Bug 825942
Field | Value
---|---
Summary | SELinux is preventing /usr/bin/qemu-kvm from read, write access on the chr_file /dev/tap10.
Product | Fedora
Component | selinux-policy
Version | 16
Hardware | x86_64
OS | Unspecified
Status | CLOSED NOTABUG
Severity | unspecified
Priority | unspecified
Reporter | Flos Lonicerae <lonicerae>
Assignee | Miroslav Grepl <mgrepl>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | charlieb-fedora-bugzilla, dominick.grift, dwalsh, mgrepl, vg.aetera
Target Milestone | ---
Target Release | ---
Whiteboard | abrt_hash:2d845d29f289446a8eefa41c555d72053c66b19ce4b5fa6d9a598143d9a5754c
Doc Type | Bug Fix
Story Points | ---
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Last Closed | 2012-10-11 12:10:35 UTC
Description
Flos Lonicerae
2012-05-29 07:18:06 UTC
Created attachment 587322 [details]
File: description
I am sporadically seeing this issue with F15.

```
[charlieb@localhost isos]$ rpm -qf /etc/fedora-release
fedora-release-15-3.noarch
[charlieb@localhost isos]$ rpm -q libvirt
libvirt-0.8.8-7.fc15.x86_64
[charlieb@localhost isos]$
```

There seems to be a solution posted here:
https://lists.fedoraproject.org/pipermail/virt-maint/2012-June/004067.html

--- Comment #5 from Edward Rudd <urkle at outoforder.cc> ---

I'm receiving this error on RHEL 6 as well.. The key is the SELinux deny log entry. Creating a new semodule with the following resolves the issue (run audit2allow -M libvirt-tap on the log in the OP):

```
module libvirt-tap 1.0;

require {
	type device_t;
	type svirt_t;
	class chr_file { read write };
}

#============= svirt_t ==============
allow svirt_t device_t:chr_file { read write };
```

Please execute

```
# restorecon -R -v /dev/tap*
```

If you get this again, please reopen bug. Thank you.

(In reply to comment #4)
> Please execute
>
> # restorecon -R -v /dev/tap*
>
> If you get this again, please reopen bug. Thank you.

I can't see how to do that in bugzilla at the moment. Status appears to be read-only.

Please see bug 882258 in Fedora 17 - looks the same problem to me. So we have F15, RHEL6 and F17. Seems to be an ongoing problem.

In my case, I don't think this is just an SE alert. I see qemu-kvm go 100% CPU, and I'm unable to shut down/restart the VM. My VM log under /var/log/libvirt/qemu shows:

```
qemu-kvm: -netdev tap,fd=24,id=hostnet1: TUNGETIFF ioctl() failed: Bad file descriptor
TUNSETOFFLOAD ioctl() failed: Bad file descriptor
qemu-kvm: -netdev tap,fd=25,id=hostnet2: TUNGETIFF ioctl() failed: Bad file descriptor
TUNSETOFFLOAD ioctl() failed: Bad file descriptor
```

I don't see any difference with restorecon:

```
[charlieb@localhost ppp-2.4.5]$ sudo ls --lcontext /dev/tap*
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 1 Dec 10 11:54 /dev/tap22
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 2 Dec 10 11:54 /dev/tap23
[charlieb@localhost ppp-2.4.5]$ sudo /sbin/restorecon -R -v /dev/tap*
[charlieb@localhost ppp-2.4.5]$ sudo ls --lcontext /dev/tap*
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 1 Dec 10 11:54 /dev/tap22
crw-------. 1 system_u:object_r:tun_tap_device_t:s0 root root 249, 2 Dec 10 11:54 /dev/tap23
[charlieb@localhost ppp-2.4.5]$
[charlieb@localhost ppp-2.4.5]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.9.16-52.fc15.noarch
selinux-policy-targeted-3.9.16-52.fc15.noarch
[charlieb@localhost ppp-2.4.5]$
```

Notice also that /dev/tap* will only apply to the tap devices which are currently extant, but the device names are regularly changing:

```
[charlieb@localhost ppp-2.4.5]$ sudo grep qemu-kvm /var/log/audit/audit.log | grep dev.tap
type=AVC msg=audit(1342541462.734:338): avc: denied { read write } for pid=12949 comm="qemu-kvm" path="/dev/tap15" dev="devtmpfs" ino=1092203 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342541462.734:338): avc: denied { read write } for pid=12949 comm="qemu-kvm" path="/dev/tap16" dev="devtmpfs" ino=1092207 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342741836.615:487): avc: denied { read write } for pid=24857 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=2030322 scontext=system_u:system_r:svirt_t:s0:c256,c958 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342741836.615:487): avc: denied { read write } for pid=24857 comm="qemu-kvm" path="/dev/tap24" dev="devtmpfs" ino=2028969 scontext=system_u:system_r:svirt_t:s0:c256,c958 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342792040.696:555): avc: denied { read write } for pid=13145 comm="qemu-kvm" path="/dev/tap29" dev="devtmpfs" ino=2189510 scontext=system_u:system_r:svirt_t:s0:c164,c771 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342792040.696:555): avc: denied { read write } for pid=13145 comm="qemu-kvm" path="/dev/tap30" dev="devtmpfs" ino=2189521 scontext=system_u:system_r:svirt_t:s0:c164,c771 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342808799.564:615): avc: denied { read write } for pid=450 comm="qemu-kvm" path="/dev/tap39" dev="devtmpfs" ino=2332781 scontext=system_u:system_r:svirt_t:s0:c18,c355 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342808799.564:615): avc: denied { read write } for pid=450 comm="qemu-kvm" path="/dev/tap40" dev="devtmpfs" ino=2332786 scontext=system_u:system_r:svirt_t:s0:c18,c355 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343314835.251:791): avc: denied { read write } for pid=15328 comm="qemu-kvm" path="/dev/tap46" dev="devtmpfs" ino=3123282 scontext=system_u:system_r:svirt_t:s0:c198,c954 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343314835.251:791): avc: denied { read write } for pid=15328 comm="qemu-kvm" path="/dev/tap47" dev="devtmpfs" ino=3123289 scontext=system_u:system_r:svirt_t:s0:c198,c954 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343935727.050:1186): avc: denied { read write } for pid=9057 comm="qemu-kvm" path="/dev/tap62" dev="devtmpfs" ino=5067262 scontext=system_u:system_r:svirt_t:s0:c865,c1015 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1343935727.050:1186): avc: denied { read write } for pid=9057 comm="qemu-kvm" path="/dev/tap63" dev="devtmpfs" ino=5066317 scontext=system_u:system_r:svirt_t:s0:c865,c1015 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1344541971.495:251): avc: denied { read write } for pid=14461 comm="qemu-kvm" path="/dev/tap17" dev="devtmpfs" ino=1094329 scontext=system_u:system_r:svirt_t:s0:c427,c445 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1344541971.495:251): avc: denied { read write } for pid=14461 comm="qemu-kvm" path="/dev/tap18" dev="devtmpfs" ino=1094330 scontext=system_u:system_r:svirt_t:s0:c427,c445 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1346802992.731:552): avc: denied { read write } for pid=9550 comm="qemu-kvm" path="/dev/tap19" dev="devtmpfs" ino=2511452 scontext=system_u:system_r:svirt_t:s0:c54,c256 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1346802992.731:552): avc: denied { read write } for pid=9550 comm="qemu-kvm" path="/dev/tap20" dev="devtmpfs" ino=2511457 scontext=system_u:system_r:svirt_t:s0:c54,c256 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349465040.649:100): avc: denied { read write } for pid=14187 comm="qemu-kvm" path="/dev/tap11" dev="devtmpfs" ino=133748 scontext=system_u:system_r:svirt_t:s0:c732,c858 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349465040.649:100): avc: denied { read write } for pid=14187 comm="qemu-kvm" path="/dev/tap12" dev="devtmpfs" ino=133753 scontext=system_u:system_r:svirt_t:s0:c732,c858 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349472363.304:206): avc: denied { read write } for pid=10776 comm="qemu-kvm" path="/dev/tap30" dev="devtmpfs" ino=81775 scontext=system_u:system_r:svirt_t:s0:c486,c803 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349472363.304:206): avc: denied { read write } for pid=10776 comm="qemu-kvm" path="/dev/tap31" dev="devtmpfs" ino=82634 scontext=system_u:system_r:svirt_t:s0:c486,c803 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1349900959.358:606): avc: denied { read write } for pid=17027 comm="qemu-kvm" path="/dev/tap70" dev="devtmpfs" ino=1055751 scontext=system_u:system_r:svirt_t:s0:c283,c666 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1350318701.889:860): avc: denied { read write } for pid=26086 comm="qemu-kvm" path="/dev/tap80" dev="devtmpfs" ino=2556376 scontext=system_u:system_r:svirt_t:s0:c630,c914 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1350318701.889:860): avc: denied { read write } for pid=26086 comm="qemu-kvm" path="/dev/tap81" dev="devtmpfs" ino=2556379 scontext=system_u:system_r:svirt_t:s0:c630,c914 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353419537.979:313): avc: denied { read write } for pid=16544 comm="qemu-kvm" path="/dev/tap17" dev="devtmpfs" ino=1524537 scontext=system_u:system_r:svirt_t:s0:c37,c79 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353419537.979:313): avc: denied { read write } for pid=16544 comm="qemu-kvm" path="/dev/tap18" dev="devtmpfs" ino=1524542 scontext=system_u:system_r:svirt_t:s0:c37,c79 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353953398.805:580): avc: denied { read write } for pid=29789 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=4081266 scontext=system_u:system_r:svirt_t:s0:c417,c516 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353953398.805:580): avc: denied { read write } for pid=29789 comm="qemu-kvm" path="/dev/tap24" dev="devtmpfs" ino=4081272 scontext=system_u:system_r:svirt_t:s0:c417,c516 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353963619.373:605): avc: denied { read write } for pid=13178 comm="qemu-kvm" path="/dev/tap26" dev="devtmpfs" ino=4217592 scontext=system_u:system_r:svirt_t:s0:c534,c834 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1353963619.373:605): avc: denied { read write } for pid=13178 comm="qemu-kvm" path="/dev/tap27" dev="devtmpfs" ino=4218135 scontext=system_u:system_r:svirt_t:s0:c534,c834 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1354048200.289:668): avc: denied { read write } for pid=25407 comm="qemu-kvm" path="/dev/tap32" dev="devtmpfs" ino=4638050 scontext=system_u:system_r:svirt_t:s0:c478,c800 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1354048200.289:668): avc: denied { read write } for pid=25407 comm="qemu-kvm" path="/dev/tap33" dev="devtmpfs" ino=4638059 scontext=system_u:system_r:svirt_t:s0:c478,c800 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158439.867:536): avc: denied { read write } for pid=18735 comm="qemu-kvm" path="/dev/tap22" dev="devtmpfs" ino=4309335 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1355158439.867:536): avc: denied { read write } for pid=18735 comm="qemu-kvm" path="/dev/tap23" dev="devtmpfs" ino=4309339 scontext=system_u:system_r:svirt_t:s0:c427,c1003 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[charlieb@localhost ppp-2.4.5]$
```

There's a note here saying this has been diagnosed and fixed for F18 - there's a race condition, and the fix is non-trivial to backport: https://bugzilla.redhat.com/show_bug.cgi?id=798605#c10

FWIW, RHEL6.3's libvirt-0.9.10-21.el6_3.4.src.rpm compiles on F15, and installs OK, and thus far is working OK. F18's libvirt-0.10.2.2-1.fc18.src.rpm also builds OK. I haven't installed it.

*** Bug 882258 has been marked as a duplicate of this bug. ***
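A triage helper, added here as an example and not part of the bug report or of any Fedora tooling: it parses AVC records of the kind pasted above and separates denials where the tap node still carries the generic device_t label (a labelling race, which the audit2allow module quoted earlier would only paper over with a grant covering every device_t character device) from denials where the node already has tun_tap_device_t and a policy rule really is missing. The first two input records are copied from the thread; the third is constructed.

```python
import re

# Three AVC records in the format the kernel writes to /var/log/audit/audit.log.
# The first two are copied from the bug report above; the third is a constructed
# counter-example whose target already carries tun_tap_device_t, so the
# classifier has both situations to tell apart.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1342541462.734:338): avc: denied { read write } for pid=12949 comm="qemu-kvm" path="/dev/tap15" dev="devtmpfs" ino=1092203 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1342541462.734:338): avc: denied { read write } for pid=12949 comm="qemu-kvm" path="/dev/tap16" dev="devtmpfs" ino=1092207 scontext=system_u:system_r:svirt_t:s0:c314,c937 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1400000000.000:1): avc: denied { read write } for pid=4242 comm="qemu-kvm" path="/dev/tap99" dev="devtmpfs" ino=777 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)" '
    r'(?:path="(?P<path>[^"]*)" )?.*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Type a correctly labelled tap node carries (the ls --lcontext output in the
# thread shows it). A denial against plain device_t on /dev/tapN means the node
# was still unlabelled when qemu-kvm opened it, i.e. a labelling problem.
EXPECTED_TAP_TYPE = "tun_tap_device_t"

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify_tap_denials(log_text):
    """Sort svirt_t denials on /dev/tap* into 'mislabeled' (target is device_t:
    fix the labels, do not add an allow rule) and 'policy' (right type, rule missing)."""
    result = {"mislabeled": [], "policy": [], "other": 0}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "chr_file" or rec["stype"] != "svirt_t" \
                or not (rec["path"] or "").startswith("/dev/tap"):
            result["other"] += 1
            continue
        bucket = "policy" if rec["ttype"] == EXPECTED_TAP_TYPE else "mislabeled"
        result[bucket].append((int(rec["pid"]), rec["path"], rec["ttype"]))
    return result
```

Feed it the output of `grep qemu-kvm /var/log/audit/audit.log` as shown in the thread; a non-empty "mislabeled" bucket points at restorecon or the libvirt labelling race rather than at selinux-policy.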