Bug 1369199

Summary: VM can't be started because of selinux
Product: [Fedora] Fedora
Reporter: jniederm
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 24
CC: agedosier, berrange, clalancette, dominick.grift, dwalsh, itamar, jan.public, jdenemar, jtfas90, laine, libvirt-maint, lvrabec, mattias.ellert, mgrepl, pkliczew, plautrba, vashirov, veillard, virt-maint
Keywords: Regression
Last Closed: 2016-08-23 11:04:01 UTC
Type: Bug
Attachments: update info.txt

Description jniederm 2016-08-22 16:10:42 UTC
Created attachment 1192967: update info.txt

Description of problem:
VMs can't be started either from the virt-manager GUI or from virsh because of SELinux. The problem appeared after an update and reboot (see attachments for update description).

Version-Release number of selected component (if applicable):
libvirt-daemon.x86_64                     1.3.3.2-1.fc24                @updates
selinux-policy.noarch                     3.13.1-191.12.fc24            @updates
selinux-policy-targeted.noarch            3.13.1-191.12.fc24            @updates
systemd-container.x86_64                  229-13.fc24                   @updates
virt-manager.noarch                       1.4.0-3.fc24                  @updates

How reproducible:
100%

Steps to Reproduce:
1. Make sure there is a working VM in virt-manager
2. Start the vm in virt-manager

Actual results:
Error popup "Selinux policy denies access" with python stacktrace:
Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.



Expected results:
VM started

Additional info:

Comment 1 jniederm 2016-08-22 16:14:32 UTC
from /var/log/audit/audit.log:

type=USER_AVC msg=audit(1471881821.995:560): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 2 Jiri Denemark 2016-08-22 18:40:36 UTC
*** Bug 1368959 has been marked as a duplicate of this bug. ***

Comment 3 Jiri Denemark 2016-08-22 18:45:09 UTC
Apparently, things broke after selinux-policy had been updated; libvirt was not updated at all.

Comment 4 Daniel Walsh 2016-08-23 09:20:57 UTC
Try turning off the dontaudit rules

semodule -DB

And try again. Then check the AVCs to see if there is anything related to virt or qemu.

Turn the dontaudit rules back on with:

semodule -B
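
Added example, not part of the original report or of any commenter's tooling: a small Python parser for the denial format quoted in Comment 1, for sorting through the extra AVCs that show up after `semodule -DB` as described in Comment 4. The function names, the keyword filter, and the second and third sample lines are constructed for illustration.

```python
import re

# Line 1 is the USER_AVC record quoted in Comment 1. Lines 2 and 3 are
# constructed for contrast (a kernel AVC and a non-AVC record).
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1471881821.995:560): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1471881900.101:571): avc:  denied  { read open } for  pid=2211 comm="qemu-system-x86" name="disk.img" dev="dm-1" ino=1234 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1471881901.000:572): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=example comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
# Kernel AVC and userspace USER_AVC records share this inner layout.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)
# Requesting process: cmdline= in USER_AVC, comm= in kernel AVC.
WHO_RE = re.compile(r'\b(?:cmdline|comm)="([^"]*)"')


def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC/USER_AVC denial found in audit.log text."""
    out = []
    for line in text.splitlines():
        head, denial = HEADER_RE.match(line), DENIAL_RE.search(line)
        if not head or not denial or head.group(1) not in ("AVC", "USER_AVC"):
            continue
        who = WHO_RE.search(line)
        out.append({
            "record": head.group(1), "serial": int(head.group(3)),
            "perms": denial.group(1).split(), "tclass": denial.group(4),
            "source": selinux_type(denial.group(2)),
            "target": selinux_type(denial.group(3)),
            "who": who.group(1) if who else None,
        })
    return out


def related(denials, *needles):
    """Keep denials whose source, target or command mentions any needle."""
    def text(d):
        return f'{d["source"]} {d["target"]} {d["who"] or ""}'.lower()
    return [d for d in denials if any(n in text(d) for n in needles)]
```

On this sample, `related(parse_denials(SAMPLE_LOG), "machined")` returns the record from Comment 1, while the keywords `"virt"` and `"qemu"` select only the constructed kernel AVC.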

Comment 5 Jan Vlug 2016-08-23 10:01:50 UTC
Duplicate of bug 1368745?

Comment 6 Daniel Walsh 2016-08-23 11:04:01 UTC

*** This bug has been marked as a duplicate of bug 1368745 ***