Bug 828335

Summary: qemu requires rawip socket access which is blocked by SELinux
Product: [Fedora] Fedora Reporter: Dirk Hohndel <dirk>
Component: qemuAssignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 17CC: amit.shah, berrange, cfergeau, dirk, dwalsh, dwmw2, ehabkost, itamar, knoel, pbonzini, scottt.tw, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-11 11:49:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
VM config file
none
network config file none

Description Dirk Hohndel 2012-06-04 16:06:17 UTC 
Created attachment 589198 [details]
VM config file

Description of problem:

After importing a working VM from a previous installation (opensuse) into Fedora 17, running this VM from virt-manager with an SELinux error. Closer analysis shows that SELinux is rejecting rawip socket access - this happens at least once a second, basically freezing the system and preventing the VM from working 

Version-Release number of selected component (if applicable):

qemu-kvm-1.0-17.fc17.x86_64

How reproducible:

Happens every time I start the vm

Steps to Reproduce:
1. open virt-manager
2. start VM
3. observe errors
  
Actual results:

type=AVC msg=audit(1338425056.093:180): avc:  denied  { create } for  pid=1792 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c828,c902 tcontext=system_u:system_r:svirt_t:s0:c828,c902 tclass=rawip_socket

I get one of these messages about every second in the /var/log/audit/audit.log file

Expected results:

a working VM

Additional info:

here's the command line used (according to the qemu log file)

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /usr/bin/qemu-kvm -S -M pc-0.14 -cpu core2duo,+lahf_lm,+rdtscp,+aes,+popcnt,+x2apic,+sse4.2,+sse4.1,+xtpr,
+cx16,+tm2,+est,+vmx,+ds_cpl,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 1280 -smp 2,sockets=2,cores=1,threads=1 -name ITVM -uuid c6c00f22-3c8b-f2b5-eb96-facd1facaefa -node
fconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/ITVM.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localt
ime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/dev/sda8,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=
drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:e7:2a:94,bus=pci.0,addr=0x3 -chardev pty,id=ch
arserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -vga std -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
Comment 1 Dirk Hohndel 2012-06-04 16:08:12 UTC 
Created attachment 589199 [details]
network config file
Comment 2 Paolo Bonzini 2012-09-11 10:20:32 UTC 
You're actually not using the libvirt network; you're using usermode (slirp) networking.

As a workaround, or perhaps a fix, please switch from usermode to tap networking.  It will also be much faster, and virt-manager will configure everything for you.