Bug 1400565

Summary: selinux-policy is preventing start of virtual machines
Product: [Fedora] Fedora
Component: selinux-policy
Version: 25
Reporter: Jakub Jelen <jjelen>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
CC: dhgutteridge, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, robert.hancock, ssekidde
Fixed In Version: selinux-policy-3.13.1-225.1.fc25
Last Closed: 2016-12-08 18:22:16 UTC
Type: Bug

Description Jakub Jelen 2016-12-01 13:56:28 UTC
Description of problem:
Start of the virtual machine fails

Version-Release number of selected component (if applicable):
systemd-231-10.fc25.x86_64
selinux-policy-3.13.1-225.fc25.noarch
virt-manager-1.4.0-4.fc25.noarch

How reproducible:
always

Steps to Reproduce:
1. Try to start virtual machine in virt-manager

Actual results:
Errors below, USER_AVCs

Expected results:
Running virtual machine

Additional info:
### Error from virt-manager:
Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.

### AVCs:
----
time->Thu Dec  1 14:44:10 2016
type=USER_AVC msg=audit(1480599850.217:4718): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/machine-qemu\x2d4\x2dfedora26.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Dec  1 14:51:04 2016
type=USER_AVC msg=audit(1480600264.196:4790): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/machine-qemu\x2d6\x2drhel6.8.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
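
A triage sketch for the USER_AVC records above, added here as an example and not part of the original report. It parses the inner denial, reduces scontext and tcontext to their type fields, decodes the systemd-escaped unit name, and groups repeated denials. The function names are hypothetical; the two records are copied verbatim from the report.

```python
import re
from collections import defaultdict

# Both USER_AVC records copied verbatim from the report above.
RECORDS = [
    r"""type=USER_AVC msg=audit(1480599850.217:4718): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/machine-qemu\x2d4\x2dfedora26.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'""",
    r"""type=USER_AVC msg=audit(1480600264.196:4790): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/transient/machine-qemu\x2d6\x2drhel6.8.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'""",
]

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

def unescape_unit(name):
    """Undo systemd's \\xNN unit-name escaping (\\x2d is '-')."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), name)

def parse_user_avc(line):
    """Return a dict describing one USER_AVC denial, or None for other records."""
    denied = DENIED_RE.search(line)
    if not line.startswith("type=USER_AVC") or denied is None:
        return None
    # Parse only the inner message, so the outer subj=/pid= fields of the
    # reporting process (systemd, init_t) are not mistaken for the requester.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[denied.end():])}
    return {
        "perms": tuple(denied.group(1).split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "unit": unescape_unit(fields.get("path", "").rsplit("/", 1)[-1]),
    }

def group_denials(lines):
    """Map (source_type, target_type, tclass, perms) -> affected unit names."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_user_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"])
            groups[key].append(rec["unit"])
    return dict(groups)

if __name__ == "__main__":
    for key, units in group_denials(RECORDS).items():
        print(key, units)
```

Both records collapse to a single denial tuple, which shows that each VM start attempt hit the same rule rather than two separate policy gaps.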

Comment 1 David H. Gutteridge 2016-12-01 21:08:54 UTC
I'm seeing the same issue. (I've reverted to selinux-policy-3.13.1-224.fc25.noarch.)

Comment 2 Robert Hancock 2016-12-05 16:00:31 UTC
Saw the same regression. Had to roll back to selinux-policy-3.13.1-224.fc25.noarch. Not sure why this has been marked as fixed in 3.13.1-225.fc25 when that was the version that introduced the error.

Comment 3 Jakub Jelen 2016-12-05 16:08:07 UTC
(In reply to Robert Hancock from comment #2)
> Saw the same regression. Had to roll back to
> selinux-policy-3.13.1-224.fc25.noarch. Not sure why this has been marked as
> fixed in 3.13.1-225.fc25 when that was the version that introduced the error.

Note the 225.1 in the "selinux-policy-3.13.1-225.1.fc25"

Comment 4 Fedora Update System 2016-12-05 17:01:37 UTC
selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 5 David H. Gutteridge 2016-12-05 20:06:45 UTC
Confirming selinux-policy-3.13.1-225.1.fc25 fixes the issue for me.

Comment 6 Fedora Update System 2016-12-07 02:25:14 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 7 Fedora Update System 2016-12-08 18:22:16 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.