgcqf6qh3q2.monitor,server,nowait: Failed to bind socket: Permission denied
2015-04-13T13:26:26.646144Z qemu-kvm: -chardev socket,id=charmonitor,path=/home/rjones/.config/libvirt/qemu/lib/guestfs-x1ifcqgcqf6qh3q2.monitor,server,nowait: chardev: opening backend "socket" failed
 [code=1 domain=10]
libguestfs-test-tool: failed to launch appliance

The full output is attached.

Version-Release number of selected component (if applicable):

libvirt-client-1.2.8-16.el7.x86_64
libvirt-daemon-1.2.8-16.el7.x86_64
libvirt-daemon-driver-interface-1.2.8-16.el7.x86_64
libvirt-daemon-driver-network-1.2.8-16.el7.x86_64
libvirt-daemon-driver-nodedev-1.2.8-16.el7.x86_64
libvirt-daemon-driver-nwfilter-1.2.8-16.el7.x86_64
libvirt-daemon-driver-qemu-1.2.8-16.el7.x86_64
libvirt-daemon-driver-secret-1.2.8-16.el7.x86_64
libvirt-daemon-driver-storage-1.2.8-16.el7.x86_64
libvirt-daemon-kvm-1.2.8-16.el7.x86_64
libvirt-devel-1.2.8-16.el7.x86_64
libvirt-docs-1.2.8-16.el7.x86_64
ipxe-roms-qemu-20130517-6.gitc4bce43.el7.noarch
libvirt-daemon-driver-qemu-1.2.8-16.el7.x86_64
qemu-img-1.5.3-86.el7.x86_64
qemu-kvm-1.5.3-86.el7.x86_64
qemu-kvm-common-1.5.3-86.el7.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Install RHEL 7.1.
2. Run libguestfs-test-tool, virt-builder, etc.
Comment 1 Richard W.M. Jones 2015-04-13 13:35:31 UTC 
It turns out this is caused by NFS.  The fix is:

# setsebool -P virt_use_nfs on

---

time->Mon Apr 13 09:32:34 2015
type=SYSCALL msg=audit(1428931954.098:1544): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7ffff02d5930 a2=6e a3=46 items=0 ppid=1 pid=24979 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=45 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c608,c754 key=(null)
type=AVC msg=audit(1428931954.098:1544): avc:  denied  { write } for  pid=24979 comm="qemu-kvm" name="lib" dev="0:36" ino=4195019 scontext=unconfined_u:unconfined_r:svirt_t:s0:c608,c754 tcontext=system_u:object_r:nfs_t:s0 tclass=dir