Bug 729365
| Summary: | qemu should be allowed to connect to libguestfs socket | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Richard W.M. Jones <rjones> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | apevec, dwalsh, mfojtik, mmalik, shavivi |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-107.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-06 10:12:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Richard W.M. Jones
2011-08-09 17:13:27 UTC
Adding Alan to CC. What does # getsebool allow_unconfined_qemu_transition I believe the following command will fix the issue # setsebool -P allow_unconfined_qemu_transition 0 Set needinfo of mfojtik ... Yes, I can confirm that setting the bool variable above fix this problem. Thanks! This IS a bug. Normal operation of libguestfs should not involve having to set SELinux booleans. Miroslav, lets pull the transition code totally out like we have in F16. If you want to run confined virtual machines you need to run svirt_t launched by libvirt otherwise you should stay in unconfined_t. Fixed in selinux-policy-3.7.19-107.el6 Well I need to 'reopen' this bug once again. I recently got the same error with the boolean enabled. I didn't upgrade/update anything on my system. Components: [root@mfojtik-2 ~]# getsebool allow_unconfined_qemu_transition allow_unconfined_qemu_transition --> off [root@mfojtik-2 ~]# getenforce Permissive Relevant part of the vdsm.log: Thread-194852::DEBUG::2011-08-12 11:40:39,126::utils::573::Storage.Misc.excCmd::(execCmd) FAILED: <err> = 'find: failed to restore initial working directory: Permission denied\nconnect(unix:/tmp/libguestfssNcPZC/sock): Permission denied\nchardev: opening backend "socket" failed\n/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject:61: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6\n sys.stderr.write(\'fileinject: [general error in inject_file]: %s\\n\' % e.message)\nfileinject: [general error in inject_file]: child process died unexpectedly\nfileinject: path not exists: /\nfileinject: [unexpected error]: Traceback (most recent call last):\n File "/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject", line 93, in <module>\n sys.exit(2)\nSystemExit: 2\n\n'; <rc> = 2 Thread-194852::INFO::2011-08-12 11:40:39,126::hooks::51::root::(_runHooksDir) find: failed to restore initial working directory: Permission denied connect(unix:/tmp/libguestfssNcPZC/sock): Permission denied chardev: opening backend "socket" failed If you had updated to the policy selinux-policy-3.7.19-107.el6 The boolean will not even exists. I have asked Michal to open a different bug, since this appears to be happening for some other reason and needs investigation. *** Bug 730662 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html |