Bug 825942

Summary: SELinux is preventing /usr/bin/qemu-kvm from read, write access on the chr_file /dev/tap10.
Product: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Status: CLOSED NOTABUG
Reporter: Flos Lonicerae <lonicerae>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: charlieb-fedora-bugzilla, dominick.grift, dwalsh, mgrepl, vg.aetera
Severity: unspecified
Priority: unspecified
Whiteboard: abrt_hash:2d845d29f289446a8eefa41c555d72053c66b19ce4b5fa6d9a598143d9a5754c
Doc Type: Bug Fix
Last Closed: 2012-10-11 12:10:35 UTC
Attachments: description (attachment 587322)

Description Flos Lonicerae 2012-05-29 07:18:06 UTC
libreport version: 2.0.8
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.6-3.fc16.x86_64
reason:         SELinux is preventing /usr/bin/qemu-kvm from read, write access on the chr_file /dev/tap10.
time:           2012-05-29 (Tuesday) 15:17:41

description:    Binary file, 3482 bytes

Comment 1 Flos Lonicerae 2012-05-29 07:18:09 UTC
Created attachment 587322
File: description

Comment 2 Charlie Brady 2012-10-10 20:34:41 UTC
I am sporadically seeing this issue with F15.

[charlieb@localhost isos]$ rpm -qf /etc/fedora-release 
fedora-release-15-3.noarch
[charlieb@localhost isos]$ rpm -q libvirt
libvirt-0.8.8-7.fc15.x86_64
[charlieb@localhost isos]$

Comment 3 Charlie Brady 2012-10-10 20:37:33 UTC
There seems to be a solution posted here:

https://lists.fedoraproject.org/pipermail/virt-maint/2012-June/004067.html

--- Comment #5 from Edward Rudd <urkle at outoforder.cc> ---
I'm receiving this error on RHEL 6 as well. The key is the SELinux deny log
entry. Creating a new semodule with the following resolves the issue (run
audit2allow -M libvirt-tap on the log in the OP):

module libvirt-tap 1.0;

require {
        type device_t;
        type svirt_t;
        class chr_file { read write };
}

#============= svirt_t ==============
# audit2allow output for the denial above: grants svirt_t read/write on every
# chr_file labeled device_t (the generic /dev label), not only /dev/tapN.
allow svirt_t device_t:chr_file { read write };

Comment 4 Miroslav Grepl 2012-10-11 12:10:35 UTC
Please execute

# restorecon -R -v /dev/tap*

If you get this again, please reopen bug. Thank you.

Comment 5 Charlie Brady 2012-12-10 17:05:39 UTC
(In reply to comment #4)
> Please execute
> 
> # restorecon -R -v /dev/tap*
> 
> If you get this again, please reopen bug. Thank you.

I can't see how to do that in Bugzilla at the moment. Status appears to be read-only.

Please see bug 882258 in Fedora 17 - it looks like the same problem to me. So we have F15, RHEL6 and F17. Seems to be an ongoing problem.

In my case, I don't think this is just an SE alert. I see qemu-kvm go 100% CPU, and I'm unable to shut down/restart the VM.

Comment 6 Charlie Brady 2012-12-10 17:09:52 UTC
My VM log under /var/log/libvirt/qemu shows:

qemu-kvm: -netdev tap,fd=24,id=hostnet1: TUNGETIFF ioctl() failed: Bad file descriptor
TUNSETOFFLOAD ioctl() failed: Bad file descriptor
qemu-kvm: -netdev tap,fd=25,id=hostnet2: TUNGETIFF ioctl() failed: Bad file descriptor
TUNSETOFFLOAD ioctl() failed: Bad file descriptor

Comment 7 Charlie Brady 2012-12-10 17:19:49 UTC
I don't see any difference with restorecon:

[charlieb@localhost ppp-2.4.5]$ sudo ls --lcontext /dev/tap*
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 1 Dec 10 11:54 /dev/tap22
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 2 Dec 10 11:54 /dev/tap23
[charlieb@localhost ppp-2.4.5]$ sudo /sbin/restorecon -R -v  /dev/tap*
[charlieb@localhost ppp-2.4.5]$ sudo ls --lcontext /dev/tap*
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 1 Dec 10 11:54 /dev/tap22
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 2 Dec 10 11:54 /dev/tap23
[charlieb@localhost ppp-2.4.5]$ 
[charlieb@localhost ppp-2.4.5]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.9.16-52.fc15.noarch
selinux-policy-targeted-3.9.16-52.fc15.noarch
[charlieb@localhost ppp-2.4.5]$

Notice also that /dev/tap* will only apply to the tap devices which are currently extant, but the device names are regularly changing:

[charlieb@localhost ppp-2.4.5]$ sudo grep qemu-kvm /var/log/audit/audit.log | grep dev.tap
type=AVC msg=audit(1342541462.734:338): avc:  denied  { read write } for  pid=12949 comm="qemu-kvm" path="/dev/tap15" dev="devtmpfs" ino=1092203 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342541462.734:338): avc:  denied  { read write } for  pid=12949 comm="qemu-kvm" path="/dev/tap16" dev="devtmpfs" ino=1092207 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342741836.615:487): avc:  denied  { read write } for  pid=24857 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=2030322 scontext=system_u:system_r:svirt_t:s0:c256,c958 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342741836.615:487): avc:  denied  { read write } for  pid=24857 comm="qemu-kvm" path="/dev/tap24" dev="devtmpfs" ino=2028969 scontext=system_u:system_r:svirt_t:s0:c256,c958 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342792040.696:555): avc:  denied  { read write } for  pid=13145 comm="qemu-kvm" path="/dev/tap29" dev="devtmpfs" ino=2189510 scontext=system_u:system_r:svirt_t:s0:c164,c771 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342792040.696:555): avc:  denied  { read write } for  pid=13145 comm="qemu-kvm" path="/dev/tap30" dev="devtmpfs" ino=2189521 scontext=system_u:system_r:svirt_t:s0:c164,c771 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342808799.564:615): avc:  denied  { read write } for  pid=450 comm="qemu-kvm" path="/dev/tap39" dev="devtmpfs" ino=2332781 scontext=system_u:system_r:svirt_t:s0:c18,c355 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342808799.564:615): avc:  denied  { read write } for  pid=450 comm="qemu-kvm" path="/dev/tap40" dev="devtmpfs" ino=2332786 scontext=system_u:system_r:svirt_t:s0:c18,c355 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343314835.251:791): avc:  denied  { read write } for  pid=15328 comm="qemu-kvm" path="/dev/tap46" dev="devtmpfs" ino=3123282 scontext=system_u:system_r:svirt_t:s0:c198,c954 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343314835.251:791): avc:  denied  { read write } for  pid=15328 comm="qemu-kvm" path="/dev/tap47" dev="devtmpfs" ino=3123289 scontext=system_u:system_r:svirt_t:s0:c198,c954 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343935727.050:1186): avc:  denied  { read write } for  pid=9057 comm="qemu-kvm" path="/dev/tap62" dev="devtmpfs" ino=5067262 scontext=system_u:system_r:svirt_t:s0:c865,c1015 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343935727.050:1186): avc:  denied  { read write } for  pid=9057 comm="qemu-kvm" path="/dev/tap63" dev="devtmpfs" ino=5066317 scontext=system_u:system_r:svirt_t:s0:c865,c1015 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1344541971.495:251): avc:  denied  { read write } for  pid=14461 comm="qemu-kvm" path="/dev/tap17" dev="devtmpfs" ino=1094329 scontext=system_u:system_r:svirt_t:s0:c427,c445 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1344541971.495:251): avc:  denied  { read write } for  pid=14461 comm="qemu-kvm" path="/dev/tap18" dev="devtmpfs" ino=1094330 scontext=system_u:system_r:svirt_t:s0:c427,c445 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1346802992.731:552): avc:  denied  { read write } for  pid=9550 comm="qemu-kvm" path="/dev/tap19" dev="devtmpfs" ino=2511452 scontext=system_u:system_r:svirt_t:s0:c54,c256 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1346802992.731:552): avc:  denied  { read write } for  pid=9550 comm="qemu-kvm" path="/dev/tap20" dev="devtmpfs" ino=2511457 scontext=system_u:system_r:svirt_t:s0:c54,c256 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349465040.649:100): avc:  denied  { read write } for  pid=14187 comm="qemu-kvm" path="/dev/tap11" dev="devtmpfs" ino=133748 scontext=system_u:system_r:svirt_t:s0:c732,c858 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349465040.649:100): avc:  denied  { read write } for  pid=14187 comm="qemu-kvm" path="/dev/tap12" dev="devtmpfs" ino=133753 scontext=system_u:system_r:svirt_t:s0:c732,c858 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349472363.304:206): avc:  denied  { read write } for  pid=10776 comm="qemu-kvm" path="/dev/tap30" dev="devtmpfs" ino=81775 scontext=system_u:system_r:svirt_t:s0:c486,c803 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349472363.304:206): avc:  denied  { read write } for  pid=10776 comm="qemu-kvm" path="/dev/tap31" dev="devtmpfs" ino=82634 scontext=system_u:system_r:svirt_t:s0:c486,c803 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349900959.358:606): avc:  denied  { read write } for  pid=17027 comm="qemu-kvm" path="/dev/tap70" dev="devtmpfs" ino=1055751 scontext=system_u:system_r:svirt_t:s0:c283,c666 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1350318701.889:860): avc:  denied  { read write } for  pid=26086 comm="qemu-kvm" path="/dev/tap80" dev="devtmpfs" ino=2556376 scontext=system_u:system_r:svirt_t:s0:c630,c914 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1350318701.889:860): avc:  denied  { read write } for  pid=26086 comm="qemu-kvm" path="/dev/tap81" dev="devtmpfs" ino=2556379 scontext=system_u:system_r:svirt_t:s0:c630,c914 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353419537.979:313): avc:  denied  { read write } for  pid=16544 comm="qemu-kvm" path="/dev/tap17" dev="devtmpfs" ino=1524537 scontext=system_u:system_r:svirt_t:s0:c37,c79 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353419537.979:313): avc:  denied  { read write } for  pid=16544 comm="qemu-kvm" path="/dev/tap18" dev="devtmpfs" ino=1524542 scontext=system_u:system_r:svirt_t:s0:c37,c79 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353953398.805:580): avc:  denied  { read write } for  pid=29789 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=4081266 scontext=system_u:system_r:svirt_t:s0:c417,c516 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353953398.805:580): avc:  denied  { read write } for  pid=29789 comm="qemu-kvm" path="/dev/tap24" dev="devtmpfs" ino=4081272 scontext=system_u:system_r:svirt_t:s0:c417,c516 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353963619.373:605): avc:  denied  { read write } for  pid=13178 comm="qemu-kvm" path="/dev/tap26" dev="devtmpfs" ino=4217592 scontext=system_u:system_r:svirt_t:s0:c534,c834 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353963619.373:605): avc:  denied  { read write } for  pid=13178 comm="qemu-kvm" path="/dev/tap27" dev="devtmpfs" ino=4218135 scontext=system_u:system_r:svirt_t:s0:c534,c834 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1354048200.289:668): avc:  denied  { read write } for  pid=25407 comm="qemu-kvm" path="/dev/tap32" dev="devtmpfs" ino=4638050 scontext=system_u:system_r:svirt_t:s0:c478,c800 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1354048200.289:668): avc:  denied  { read write } for  pid=25407 comm="qemu-kvm" path="/dev/tap33" dev="devtmpfs" ino=4638059 scontext=system_u:system_r:svirt_t:s0:c478,c800 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158439.867:536): avc:  denied  { read write } for  pid=18735 comm="qemu-kvm" path="/dev/tap22" dev="devtmpfs" ino=4309335 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158439.867:536): avc:  denied  { read write } for  pid=18735 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=4309339 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[charlieb@localhost ppp-2.4.5]$
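
The audit records above carry the whole diagnosis: the source type is svirt_t, the target class is chr_file, and the target type is device_t rather than the tun_tap_device_t that `ls --lcontext` shows once the race has settled. The Python script below is an added example, not code from the bug report, from libvirt or from selinux-policy. It parses AVC records in this format, separates denials on a /dev/tapN that still carries the generic device_t label from other denials, and reproduces the allow rule audit2allow would derive, so the breadth of that rule (every device_t chr_file, not only tap devices) is visible. The expected label tun_tap_device_t is taken from the `ls --lcontext` output in the comment above; the sample records are copied from the audit.log excerpt except for one constructed control record, marked as such in the code.

```python
"""Triage SELinux AVC denials for mislabeled tap devices.

Added example, not code from the bug report, libvirt or selinux-policy.
Assumptions: audit.log lines in the format shown in the bug, and
tun_tap_device_t as the expected label of /dev/tapN (taken from the
`ls --lcontext` output in the same comment).
"""
import re
from collections import defaultdict

# Three records copied from the bug's audit.log excerpt, plus one CONSTRUCTED
# control record (/dev/tap99, already labeled tun_tap_device_t, denied ioctl)
# so the mislabel filter has something to leave alone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1342541462.734:338): avc:  denied  { read write } for  pid=12949 comm="qemu-kvm" path="/dev/tap15" dev="devtmpfs" ino=1092203 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342541462.734:338): avc:  denied  { read write } for  pid=12949 comm="qemu-kvm" path="/dev/tap16" dev="devtmpfs" ino=1092207 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158439.867:536): avc:  denied  { read write } for  pid=18735 comm="qemu-kvm" path="/dev/tap22" dev="devtmpfs" ino=4309335 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158440.000:537): avc:  denied  { ioctl } for  pid=18735 comm="qemu-kvm" path="/dev/tap99" dev="devtmpfs" ino=4309999 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: path="(?P<path>[^"]+)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

TAP_PATH = re.compile(r"^/dev/tap\d+$")
EXPECTED_TAP_TYPE = "tun_tap_device_t"   # from `ls --lcontext /dev/tap*` in the bug
GENERIC_DEV_TYPE = "device_t"            # default label of a /dev node nobody relabeled


def selinux_type(context):
    """Third field of user:role:type[:range] is the type, e.g. svirt_t."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Turn audit.log AVC lines into dicts; non-AVC lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = frozenset(rec["perms"].split())
        rec["stype"] = selinux_type(rec["scontext"])
        rec["ttype"] = selinux_type(rec["tcontext"])
        records.append(rec)
    return records


def mislabeled_tap_denials(records):
    """Denials on a /dev/tapN whose label is not tun_tap_device_t.

    This is the labeling-race signature from the bug: the node still carries
    the generic device_t label when qemu-kvm opens it, so a later restorecon
    finds nothing to fix (comment 7), and an allow rule would only paper over
    the race by widening what svirt_t may touch.
    """
    return [r for r in records
            if r["tclass"] == "chr_file"
            and r.get("path") and TAP_PATH.match(r["path"])
            and r["ttype"] != EXPECTED_TAP_TYPE]


def audit2allow_rules(records):
    """Aggregate denials into allow rules the way audit2allow does.

    Keyed by (source type, target type, class); permissions are unioned.
    For the bug's records this yields the rule from comment 3, and the
    target type shows why it is broad: device_t covers every chr_file that
    carries the generic /dev label, not only the tap devices.
    """
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())


def triage(log_text):
    """Classify tap denials as a labeling problem or a genuine policy gap."""
    records = parse_avc(log_text)
    bad = mislabeled_tap_denials(records)
    bad_ids = {id(r) for r in bad}
    return {
        "total": len(records),
        "mislabeled_paths": sorted(r["path"] for r in bad),
        "generic_label_only": all(r["ttype"] == GENERIC_DEV_TYPE for r in bad),
        "policy_gap_rules": audit2allow_rules(
            r for r in records if id(r) not in bad_ids),
        "rules_audit2allow_would_emit": audit2allow_rules(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open("/var/log/audit/audit.log").read())`. The useful split is between `mislabeled_paths` (nodes that were opened while still labeled device_t, a labeling or ordering problem) and `policy_gap_rules` (denials on a correctly labeled target, which are the only ones an allow rule should ever be written for).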

Comment 8 Charlie Brady 2012-12-10 17:22:36 UTC
There's a note here saying this has been diagnosed and fixed for F18 - there's a race condition, and the fix is non-trivial to backport:

https://bugzilla.redhat.com/show_bug.cgi?id=798605#c10

Comment 9 Charlie Brady 2012-12-10 20:26:56 UTC
FWIW, RHEL6.3's libvirt-0.9.10-21.el6_3.4.src.rpm compiles on F15, and installs OK, and thus far is working OK. F18's libvirt-0.10.2.2-1.fc18.src.rpm also builds OK. I haven't installed it.

Comment 10 Miroslav Grepl 2013-07-07 07:18:29 UTC
*** Bug 882258 has been marked as a duplicate of this bug. ***