Bug 749172

Summary: In Xen, xend cannot find disk image that exists
Product: [Fedora] Fedora
Reporter: John D. Ramsdell <ramsdell>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: unspecified
Version: 16
CC: ace, berrange, dave, dwalsh, jforbes, ketuzsezr, kraxel, m.a.young, pasik, virt-maint, xen-maint
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-14 02:00:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments:
Description Flags
Output from ausearch -m avc -ts recent
none
Output of ausearch -m avc -ts recent run today
none
Output of ausearch -m avc -ts recent run today none

Description John D. Ramsdell 2011-10-26 12:03:10 UTC
Description of problem:

I booted using "Linux with Xen 4.1 and Linux
3.1.0-0.rc8.git0.1.fc16.x86_64" and then in an attempt to create a
user domain virtual machine based on a local ISO image file, I started
virt-manager (Virtual Machine Manager 0.9.0).  After typing my
password, I noticed a little pop up that said something about some
program crashing, but I could not read the message before it
disappeared.  I then tried to create a new virtual machine called
couch, but when I tried to finish the process, I received this
message:

Unable to complete install: 'POST operation failed: xend_post: error from xen daemon: (xend.err 'Error creating domain: Disk image does not exist: /var/lib/libvirt/images/couch.img')'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1899, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line

When I navigate to this file's location as root, one finds that file.


Version-Release number of selected component (if applicable):

Xen 4.1.1


How reproducible:

Create a virtual machine with virt-machine

Steps to Reproduce:
1.  Click on create VM button
2.  Follow instructions
3.
  
Actual results:

See above output.

Expected results:

A running virtual machine

Additional info:

Comment 1 John D. Ramsdell 2011-10-26 20:19:40 UTC
I did not answer two of the canned questions correctly.  Let me try again.

How reproducible:

The problem occurs every time I try to create a virtual machine. 

Steps to Reproduce:
1.  Start virt-manager
2.  Click on create VM button
3.  Follow instructions for installing the OS from local install media

Finally, the evidence that the image exists:

$ sudo ls -l /var/lib/libvirt/images/
[sudo] password for ramsdell: 
total 8388612
-rw-------. 1 root root 8589934592 Oct 18 07:19 couch.img
$

Comment 2 Michael Young 2011-10-26 21:19:31 UTC
My first guess is that selinux is getting in the way. You can stop selinux getting in the way by running setenforce 0 beforehand.
It is probably also worth making sure you have the latest selinux-policy-targeted package, as some libvirt/xen fixes went in relatively recently.

Comment 3 John D. Ramsdell 2011-10-27 15:24:24 UTC
(In reply to comment #2)
> My first guess is that selinux is getting in the way.

Your first guess is correct.

> It is probably also worth making sure you have the latest
> selinux-policy-targeted package, as some libvirt/xen fixes went in relatively
> recently.

Yum update does attempt to update my selinux policy, but the update dies with an error concerning qemu-common.

--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.1.0-0.rc6.git0.3.fc16 will be erased
---> Package kernel-devel.x86_64 0:3.1.0-0.rc6.git0.3.fc16 will be erased
--> Finished Dependency Resolution
Error: Protected multilib versions: 2:qemu-common-0.15.1-1.fc16.x86_64 != 2:qemu-common-0.15.0-5.fc16.i686
$

Comment 4 John D. Ramsdell 2011-10-27 19:22:14 UTC
I performed the update after removing the offending package, put selinux back into enforcing mode, and rebooted into the new hypervisor and kernel.  An attempt to create a new virtual machine failed with the same error listed above, so the new policy that was installed does not fix this problem.

Comment 5 Michael Young 2011-10-28 21:05:05 UTC
The next thing to do is to work out what selinux is blocking. If you retest it (after setenforce 0) what does
ausearch -m avc -ts recent
say?

Comment 6 John D. Ramsdell 2011-10-28 21:57:31 UTC
(In reply to comment #5)
> The next thing to do is to work out what selinux is blocking. If you retest it
> (after setenforce 0) what does
> ausearch -m avc -ts recent
> say?

I cannot get to the machine on which I run Xen for a week.  I'll run ausearch as soon as I am able and get back to you.

Comment 7 Dave Miller 2011-10-29 15:28:10 UTC
Chiming in since I just ran into the same problem and the "setenforce 0" solution worked:

time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.176:370): arch=c000003e syscall=4 success=yes exit=0 a0=7f703002b850 a1=7f70517f6640 a2=7f70517f6640 a3=2d302e362d534f74 items=0 ppid=1 pid=19562 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xend" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1319900996.176:370): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/home/dave/noBackup/ISOs/CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:370): avc:  denied  { search } for  pid=19562 comm="xend" name="noBackup" dev=dm-2 ino=24248405 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.176:369): arch=c000003e syscall=4 success=yes exit=0 a0=7f703002b7f0 a1=7f70517f6640 a2=7f70517f6640 a3=6d692e746e65696c items=0 ppid=1 pid=19562 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xend" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1319900996.176:369): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/var/lib/libvirt/images/c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:369): avc:  denied  { search } for  pid=19562 comm="xend" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.461:371): arch=c000003e syscall=2 success=yes exit=5 a0=5006a5 a1=2 a2=7fff6c61c817 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.461:371): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:371): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.461:372): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=400454ca a2=7fff6c61c850 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.461:372): avc:  denied  { create } for  pid=19576 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=tun_socket
type=AVC msg=audit(1319900996.461:372): avc:  denied  { net_admin } for  pid=19576 comm="qemu-dm" capability=12  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
type=AVC msg=audit(1319900996.461:372): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/net/tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.463:373): arch=c000003e syscall=59 success=yes exit=0 a0=7fff6c61bb90 a1=7fff6c61b6f0 a2=7fff6c61cfd0 a3=7f83c4464a10 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read open } for  pid=19628 comm="qemu-dm" name="bash" dev=dm-1 ino=1839179 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute } for  pid=19628 comm="qemu-dm" name="bash" dev=dm-1 ino=1839179 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read } for  pid=19628 comm="qemu-dm" name="sh" dev=dm-1 ino=1836061 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute_no_trans } for  pid=19628 comm="qemu-dm" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read open } for  pid=19628 comm="qemu-dm" name="qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute } for  pid=19628 comm="qemu-dm" name="qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.524:374): arch=c000003e syscall=2 success=yes exit=3 a0=3fdbf7238f a1=0 a2=1b6 a3=2000 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.524:374): avc:  denied  { open } for  pid=19628 comm="qemu-ifup" name="meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1319900996.524:374): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.524:375): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff35574ff0 a2=7fff35574ff0 a3=2000 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.524:375): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/proc/meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.525:376): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff35577328 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.525:376): avc:  denied  { ioctl } for  pid=19628 comm="qemu-ifup" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.525:377): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fff355772d0 a2=7fff355772d0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.525:377): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.526:378): arch=c000003e syscall=4 success=yes exit=0 a0=10542a0 a1=7fff35576d40 a2=7fff35576d40 a3=8 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.526:378): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="virbr0" dev=sysfs ino=18937 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:379): arch=c000003e syscall=4 success=yes exit=0 a0=10547d0 a1=7fff35577010 a2=7fff35577010 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:379): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/sbin/ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:380): arch=c000003e syscall=21 success=yes exit=0 a0=10547d0 a1=1 a2=0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:380): avc:  denied  { execute } for  pid=19628 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:381): arch=c000003e syscall=21 success=yes exit=0 a0=10547d0 a1=4 a2=0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:381): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.528:382): arch=c000003e syscall=59 success=yes exit=0 a0=10547d0 a1=1052f30 a2=10557c0 a3=8 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.528:382): avc:  denied  { execute_no_trans } for  pid=19655 comm="qemu-ifup" path="/sbin/ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.528:382): avc:  denied  { open } for  pid=19655 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:383): arch=c000003e syscall=21 success=yes exit=0 a0=40d33e a1=4 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:383): avc:  denied  { read } for  pid=19655 comm="ifconfig" name="unix" dev=proc ino=4026532181 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:384): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=2 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:384): avc:  denied  { create } for  pid=19655 comm="ifconfig" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=unix_dgram_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:385): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:385): avc:  denied  { create } for  pid=19655 comm="ifconfig" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=udp_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.530:386): arch=c000003e syscall=21 success=no exit=-2 a0=40c3b8 a1=4 a2=2 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.530:386): avc:  denied  { search } for  pid=19655 comm="ifconfig" name="net" dev=proc ino=11501 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.530:387): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=8916 a2=7fff1d2a0fe0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.530:387): avc:  denied  { ioctl } for  pid=19655 comm="ifconfig" path="socket:[220704]" dev=sockfs ino=220704 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=udp_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.532:388): arch=c000003e syscall=4 success=yes exit=0 a0=10548f0 a1=7fff35576e40 a2=7fff35576e40 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.532:388): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/usr/sbin/brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.533:389): arch=c000003e syscall=21 success=yes exit=0 a0=10548f0 a1=1 a2=0 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.533:389): avc:  denied  { execute } for  pid=19628 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.533:390): arch=c000003e syscall=21 success=yes exit=0 a0=10548f0 a1=4 a2=0 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.533:390): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.534:391): arch=c000003e syscall=59 success=yes exit=0 a0=10548f0 a1=1055090 a2=10557c0 a3=8 items=0 ppid=19628 pid=19662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.534:391): avc:  denied  { execute_no_trans } for  pid=19662 comm="qemu-ifup" path="/usr/sbin/brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.534:391): avc:  denied  { open } for  pid=19662 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.535:392): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=8933 a2=7fff4b795270 a3=ffffffffffffff6b items=0 ppid=19628 pid=19662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.535:392): avc:  denied  { ioctl } for  pid=19662 comm="brctl" path="socket:[220710]" dev=sockfs ino=220710 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=unix_dgram_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.552:394): arch=c000003e syscall=2 success=yes exit=10 a0=18551f0 a1=2 a2=1a4 a3=8 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.552:394): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.552:394): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.552:394): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
type=AVC msg=audit(1319900996.552:394): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="libvirt" dev=dm-1 ino=3156957 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.554:395): arch=c000003e syscall=2 success=yes exit=11 a0=1855f60 a1=0 a2=1a4 a3=2d534f746e65432f items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.554:395): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.554:395): avc:  denied  { read } for  pid=19576 comm="qemu-dm" name="CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.554:395): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="noBackup" dev=dm-2 ino=24248405 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1319900996.554:395): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="dave" dev=dm-2 ino=24248321 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.555:396): arch=c000003e syscall=2 success=yes exit=12 a0=3fdbf7328d a1=2 a2=0 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.555:396): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.555:396): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:397): arch=c000003e syscall=137 success=yes exit=0 a0=3fdbf721c0 a1=7fff6c61b770 a2=c a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:397): avc:  denied  { getattr } for  pid=19576 comm="qemu-dm" name="/" dev=devpts ino=1 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:398): arch=c000003e syscall=16 success=yes exit=0 a0=c a1=5401 a2=7fff6c61a5f8 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:398): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:399): arch=c000003e syscall=4 success=yes exit=0 a0=7fff6c61a6f0 a1=7fff6c61b6f0 a2=7fff6c61b6f0 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:399): avc:  denied  { getattr } for  pid=19576 comm="qemu-dm" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:400): arch=c000003e syscall=2 success=yes exit=13 a0=7fff6c61b830 a1=102 a2=ff6 a3=7fff6c619fc0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:400): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.556:400): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:401): arch=c000003e syscall=16 success=yes exit=0 a0=d a1=5401 a2=7fff6c61c838 a3=7fff6c619fc0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:401): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.557:402): arch=c000003e syscall=149 success=yes exit=0 a0=1859000 a1=1000 a2=1859000 a3=1 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.557:402): avc:  denied  { ipc_lock } for  pid=19576 comm="qemu-dm" capability=14  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
----
time->Sat Oct 29 09:10:09 2011
type=SYSCALL msg=audit(1319901009.932:404): arch=c000003e syscall=62 success=yes exit=0 a0=4c78 a1=c a2=ab98e0 a3=0 items=0 ppid=1202 pid=20047 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319901009.932:404): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
----
time->Sat Oct 29 09:10:20 2011
type=SYSCALL msg=audit(1319901020.195:405): arch=c000003e syscall=62 success=yes exit=0 a0=4c78 a1=c a2=ab98e0 a3=f5e8f800 items=0 ppid=1202 pid=20047 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319901020.195:405): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process

Looks like there are actually several different issues with SELinux.
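
Added example, not part of the original comment and not code from any Fedora or SELinux tool: a short Python script that groups AVC denials like the ones above by source domain, target type and object class, so the separate xend_t and qemu_dm_t problems can be read at a glance. The function names (parse_avc, summarize, as_rules) are hypothetical; the sample records are copied from the ausearch output in comment 7, and the allow-rule syntax is used only as a compact way to list what was denied.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in comment 7 (a subset), with the
# "----" and "time->" separator lines that ausearch prints between events.
SAMPLE = """\
----
time->Sat Oct 29 09:09:56 2011
type=AVC msg=audit(1319900996.176:369): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/var/lib/libvirt/images/c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:369): avc:  denied  { search } for  pid=19562 comm="xend" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=AVC msg=audit(1319900996.461:371): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:371): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:372): avc:  denied  { net_admin } for  pid=19576 comm="qemu-dm" capability=12  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
type=AVC msg=audit(1319900996.461:372): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/net/tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
"""

# Matches the part of an AVC record that names the permissions and contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    perms = set(match.group("perms").split())
    if not perms:
        return None
    return {
        "perms": perms,
        "source": context_type(match.group("scontext")),
        "target": context_type(match.group("tcontext")),
        "tclass": match.group("tclass"),
    }


def summarize(text):
    """Merge denials into {(source, target, tclass): set_of_permissions}."""
    summary = defaultdict(set)
    for line in text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue  # separators, SYSCALL records, unrelated lines
        # A domain acting on its own type is written as "self" in policy syntax.
        target = "self" if record["target"] == record["source"] else record["target"]
        summary[(record["source"], target, record["tclass"])] |= record["perms"]
    return dict(summary)


def as_rules(summary):
    """Render the summary as sorted allow-rule lines for review."""
    rules = []
    for (source, target, tclass), perms in sorted(summary.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```

Each output line is one distinct denial class; entries such as the capability one show where a blanket allow would widen the domain's privileges and deserve the closest review.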

Comment 8 Michael Young 2011-10-29 20:39:41 UTC
This probably needs some tweaks at the selinux end. Reassigning to selinux-policy-targeted package.

Comment 9 Miroslav Grepl 2011-10-31 09:44:08 UTC
Dave,
could you attach these AVC msgs as an attachment for better analysis? Looks like qemu_dm_t needs some fixes.

Comment 10 Dave Miller 2011-10-31 12:34:03 UTC
Created attachment 530966 [details]
Output from ausearch -m avc -ts recent

This is just a grab of what I had previously posted.  It will be this evening before I get a chance to re-create the problem.

Comment 11 Miroslav Grepl 2011-11-01 14:48:40 UTC
*** Bug 750535 has been marked as a duplicate of this bug. ***

Comment 12 John D. Ramsdell 2011-11-03 21:28:55 UTC
Created attachment 531663 [details]
Output of ausearch -m avc -ts recent run today

What happens when I try to make a VM called couch.

Comment 13 Konrad Rzeszutek Wilk 2011-11-03 23:15:26 UTC
Seeing it too. I can attach an output when using LVs instead of files to install F16 under F16. Is there a temporary workaround (well, except disabling SELinux)?

Comment 14 vvs 2011-11-23 13:35:42 UTC
I must add that the same problem exists for openstack-nova too. SELinux policy blocks xend access to /var/lib/nova/instances.

Comment 15 Miroslav Grepl 2012-01-02 08:51:10 UTC
Could you try to execute

# chcon -t bin_t /usr/lib/xen/bin/qemu-dm 

and re-test it. Thank you.

Comment 16 Adrian Busolini 2012-01-02 17:05:59 UTC
Note that I worked around the issue of storage directory permissions and installation media directory permissions by executing the following (replacing /foo/bar) for each directory:

# semanage fcontext -a -t xen_image_t "/foo/bar(/.*)?"
# restorecon -R -v /domu

I tried the fix, but setenforce=0 is still the only way I can get things working. Prior to running the chcon fix:

time->Mon Jan  2 16:54:14 2012
type=SYSCALL msg=audit(1325523254.512:983): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=400454ca a2=7fff4c8909f0 a3=0 items=0 ppid=1183 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1325523254.512:983): avc:  denied  { create } for  pid=1643 comm="qemu-dm" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=tun_socket
----
time->Mon Jan  2 16:54:14 2012
type=SYSCALL msg=audit(1325523254.511:982): arch=c000003e syscall=160 success=no exit=-1 a0=8 a1=7fff4c890eb0 a2=7fff4c891160 a3=3867bb0d0c items=0 ppid=1183 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1325523254.511:982): avc:  denied  { sys_resource } for  pid=1643 comm="qemu-dm" capability=24  scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability

Post running the chcon fix:

----
time->Mon Jan  2 16:55:04 2012
type=SYSCALL msg=audit(1325523304.789:985): arch=c000003e syscall=2 success=no exit=-13 a0=500625 a1=2 a2=7fff905577f8 a3=0 items=0 ppid=1183 pid=2581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1325523304.789:985): avc:  denied  { read write } for  pid=2581 comm="qemu-dm" name="tun" dev=devtmpfs ino=9504 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
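
The following is an added example, not part of the original comment or of any Fedora tooling: a small parser that groups the AVC records quoted in this report by command, source domain, target type and object class. Run over the records above, it shows qemu-dm being denied under two different source domains (xend_t and qemu_dm_t), each with its own set of permissions. The function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in this bug report.
SAMPLE = """\
type=AVC msg=audit(1325523254.512:983): avc:  denied  { create } for  pid=1643 comm="qemu-dm" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=tun_socket
type=AVC msg=audit(1325523254.511:982): avc:  denied  { sys_resource } for  pid=1643 comm="qemu-dm" capability=24  scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
type=AVC msg=audit(1325523304.789:985): avc:  denied  { read write } for  pid=2581 comm="qemu-dm" name="tun" dev=devtmpfs ino=9504 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319901009.932:404): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
type=AVC msg=audit(1319901020.195:405): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Map (comm, source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "----" separators and time-> lines
        key = (m["comm"], selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def domains_for(summary, comm):
    """Source domains in which a command was denied; repeated records collapse."""
    return sorted({src for (c, src, _, _) in summary if c == comm})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (comm, src, tgt, cls), perms in sorted(summary.items()):
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    print("qemu-dm domains:", domains_for(summary, "qemu-dm"))
```
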

Comment 17 John D. Ramsdell 2012-01-05 13:48:02 UTC
(In reply to comment #15)
> Could you try to execute
> 
> # chcon -t bin_t /usr/lib/xen/bin/qemu-dm 
> 
> and re-test it. Thank you.

I retested before running your command to see if recent policy updates changed anything, but they did not.  I ran your command, and found it had no effect.

John

Comment 18 Miroslav Grepl 2012-01-06 12:05:49 UTC
I did not add any changes to a new policy. 

Not sure what you mean by "no effect". I believe you needed to get different AVC msgs.

Comment 19 John D. Ramsdell 2012-01-06 12:39:21 UTC
Created attachment 551140
Output of ausearch -m avc -ts recent run today

Comment 20 John D. Ramsdell 2012-01-06 12:41:00 UTC
Oops.  I forgot the testing procedure.  I just added as an attachment the result of running ausearch after running your chcon and setenforce 0.

Comment 21 Fedora End Of Life 2013-02-14 02:00:26 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.