Bug 609655

Summary: libvirt qemu:///session can't create socket on NFS homedir
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Cole Robinson <crobinso>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: berrange
Target Milestone: ---
Target Release: ---
Fixed In Version: selinux-policy-3.6.32-120.fc12
Doc Type: Bug Fix
Last Closed: 2010-08-20 01:45:02 UTC

Description Cole Robinson 2010-06-30 19:00:24 UTC
If using libvirt's qemu:///session, the libvirt daemon and all VMs are launched as the regular user, and the folder hierarchy typically in /var/lib/libvirt is stored under ~/.libvirt.

If using NFS homedirs, and enabling the virt_use_nfs boolean, VMs still fail to launch:

bind(unix:/home/boston/crobinso/.libvirt/qemu/lib/livecd.monitor): Permission denied
chardev: opening backend "socket" failed

Audit messages:

type=AVC msg=audit(1277924371.406:36254): avc:  denied  { create } for  pid=11459 comm="qemu-kvm" name="livecd.monitor" scontext=system_u:system_r:svirt_t:s0:c217,c847 tcontext=system_u:object_r:nfs_t:s0:c217,c847 tclass=sock_file
type=SYSCALL msg=audit(1277924371.406:36254): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffb42ba6c0 a2=6e a3=712f747269766269 items=0 ppid=1 pid=11459 auid=10736 uid=10736 gid=10736 euid=10736 suid=10736 fsuid=10736 egid=10736 sgid=10736 fsgid=10736 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c217,c847 key=(null)

virt_use_nfs should probably be amended to allow socket creation.

Comment 1 Cole Robinson 2010-06-30 19:08:27 UTC
I'm seeing this on F12, but it's probably also relevant for F13+

Comment 2 Daniel Walsh 2010-07-12 21:02:33 UTC
Add

	fs_manage_nfs_named_sockets(svirt_t)
and
	fs_manage_cifs_named_sockets(svirt_t)
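
The AVC record in the description can be read mechanically. This is an added example, not part of the bug report or of selinux-policy: it parses that record into source type, target type, object class and permission, and prints the raw type-enforcement rule the denial corresponds to, which is the gap the policy interfaces named above cover for sock_file objects on NFS. The function names are hypothetical, and the same-level check is a heuristic for telling a type-enforcement denial from an MCS category mismatch.

```python
import re

# AVC record copied verbatim from the bug description.
AVC_LINE = (
    'type=AVC msg=audit(1277924371.406:36254): avc:  denied  { create } for  '
    'pid=11459 comm="qemu-kvm" name="livecd.monitor" '
    'scontext=system_u:system_r:svirt_t:s0:c217,c847 '
    'tcontext=system_u:object_r:nfs_t:s0:c217,c847 tclass=sock_file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    parts = ctx.split(':', 3)
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) > 3 else ''
    return {'user': user, 'role': role, 'type': setype, 'level': level}


def parse_avc(line):
    """Return the fields needed for triage, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    src = split_context(fields['scontext'])
    tgt = split_context(fields['tcontext'])
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'tclass': fields['tclass'],
        # Heuristic: identical levels point at type enforcement, not MCS.
        'same_level': src['level'] == tgt['level'],
    }


def te_rule(denial):
    """Render the denial as the allow rule it corresponds to (for reading only)."""
    perms = denial['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['source_type']} {denial['target_type']}:{denial['tclass']} {p};"


if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    print(te_rule(d), '| levels match:', d['same_level'])
```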

Comment 3 Miroslav Grepl 2010-08-05 11:55:20 UTC
Fixed in selinux-policy-3.6.32-120.fc12

Comment 4 Fedora Update System 2010-08-05 13:19:23 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 5 Fedora Update System 2010-08-05 23:23:29 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 6 Fedora Update System 2010-08-20 01:39:42 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.