Bug 824551
| Summary: | After the libvirt packages installation, KVM images do not start with SELinux enforcing. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Saulo Pedro <spedro> |
| Component: | libvirt | Assignee: | Martin Kletzander <mkletzan> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | acathrow, dallan, dyasny, dyuan, gsun, mzhan, rwu, ydu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-08-08 18:04:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I cann't reproduce it with libvirt-0.9.10-20.el6 & selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 & selinux-policy-3.7.19-126.el6. Can you provide your selinux-policy version or try it with the latest version ? The SELinux policicy is selinux-policy-3.7.19-93.el6 (In reply to comment #2) > I cann't reproduce it with libvirt-0.9.10-20.el6 & > selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 & > selinux-policy-3.7.19-126.el6. > > Can you provide your selinux-policy version or try it with the latest > version ? Saulo, this behavior isn't reproducible for us, do you see it on a freshly installed system? Since we can't reproduce this behavior and we don't have any further information about what's going on, I'm closing, but please feel free to reopen if the information becomes available. |
Description of problem: After the installation of libvirt packages, KVM images do not start with SELinux enforcing. It seems the installation leaves some files mislabeled /etc/init.d/libvirtd should be in virtd_initrc_exec_t, it is in rpm_script_t /usr/sbin/libvirtd should be in virtd_exec_t, it is in bin_t recovering these labels with restorecon resolves this problem. Version-Release number of selected component (if applicable): libvirt-0.8.7-18.el6_1.4.x86_64 libvirt-client-0.8.7-18.el6_1.4.x86_64 libvirt-python-0.8.7-18.el6_1.4.x86_64 How reproducible: 100% Steps to Reproduce: 1. Install the packages 2. Set SELinux to enforcing 3. Start a KVM image (I tried with virt-manager) Actual results: Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686' on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1050, in startup self._backend.create() File "/usr/lib64/python2.6/site-packages/libvirt.py", line 511, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686' on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied ausearch -m avc -ts recent ---- time->Wed Apr 25 18:17:00 2012 type=SYSCALL msg=audit(1335392220.167:51422): arch=c000003e syscall=188 success=no exit=-13 a0=7fd8e400cab0 a1=34a4e162d9 a2=7fd8e800a2f0 a3=2d items=0 ppid=1 pid=3172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(1335392220.167:51422): avc: denied { relabelto } for pid=3172 comm="libvirtd" name="Technical_Operations-Windows_XP.raw" dev=dm-1 ino=269090 scontext=system_u:system_r:initrc_t:s0 Expected results: No SELinux alerts. Additional info: