Description of problem: SELinux is preventing /usr/bin/qemu-system-x86_64 from using the execstack access on a process. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow virt to use execmem Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean. You can read 'None' man page for more details. Do setsebool -P virt_use_execmem 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that qemu-system-x86_64 should be allowed execstack access on processes labeled svirt_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c289,c704 Target Context system_u:system_r:svirt_t:s0:c289,c704 Target Objects Unknown [ process ] Source qemu-system-x86 Source Path /usr/bin/qemu-system-x86_64 Port <Unknown> Host x230t.local Source RPM Packages qemu-system-x86-2.1.0-0.1.rc0.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-63.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name x230t.local Platform Linux x230t.local 3.16.0-0.rc4.git1.1.fc21.x86_64 #1 SMP Tue Jul 8 14:03:50 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-07-12 13:37:18 IST Last Seen 2014-07-12 13:37:18 IST Local ID 8e9fb700-700b-40c3-9ca3-224898fa1a90 Raw Audit Messages type=AVC msg=audit(1405152438.578:690): avc: denied { execstack } for pid=23236 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c289,c704 tcontext=system_u:system_r:svirt_t:s0:c289,c704 tclass=process permissive=1 type=AVC msg=audit(1405152438.578:690): avc: denied { execmem } for pid=23236 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c289,c704 tcontext=system_u:system_r:svirt_t:s0:c289,c704 tclass=process permissive=1 type=SYSCALL msg=audit(1405152438.578:690): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7fffe454d000 a1=1000 a2=1000007 a3=7ff7ef6cea60 items=0 ppid=1 pid=23236 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c289,c704 key=(null) Hash: qemu-system-x86,svirt_t,svirt_t,process,execstack
*** Bug 1123326 has been marked as a duplicate of this bug. ***
***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow virt to use execmem Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean. You can read 'None' man page for more details. Do setsebool -P virt_use_execmem 1
(In reply to Miroslav Grepl from comment #2) > If you want to allow virt to use execmem > Then you must tell SELinux about this by enabling the 'virt_use_execmem' > boolean. It's good there's already a boolean for this, but shouldn't it be turned on by default? I'm not running rawhide, but I do have the libvirt from rawhide on Fedora 20 and I can't start any virtual machines with the default policy. I'm all for secure defaults, but I don't think that a non-working policy is good.
Most peopel who run virt do not need this. Most people use qemu-kvm. But I agree that libvirt should choose a different type for qemu-system-x86 then this, which could also solve the problem.
I was using libvirt-daemon-kvm-1.2.6-2.fc20.x86_64 with qemu-system-x86-2.1.0-0.5.rc3.fc20.x86_64 and it worked only after turning on virt_use_execmem.