Bug 741531

Summary: SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory /home/misc/.libvirt/qemu/lib.
Product: Fedora
Reporter: Michael Scherer <misc>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 15
CC: berrange, clalancette, crobinso, dominick.grift, dougsland, dwalsh, itamar, jforbes, laine, mgrepl, veillard, virt-maint
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:29f9b79ca24d9a9b704379266be0da7dea12681cf3f672e1471385f0f14c0813
Doc Type: Bug Fix
Last Closed: 2012-06-06 20:35:18 EDT
Attachments:
Qemu avc log

Description Michael Scherer 2011-09-27 04:06:27 EDT
SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the dossier /home/misc/.libvirt/qemu/lib.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/home/misc/.libvirt/qemu/lib default label should be virt_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/misc/.libvirt/qemu/lib

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that qemu-kvm should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c370,c638
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/misc/.libvirt/qemu/lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    mar. 27 sept. 2011 10:04:46 CEST
Last Seen                     mar. 27 sept. 2011 10:04:46 CEST
Local ID                      d901bdb1-4d27-4507-8021-97f20a53c4e2

Raw Audit Messages
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 a2=6e a3=6273632f62696c2f items=0 ppid=1 pid=11767 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)

Hash: qemu-kvm,svirt_t,user_home_t,dir,write

audit2allow

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;

audit2allow -R

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;
Comment 1 Michael Scherer 2011-09-27 04:10:33 EDT
To trigger the error, just run as a user:

$ virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

The ISO should not matter much.

Sealert tells me to restore the context, which I do, but the error is still here. And the installation does not work.

~ $ ls -lZ ~/.libvirt/qemu/   
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 cache
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 dump
drwxrwxr-x. misc misc unconfined_u:object_r:virt_home_t:s0 lib
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 log
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 run
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 save
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 snapshot
Comment 2 Dominick Grift 2011-09-27 04:28:09 EDT
Seems kvm-qemu wants to create or delete some object in ~/.libvirt/qemu/lib but SELinux policy currently does not support that.

Could you test and reproduce this in permissive mode and enclose all the AVC denials from /var/log/audit/audit.log that occurred since the test?

This will give us an idea as to what kind of objects it is trying to create or delete, plus we will be able to determine what else it needs for this to work (and if it works at all).

But first restore the context of the whole ~/.libvirt directory ( restorecon -R -v ~/.libvirt )
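Comment 2 asks for the full set of AVC denials from a permissive-mode run rather than the single record in the description. The script below is an added example, not part of the bug, of setroubleshoot or of audit2allow: it parses raw audit lines of the kind pasted above, joins each AVC to its SYSCALL by serial number (which shows that the denied "write" on the directory was a bind() call, i.e. creating a unix socket), groups denials by (source type, target type, class) the way audit2allow does before emitting one allow rule per group, and flags a target carrying a generic home label (user_home_t) as a relabelling problem rather than a policy gap, which is the distinction the restorecon plugin draws. The sample log is constructed: the first two records are copied from the report, the third is invented; the function names and the GENERIC_HOME_TYPES set are this example's own.

```python
"""Join and summarise SELinux AVC denials from raw audit records.

Added example for this bug page; the helper names are this example's
own and the third sample record below is invented, not from the report.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic home-directory labels (assumed set): a denial whose target carries
# one of these under ~/.libvirt usually means the path lost its virt_home_t
# label, which is what the restorecon plugin in the description is keyed on.
GENERIC_HOME_TYPES = {"user_home_t", "user_home_dir_t"}

# Constructed sample log: serial 134 (AVC + SYSCALL) is copied from the
# description; serial 135 is invented to show a second denial key.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 a2=6e a3=6273632f62696c2f items=0 ppid=1 pid=11767 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)
type=AVC msg=audit(1317110700.001:135): avc:  denied  { create } for  pid=11767 comm="qemu-kvm" name="example.sock" scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
"""


def parse_record(line):
    """Turn one raw audit line into a dict of its key=value fields.

    Adds 'ts' and 'serial' from the msg=audit(...) header and, for AVC
    records, 'result' and a sorted 'perms' list from the '{ ... }' set.
    """
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(line):
        if key == "msg":          # already consumed by MSG_RE
            continue
        rec[key] = val.strip('"')
    a = AVC_RE.search(line)
    if a:
        rec["result"] = a.group("result")
        rec["perms"] = sorted(a.group("perms").split())
    return rec


def type_of(context):
    """Return the SELinux type from a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_audit_log(text):
    """Group records by audit serial so each AVC sits next to its SYSCALL."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec.get("type") == "AVC":
            ev["avc"].append(rec)
        elif rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
    return dict(events)


def summarize_denials(events):
    """Collapse denials into (source type, target type, class) -> perms.

    Same grouping audit2allow applies before writing one allow rule per
    key; seeing every key at once is what comment 2 asks the reporter for.
    """
    summary = defaultdict(set)
    for ev in events.values():
        for avc in ev["avc"]:
            if avc.get("result") != "denied":
                continue
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
            summary[key].update(avc["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def recommend(summary):
    """Heuristic per denial key: a generic home-type target points at a lost
    label (restorecon); anything else needs a look at the policy itself."""
    return {key: ("relabel" if key[1] in GENERIC_HOME_TYPES else "policy")
            for key in summary}


def failed_syscalls(events):
    """(comm, syscall, exit) for every failed SYSCALL, in serial order; joined
    to its AVC this tells you which operation the denial actually blocked."""
    out = []
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc and sc.get("success") == "no":
            out.append((sc["comm"], sc["syscall"], sc["exit"]))
    return out


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    summary = summarize_denials(evs)
    advice = recommend(summary)
    for key in sorted(summary):
        print(key, summary[key], "->", advice[key])
    print("failed syscalls:", failed_syscalls(evs))
```

The grouping also makes the cost of the catchall suggestion visible: `allow svirt_t user_home_t:dir write` would let every confined guest process write into any directory labelled user_home_t, in any user's home, whereas restoring the virt_home_t label the sealert output expects keeps the access scoped to libvirt's own directory, so the relabel is the first thing to try before any local policy module.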
Comment 3 Miroslav Grepl 2011-09-27 09:06:22 EDT
AFAIK, we had the same issue on RHEL6. Looking for a bug.
Comment 4 Michael Scherer 2011-10-01 13:29:41 EDT
Created attachment 525878 [details]
Qemu avc log

Here is the log.
Comment 5 Miroslav Grepl 2011-10-03 04:02:52 EDT
Actually we know where the problem is. We have a fix in RHEL6 but we need to investigate it in Fedora.

The problem is that libvirt is running as unconfined_t in this case, which is expected.

Michael, 
if you run

# runcon -r system_r -t initrc_t -- runcon -t virtd_t -- virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

this should work.
Comment 6 Miroslav Grepl 2011-10-03 04:04:05 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=676372
Comment 7 Fedora Admin XMLRPC Client 2011-11-30 15:04:49 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2011-11-30 15:05:06 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora Admin XMLRPC Client 2011-11-30 15:08:54 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Fedora Admin XMLRPC Client 2011-11-30 15:09:07 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Cole Robinson 2012-06-06 20:35:18 EDT
F15 is end of life real soon, so closing as WONTFIX. If anyone can still reproduce with a Fedora 16 or Fedora 17, please reopen.