Bug 1285459

Summary: SELinux is preventing qemu-system-x86 from read access on new VM
Product: [Fedora] Fedora
Reporter: Patrick Laimbock <patrick>
Component: virt-manager
Assignee: Cole Robinson <crobinso>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: high
Version: 23
CC: berrange, crobinso, dominick.grift, dwalsh, lvrabec, mgrepl, patrick, plautrba, tim, virt-maint
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-03-30 09:27:40 UTC
Type: Bug

Description Patrick Laimbock 2015-11-25 16:14:08 UTC
Description of problem:
When creating a new VM with virt-manager, starting the VM hangs with a black screen because SELinux is preventing qemu-system-x86 from read access to the new VM, possibly because of a wrong "svirt_image_t" label.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-155.fc23.noarch
selinux-policy-targeted-3.13.1-155.fc23.noarch

virt-manager-1.2.1-3.fc23.noarch
virt-manager-common-1.2.1-3.fc23.noarch

ipxe-roms-qemu-20150407-3.gitdc795b9f.fc23.noarch
libvirt-daemon-driver-qemu-1.2.18.1-2.fc23.x86_64
libvirt-daemon-qemu-1.2.18.1-2.fc23.x86_64
qemu-2.4.1-1.fc23.x86_64
qemu-common-2.4.1-1.fc23.x86_64
qemu-guest-agent-2.4.1-1.fc23.x86_64
qemu-img-2.4.1-1.fc23.x86_64
qemu-kvm-2.4.1-1.fc23.x86_64


How reproducible:
Open virt-manager, select File -> New Virtual Machine
Select PXE boot with defaults for the rest and when installation starts a new VM window pops up which is black. An SELinux notification pops up with these details:

SELinux is preventing qemu-system-x86 from read access on the file zzz.qcow2.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed read access on the zzz.qcow2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c41,c601
Target Context                system_u:object_r:svirt_image_t:s0:c205,c554
Target Objects                zzz.qcow2 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          plato.just.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     plato.just.local
Platform                      Linux plato.just.local 4.2.6-300.fc23.x86_64 #1
                              SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-25 15:52:58 CET
Last Seen                     2015-11-25 15:52:58 CET
Local ID                      9e3ebca0-5704-43ca-9afd-46ed26f93906

Raw Audit Messages
type=AVC msg=audit(1448463178.162:4595): avc:  denied  { read } for  pid=5302 comm="qemu-system-x86" name="zzz.qcow2" dev="md127" ino=36700175 scontext=unconfined_u:unconfined_r:svirt_t:s0:c41,c601 tcontext=system_u:object_r:svirt_image_t:s0:c205,c554 tclass=file permissive=0

Hash: qemu-system-x86,svirt_t,svirt_image_t,file,read


Steps to Reproduce:
1. open virt-manager
2. create a new VM with PXE boot and defaults for the rest
3. on installation get a VM window that's black and stays like that forever

Actual results:
Failure to create a new VM

Expected results:
Successful creation of VM

Additional info:
The box running F23 x86_64 was installed from the Live iso image and subsequently updated. If you have any questions please let me know. Thanks!
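
Added example, not part of the original report or of any project's code: a triage script for sVirt AVC denials like the one quoted above. In that record the target type is the expected `svirt_image_t`, but the MCS categories of the process (`c41,c601`) and of the image (`c205,c554`) differ; sVirt gives each running VM its own category pair and labels its disk images to match. The function names and verdict strings are hypothetical.

```python
import re

# AVC record copied from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1448463178.162:4595): avc:  denied  { read } for  pid=5302 '
    'comm="qemu-system-x86" name="zzz.qcow2" dev="md127" ino=36700175 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c41,c601 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c205,c554 tclass=file permissive=0')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]*)".*?'
    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')

def expand_categories(cats):
    """Expand an MCS category list ('c41,c601' or 'c0.c3') into a set of ints."""
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        first, last = int(lo[1:]), int((hi or lo)[1:])
        out.update(range(first, last + 1))
    return out

def parse_context(ctx):
    """Split user:role:type:level; for a range (s0-s0:c0.c1023) keep the high level."""
    _user, _role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.split("-")[-1].partition(":")
    return {"type": setype, "sens": sens, "cats": expand_categories(cats)}

def diagnose(line):
    """Parse one AVC denial; return its fields and a verdict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, comm, scon, tcon, tclass = m.groups()
    src, tgt = parse_context(scon), parse_context(tcon)
    # Categories on the target that the source process does not hold.
    missing = tgt["cats"] - src["cats"]
    verdict = "mcs-category-mismatch" if missing else "not-mcs"
    return {"comm": comm, "perms": perms.split(), "tclass": tclass,
            "source_type": src["type"], "target_type": tgt["type"],
            "missing_categories": missing, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC))
```

A `mcs-category-mismatch` verdict points at the image's label (stale from another VM, or shared between VMs) rather than at missing policy, so it should be checked before generating a local `audit2allow` module.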

Comment 1 Lukas Vrabec 2016-03-16 14:54:11 UTC
virt-manager folks, 
Do we know what's going on here? 

Thank you.

Comment 2 Cole Robinson 2016-03-16 22:06:36 UTC
Where is zzz.qcow2 stored?
Is that file being used by other VMs as well?

Comment 3 Patrick Laimbock 2016-03-30 09:27:40 UTC
The test box where this occurred was unfortunately repurposed. The issue could not be reproduced on a fresh F23 box with latest updates. Closing.