Bug 729365

Summary: qemu should be allowed to connect to libguestfs socket
Product: Red Hat Enterprise Linux 6
Reporter: Richard W.M. Jones <rjones>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: apevec, dwalsh, mfojtik, mmalik, shavivi
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-12-06 10:12:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Richard W.M. Jones 2011-08-09 17:13:27 UTC
Description of problem:

I cannot reproduce this on standard RHEL 6.1, but I have a
reliable report that it happens in RHEV-M 3.0 (beta?)

libguestfs fails when SELinux is enforcing (but works when
SELinux is permissive or disabled).  The error message from
qemu is:

  connect(unix:/tmp/libguestfsUQHOQD/sock): Permission denied
  chardev: opening backend "socket" failed

Version-Release number of selected component (if applicable):

libguestfs 1.7.17-17.el6
qemu 0.12.1-2.160.el6
kernel 2.6.32-131.0.15

How reproducible:


Additional info:

I have asked Michal Fojtik who observed this error to follow
up with more details.

Comment 2 Richard W.M. Jones 2011-08-09 19:01:53 UTC
Adding Alan to CC.

Comment 3 Miroslav Grepl 2011-08-10 06:56:03 UTC
What does

# getsebool allow_unconfined_qemu_transition

I believe the following command will fix the issue

# setsebool -P allow_unconfined_qemu_transition 0

Comment 4 Richard W.M. Jones 2011-08-10 09:44:54 UTC
Set needinfo of mfojtik ...

Comment 5 Michal Fojtik 2011-08-10 11:46:52 UTC
Yes, I can confirm that setting the bool variable above fixes this problem. Thanks!

Comment 6 Richard W.M. Jones 2011-08-10 11:56:09 UTC
This IS a bug.  Normal operation of libguestfs should
not involve having to set SELinux booleans.

Comment 7 Daniel Walsh 2011-08-10 16:06:55 UTC
Miroslav, let's pull the transition code totally out like we have in F16.  If you want to run confined virtual machines you need to run svirt_t launched by libvirt; otherwise you should stay in unconfined_t.

Comment 8 Miroslav Grepl 2011-08-10 16:28:21 UTC
Fixed in selinux-policy-3.7.19-107.el6
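Added triage script for this report (example code, not part of the bug report, of libguestfs, or of the selinux-policy package). It covers the three things discussed in comments 3, 7 and 8: recognising the denied connect() from the appliance qemu to the libguestfs socket in the audit log, telling from the installed selinux-policy NVR whether the host still has the unconfined_t -> qemu_t transition (the boolean workaround from comment 3 applies only before 3.7.19-107.el6; from that build on the boolean is gone), and the live checks a practitioner would run on the host. Assumptions, stated here and in the comments: the denied source domain is qemu_t, the listener (libguestfs) runs as unconfined_t, the socket path matches /tmp/libguestfs*/sock, and the function names and the two AVC sample records are mine (the records are constructed for the example, not copied from any real audit.log).

```bash
#!/bin/sh
# Added example for bug 729365; not part of the bug report, libguestfs or the
# selinux-policy package. Assumptions: the denied source domain is qemu_t, the
# libguestfs listener runs as unconfined_t, and the socket path matches
# /tmp/libguestfs*/sock. Field names (scontext, tcontext, tclass, path) are the
# standard audit AVC record fields.

# Read audit records on stdin; print "pid comm path" for each denial that
# matches the bug signature. Returns 0 if at least one matched, else 1.
match_libguestfs_denial() {
    awk '
        /type=AVC/ && /avc: *denied *[{] *connectto *[}]/ &&
        /tclass=unix_stream_socket/ &&
        /path="\/tmp\/libguestfs[^"]*\/sock"/ {
            stype = ""; pid = ""; comm = ""; path = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)  { split($i, c, ":"); stype = c[3] }
                else if ($i ~ /^pid=/)  { pid = substr($i, 5) }
                else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
                else if ($i ~ /^path=/) { path = substr($i, 6); gsub(/"/, "", path) }
            }
            # Only the transitioned qemu domain is this bug; a denial from any
            # other domain is some other policy problem.
            if (stype == "qemu_t") { print pid, comm, path; hits++ }
        }
        END { if (hits) exit 0; exit 1 }'
}

# $1: NVR as printed by `rpm -q selinux-policy`. Returns 0 when the policy is
# 3.7.19-107.el6 or later (transition removed, boolean gone), 1 when it is an
# older RHEL 6 build (boolean still present; the setsebool workaround applies),
# 2 when the NVR is not a RHEL 6 3.7.19 build and this check cannot say.
policy_has_fix() {
    ver=${1#selinux-policy-}
    case $ver in
        3.7.19-*) ;;
        *) return 2 ;;
    esac
    rel=${ver#3.7.19-}
    rel=${rel%%.*}          # "107.el6.noarch" -> "107"
    case $rel in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$rel" -ge 107 ]
}

# Live checks on the host; every tool is optional so the function degrades.
diagnose_host() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux userspace not installed"; return 2; }
    echo "enforcing mode: $(getenforce)"
    if command -v rpm >/dev/null 2>&1 && nvr=$(rpm -q selinux-policy 2>/dev/null); then
        if policy_has_fix "$nvr"; then
            echo "$nvr: transition already removed; a qemu_t denial here is a different bug"
        else
            echo "$nvr: old policy; workaround: setsebool -P allow_unconfined_qemu_transition 0"
        fi
    fi
    # Is a qemu process actually running in qemu_t? (ps -eZ: LABEL PID TTY TIME CMD)
    ps -eZ 2>/dev/null | awk '$NF ~ /qemu/ && $1 ~ /qemu_t/ { print "qemu in qemu_t:", $0 }'
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts today 2>/dev/null | match_libguestfs_denial ||
            echo "no matching connectto denial in today's audit log"
    fi
}

# Constructed sample records (not copied from any real audit.log): one denial
# matching the report, one unrelated denial for contrast.
AVC_HIT='type=AVC msg=audit(1313000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="qemu-kvm" path="/tmp/libguestfsUQHOQD/sock" scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket'
AVC_MISS='type=AVC msg=audit(1313000000.124:457): avc:  denied  { search } for  pid=1235 comm="find" name="/" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$AVC_HIT" "$AVC_MISS" | match_libguestfs_denial
    policy_has_fix selinux-policy-3.7.19-93.el6.noarch || echo "old policy: boolean workaround applies"
    diagnose_host
fi
```

Run it with --demo on the affected host; the interesting case is the one from comment 9, where the policy is old, the boolean is already off and a qemu_t connectto denial still appears, which this script reports as a qemu process still running in qemu_t rather than as the boolean being wrong.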

Comment 9 Michal Fojtik 2011-08-12 09:56:52 UTC
Well I need to 'reopen' this bug once again. I recently got the same error with the boolean enabled. I didn't upgrade/update anything on my system.


[root@mfojtik-2 ~]# getsebool allow_unconfined_qemu_transition
allow_unconfined_qemu_transition --> off

[root@mfojtik-2 ~]# getenforce 

Relevant part of the vdsm.log:

Thread-194852::DEBUG::2011-08-12 11:40:39,126::utils::573::Storage.Misc.excCmd::(execCmd) FAILED: <err> = 'find: failed to restore initial working directory: Permission denied\nconnect(unix:/tmp/libguestfssNcPZC/sock): Permission denied\nchardev: opening backend "socket" failed\n/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject:61: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6\n  sys.stderr.write(\'fileinject: [general error in inject_file]: %s\\n\' % e.message)\nfileinject: [general error in inject_file]: child process died unexpectedly\nfileinject: path not exists: /\nfileinject: [unexpected error]: Traceback (most recent call last):\n  File "/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject", line 93, in <module>\n    sys.exit(2)\nSystemExit: 2\n\n'; <rc> = 2
Thread-194852::INFO::2011-08-12 11:40:39,126::hooks::51::root::(_runHooksDir) find: failed to restore initial working directory: Permission denied
connect(unix:/tmp/libguestfssNcPZC/sock): Permission denied
chardev: opening backend "socket" failed

Comment 10 Daniel Walsh 2011-08-12 10:44:53 UTC
If you had updated to the policy, the boolean would not even exist.

Comment 11 Richard W.M. Jones 2011-08-12 11:42:33 UTC
I have asked Michal to open a different bug, since this
appears to be happening for some other reason and needs

Comment 13 Miroslav Grepl 2011-08-22 08:52:23 UTC
*** Bug 730662 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2011-12-06 10:12:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.