Description of problem:
SELinux is preventing qemu-system-x86 from using the execstack access on a process.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-72.fc21.noarch
gnome-boxes-3.13.4-1.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. open gnome-boxes
2. create any vm from image

Actual results:
selinux blocks it

Expected results:
should work

Additional info:
setenforce=0 helps here :-)
Did you try the suggested fix?

***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

The problem is libvirt is not using libvirt-kvm for creating the VM and other tooling requires execmem. libvirt should choose a different label for launching a virtual machine that is not using -kvm. svirt_tgt_t for example, which is allowed execmem and execstack out of the box.

Currently we ship virtual_domain_context file which includes two types.

cat /etc/selinux/targeted/contexts/virtual_domain_context
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0

libvirt is choosing the svirt_t (first type) which does not allow the execmem execstack. If it chose the second for this type of VM the problem would go away.
Vladimir, could you include the AVC information, so that we could verify that the qemu process that libvirt is launching.
As Dan wrote above ... we created svirt_tcg_t for this purpose and we have

allow svirt_tcg_t self:process { execmem execstack };

in the policy by default.
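A triage helper for the check discussed in the comments above, added here as an example and not taken from the bug report or from libvirt or selinux-policy: it reads AVC records and reports whether an execmem/execstack denial came from a guest labelled with the first or the second type in virtual_domain_context. The audit records and the names `classify_denials` and `domain_types` are constructed for illustration; the context file contents are the ones quoted in the thread.

```python
import re

# Contents of /etc/selinux/targeted/contexts/virtual_domain_context as quoted in the thread.
VIRTUAL_DOMAIN_CONTEXT = """\
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0
"""

# Constructed sample audit records (not from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1400000000.101:501): avc:  denied  { execstack } for  pid=4242 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:system_r:svirt_t:s0:c12,c34 tclass=process permissive=0
type=AVC msg=audit(1400000000.202:502): avc:  denied  { read } for  pid=777 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1400000000.303:503): avc:  denied  { execmem } for  pid=4300 comm="qemu-system-x86" scontext=system_u:system_r:svirt_tcg_t:s0:c5,c6 tcontext=system_u:system_r:svirt_tcg_t:s0:c5,c6 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')

def domain_types(context_file_text):
    """Return (first_type, tcg_type): the first and second type listed in the file."""
    types = [line.split(":")[2] for line in context_file_text.splitlines() if line.strip()]
    return types[0], types[1]

def classify_denials(audit_text, context_file_text=VIRTUAL_DOMAIN_CONTEXT):
    """List execmem/execstack process denials with the guest label that triggered them."""
    first_type, tcg_type = domain_types(context_file_text)
    findings = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "process":
            continue  # not an AVC denial on the process class
        perms = set(m["perms"].split()) & {"execmem", "execstack"}
        if not perms:
            continue
        source_type = m["scontext"].split(":")[2]  # user:role:TYPE:level
        if source_type == first_type:
            verdict = "guest labelled with first (non-TCG) type"
        elif source_type == tcg_type:
            verdict = "denied despite TCG label; check loaded policy"
        else:
            verdict = "not an sVirt guest domain"
        findings.append((int(m["pid"]), m["comm"], source_type, sorted(perms), verdict))
    return findings

if __name__ == "__main__":
    for finding in classify_denials(SAMPLE_AUDIT_LOG):
        print(finding)
```

On a real host the input would be the AVC records from the audit log rather than the constructed sample.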
Pretty sure it's the librados issue

*** This bug has been marked as a duplicate of bug 1118504 ***