Bug 741531
Summary: | SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the dossier /home/misc/.libvirt/qemu/lib. | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael S. <misc> | ||||
Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> | ||||
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 15 | CC: | berrange, clalancette, crobinso, dominick.grift, dougsland, dwalsh, itamar, jforbes, laine, mgrepl, veillard, virt-maint | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | setroubleshoot_trace_hash:29f9b79ca24d9a9b704379266be0da7dea12681cf3f672e1471385f0f14c0813 | ||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Last Closed: | 2012-06-07 00:35:18 UTC | Type: | --- | ||||
Description
Michael S.
2011-09-27 08:06:27 UTC
To trigger the error, just run as a user:

    $ virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

The ISO should not matter much. Sealert tells me to restore context, which I do, but the error is still here. And the installation does not work.

    ~ $ ls -lZ ~/.libvirt/qemu/
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 cache
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 dump
    drwxrwxr-x. misc misc unconfined_u:object_r:virt_home_t:s0 lib
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 log
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 run
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 save
    drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 snapshot

Seems kvm-qemu wants to create or delete some object in ~/.libvirt/qemu/lib but SELinux policy currently does not support that.

Could you test and reproduce this in permissive mode and enclose all the AVC denials from /var/log/audit/audit.log that occurred since the test? This will give us an idea as to what kind of objects it is trying to create or delete, plus we will be able to determine what else it needs for this to work (and if it works at all).

But first restore the context of the whole ~/.libvirt directory ( restorecon -R -v ~/.libvirt )

AFAIK, we had the same issue on RHEL6. Looking for a bug.

Created attachment 525878
Qemu avc log

Here is the log.
Actually we know where the problem is. We have a fix in RHEL6 but we need to investigate it in Fedora. The problem is libvirt is running as unconfined_t in this case which is expected.

Michael, if you run

    # runcon -r system_r -t initrc_t -- runcon -t virtd_t -- virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

this should work.

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

F15 is end of life real soon, so closing as WONTFIX. If anyone can still reproduce with a Fedora 16 or Fedora 17, please reopen.
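An added example, not part of the original bug thread or its attachment: one way to summarize the AVC denials collected from a permissive-mode run, as requested in the comments above, so the object classes and permissions qemu-kvm needs are visible at a glance. The sample records are constructed; the source type svirt_t, the file name csb_6.monitor and the pid/inode values are assumptions.

```python
import re
from collections import Counter

# Constructed sample records in audit.log AVC format (NOT the bug's attachment).
# svirt_t, csb_6.monitor and the pid/inode numbers are illustrative assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1317110787.101:310): avc:  denied  { write } for  pid=4242 comm="qemu-kvm" name="lib" dev=dm-2 ino=1001 scontext=unconfined_u:unconfined_r:svirt_t:s0:c10,c20 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=AVC msg=audit(1317110787.102:311): avc:  denied  { add_name } for  pid=4242 comm="qemu-kvm" name="csb_6.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c10,c20 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
type=AVC msg=audit(1317110787.103:312): avc:  denied  { create } for  pid=4242 comm="qemu-kvm" name="csb_6.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c10,c20 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1317110787.103:312): arch=c000003e syscall=49 success=yes exit=0 comm="qemu-kvm"
type=AVC msg=audit(1317110790.500:320): avc:  denied  { write } for  pid=4242 comm="qemu-kvm" name="lib" dev=dm-2 ino=1001 scontext=unconfined_u:unconfined_r:svirt_t:s0:c10,c20 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    # SELinux context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def summarize_denials(log_text, comm=None):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue  # skip non-AVC records and other processes
        for perm in m["perms"].split():
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"], perm)
            counts[key] += 1
    return counts

def as_allow_rules(counts):
    """Group denied permissions into audit2allow-style lines for human review."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG, comm="qemu-kvm")):
        print(rule)
```

The grouped lines are a reading aid for policy maintainers deciding what the domain legitimately needs, not rules to load as-is.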