Bug 515547

Summary: libvirt fails to start guest - Failed to set security label
Product: [Fedora] Fedora
Reporter: Mark McLoughlin <markmc>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: rawhide
CC: berrange, clalance, crobinso, dwalsh, eparis, itamar, jkubin, mgrepl, veillard, virt-maint
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-08-05 21:00:54 UTC
Bug Blocks: 498968    

Description Mark McLoughlin 2009-08-04 17:49:29 UTC
Not sure what's changed here, but with libvirt-0.7.0 snapshot from rawhide, I'm seeing this:

  error: Failed to start domain rawhide-2009-05-12
  error: internal error unable to start guest: libvir: Security Labeling error :
  SELinuxSetFilecon: unable to set security context
  'system_u:object_r:svirt_image_t:s0:c189,c564' on
  /var/lib/libvirt/images/rawhide.img: No such file or directory.
  libvir: QEMU error : internal error Failed to set security label

  type=SYSCALL msg=audit(1249407382.238:173): arch=c000003e syscall=188
  success=no exit=-13 a0=cdbfa0 a1=7f9274a01b19 a2=7f92540cd8f0 a3=2d items=0
  ppid=1689 pid=16179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
  sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd"
  exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(1249407382.238:173): avc:  denied  { associate } for
  pid=16179 comm="libvirtd" name="rawhide.img" dev=dm-0 ino=3466671
  scontext=system_u:object_r:svirt_image_t:s0:c189,c564
  tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Similar error when trying to kick off a new install with virt-install

Comment 1 Mark McLoughlin 2009-08-05 16:11:30 UTC
Here's what I'm seeing in strace:

  setxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux",
  "system_u:object_r:svirt_image_t:s0:c563,c596", 45, 0)
           = -1 EACCES (Permission denied)
  getxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux", 
           "system_u:object_r:virt_image_t:s0", 255) = 34
  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 3
  connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) 
          = -1 ENOENT (No such file or directory)

i.e. setxattr() is returning EACCES, the ENOENT comes later
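
An added example, not part of the original comments or of libvirt: it pairs the SYSCALL and AVC records from the description by audit event serial and decodes them, showing that the audit log already recorded the failing setxattr() with EACCES and an `associate` denial between the requested file type and the filesystem type. The one-entry syscall table and the function names are assumptions made for this illustration.

```python
import errno
import re

# Audit records from the bug description, line wraps rejoined.
AUDIT_LOG = '''\
type=SYSCALL msg=audit(1249407382.238:173): arch=c000003e syscall=188 success=no exit=-13 a0=cdbfa0 a1=7f9274a01b19 a2=7f92540cd8f0 a3=2d items=0 ppid=1689 pid=16179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1249407382.238:173): avc:  denied  { associate } for  pid=16179 comm="libvirtd" name="rawhide.img" dev=dm-0 ino=3466671 scontext=system_u:object_r:svirt_image_t:s0:c189,c564 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
'''
# x86_64 (arch=c000003e) syscall numbers; only the entry this report needs.
X86_64_SYSCALLS = {188: "setxattr"}
HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event serial so SYSCALL and AVC line up."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault(int(serial), {})[rtype] = rec
    return events

def summarize(event):
    """Decode the syscall name, errno and SELinux types of one event."""
    sc, avc = event["SYSCALL"], event["AVC"]
    known = sc["arch"] == "c000003e"  # table above is x86_64 only
    return {
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"])) if known else None,
        "errno": errno.errorcode[-int(sc["exit"])],
        "perms": avc["perms"],
        "new_type": avc["scontext"].split(":")[2],  # label being written
        "fs_type": avc["tcontext"].split(":")[2],   # label of the filesystem
        "tclass": avc["tclass"],
    }

def is_fs_associate_denial(s):
    """True when the new file type may not be associated with the fs type."""
    return s["tclass"] == "filesystem" and "associate" in s["perms"]

if __name__ == "__main__":
    for serial, ev in parse_events(AUDIT_LOG).items():
        print(serial, summarize(ev), is_fs_associate_denial(summarize(ev)))
```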

Comment 2 Eric Paris 2009-08-05 18:03:46 UTC
What kind of fs is /var/lib/libvirt/images?

Comment 3 Mark McLoughlin 2009-08-05 20:25:17 UTC
It's just my ext3 root fs on an LVM volume

danpb and I discussed this briefly earlier and we can't see what changed in libvirt to cause this; could it be a policy regression?

Comment 4 Daniel Walsh 2009-08-05 21:00:54 UTC
Fixed in selinux-policy-3.6.26-6.fc12

Lost an attribute due to update to upstream.

Comment 5 Mark McLoughlin 2009-08-06 09:30:24 UTC
thanks, that fixed it