Bug 523993

Summary: KVM Live migration failure with SELinux Enforcing
Product: [Fedora] Fedora Reporter: Chris Lalancette <clalance>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: rawhideCC: dwalsh, jkubin, markmc, mgrepl, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-17 15:48:27 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 498968    

Description Chris Lalancette 2009-09-17 10:31:52 EDT
Description of problem:
I'm trying to do live migration testing with Fedora 12 as part of the Virtualization test day.  However, when I have both the source and destination machine of the migration in Enforcing mode, the migration fails to complete.  Just for reference, the idea behind live migration in libvirt with qemu is:

1)  Run a Prepare step on the destination of the migration.  This chooses a port between 49152 and 49216, and starts up the qemu container on the destination side listening to this port.

2)  Run a Perform step on the source side of the migration.  This actually performs the migration.

3)  Run a Finish step on the destination side of the migration.  In the case of failure, it cleans up the qemu container.  In the case of success, it unpauses the guest and sets it running.

What I'm seeing is that the first step, Prepare, is completing successfully.  However, the Perform step seems to be hanging up, and I'm seeing this in /var/log/audit/audit.log:

type=AVC msg=audit(1253211844.774:142): avc:  denied  { name_connect } for  pid=23056 comm="qemu-kvm" dest=49152 scontext=system_u:system_r:svirt_t:s0:c405,c410 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253211844.774:142): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7fffea3b38c0 a2=10 a3=7fffea3b3650 items=0 ppid=1 pid=23056 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=3 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c405,c410 key=(null)
Comment 1 Daniel Walsh 2009-09-17 15:48:27 EDT
Fixed in selinux-policy-3.6.32-2.fc12.noarch