Description of problem: Tried to create new virtual machine using virsh and start it. SELinux is preventing /usr/bin/qemu-system-x86_64 from 'open' accesses on the file /tmp/libguestfsf7G3Hr/overlay1. ***** Plugin catchall (100. confidence) suggests ************************** # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c442,c886 Target Context unconfined_u:object_r:user_tmp_t:s0 Target Objects /tmp/libguestfsf7G3Hr/overlay1 [ file ] Source qemu-system-x86 Source Path /usr/bin/qemu-system-x86_64 Port <Unknown> Host (removed) Source RPM Packages qemu-system-x86-2.1.1-1.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-82.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.16.1-301.mst.fc21.x86_64 #1 SMP Tue Aug 26 02:24:06 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-09-22 13:47:13 EEST Last Seen 2014-09-22 13:47:13 EEST Local ID 5d57d7db-d50c-4eeb-a670-64625d3bc530 Raw Audit Messages type=AVC msg=audit(1411382833.239:775): avc: denied { open } for pid=21602 comm="qemu-system-x86" path="/tmp/libguestfsf7G3Hr/overlay1" dev="tmpfs" ino=215844 scontext=system_u:system_r:svirt_t:s0:c442,c886 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1411382833.239:775): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2ede02d8d0 a1=80002 a2=0 a3=30 items=0 ppid=1 pid=21602 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c442,c886 key=(null) Hash: qemu-system-x86,svirt_t,user_tmp_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-82.fc21.noarch Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.1-301.mst.fc21.x86_64 type: libreport
I believe this is a livirt issue. This content should have been relabeled?
Rich this is coming from libguestfs, known issue?
It's not a known issue. It is a libvirt labelling issue, I *think*. I don't really understand what the description means. 'virsh' cannot create new virtual machines ... I don't understand where libguestfs gets involved. What command(s) did you type which caused this error? What is the complete output of the following: libguestfs-test-tool
I'm running sudo qemu-img create -f qcow2 -b /home/virt/images/Fedora-Cloud-Base-20140915-21_Alpha.x86_64.qcow2 /home/virt/images/dc-f21.ipacloud.test.qcow2 16G sudo virt-install --name dc-f21.ipacloud.test --ram 1536 --hvm --check-cpu --accelerate --vcpus 2 --connect=qemu:///system --noautoconsole --rng /dev/random --disk path=/home/virt/images/dc-f21.ipacloud.test.qcow2,size=16,bus=virtio --disk path=/home/virt/images/dc-f21.ipacloud.test-cidata.iso,device=cdrom --network network=default,mac=54:52:00:61:2a:a5 --import --force and then virsh --connect qemu:///system start dc-f21.ipacloud.test Log for libguestfs-test-tool is being attached.
Created attachment 940831 [details] libguestfs-test-tool log Output of libguestfs-test-tool is attached
(In reply to Alexander Bokovoy from comment #5) > Created attachment 940831 [details] > libguestfs-test-tool log > > Output of libguestfs-test-tool is attached This is all fine - no errors. I still don't see where the path /tmp/libguestfsXXXXXX/overlay1 can come from. That *is* a path that is used by libguestfs for temporary files. Do you by any chance have virt-manager running at the same time? That would run libguestfs against the new guest, roughly synchronous with the guest being created, so that's a possible explanation. If it turns out to be virt-manager, then there may be sufficient information in ~/.cache/virt-manager/virt-manager.log and it would be useful to attach this file.
Yes, I do run virt-manager at the same time. I don't see anything suspicious in the log, just messages around the time I tear apart the machine before re-creating it. Sorry for localized messages, I run in a locale different from en_US. "Домен не найден: нет домена с UUID" means "domain not found: no domain with UUID". [Ср, 24 сен 2014 19:00:53 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-edkau9fv9wdi8yx4 removed [Ср, 24 сен 2014 19:01:53 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-5gr1xdokvml18zkl status=Работает added [Ср, 24 сен 2014 19:01:56 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «b9206910-6bfc-428f-87f8-ed0a235cb8b3» (guestfs-5gr1xdokvml18zkl) Domain might have disappeared, triggering connection tick [Ср, 24 сен 2014 19:01:56 virt-manager 12330] ERROR (connection:1278) Tick for <vmmDomain object at 0x7f81149547d0 (virtManager+domain+vmmDomain at 0x2a9e800)> failed Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/connection.py", line 1276, in _tick obj.tick(*args) File "/usr/share/virt-manager/virtManager/domain.py", line 1894, in tick info = self._backend.info() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1166, in info if ret is None: raise libvirtError ('virDomainGetInfo() failed', dom=self) libvirtError: Домен не найден: нет домена с UUID «b9206910-6bfc-428f-87f8-ed0a235cb8b3» (guestfs-5gr1xdokvml18zkl) [Ср, 24 сен 2014 19:01:56 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-5gr1xdokvml18zkl removed [Ср, 24 сен 2014 19:02:56 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-10opq2syxb9es2d0 status=Работает added [Ср, 24 сен 2014 19:02:59 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «ef074f8a-4ac2-4db8-9f68-d8b4aa058a5e» (guestfs-10opq2syxb9es2d0) Domain might have disappeared, triggering connection tick [Ср, 24 сен 2014 19:02:59 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-10opq2syxb9es2d0 removed [Ср, 24 сен 2014 19:03:59 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-0jwh88ymefr3nk0a status=Работает added [Ср, 24 сен 2014 19:04:02 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «36570b96-b318-484e-a63c-71401579af24» (guestfs-0jwh88ymefr3nk0a) Domain might have disappeared, triggering connection tick [Ср, 24 сен 2014 19:04:02 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-0jwh88ymefr3nk0a removed [Ср, 24 сен 2014 19:05:02 virt-manager 12330] DEBUG (connection:1198) domain=guestfs-20aslsfjs3kpbk0o status=Работает added [Ср, 24 сен 2014 19:05:06 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «9b5790be-c20e-4656-b9c8-da6862164a47» (guestfs-20aslsfjs3kpbk0o) Domain might have disappeared, triggering connection tick [Ср, 24 сен 2014 19:05:06 virt-manager 12330] DEBUG (connection:1193) domain=guestfs-20aslsfjs3kpbk0o removed [Ср, 24 сен 2014 19:06:04 virt-manager 12330] DEBUG (domain:1692) domain=dc-f21.ipacloud.test status changed to 5=Выключена [Ср, 24 сен 2014 19:06:11 virt-manager 12330] DEBUG (domain:1699) Error setting domain status: Домен не найден: нет домена с UUID «8f7ff507-0f91-4f7a-ba16-749a3acc2c82» (dc-f21.ipacloud.test) Domain might have disappeared, triggering connection tick [Ср, 24 сен 2014 19:06:11 virt-manager 12330] DEBUG (connection:1193) domain=dc-f21.ipacloud.test removed
The following bug is similar-ish. It may not be the same thing: https://bugzilla.redhat.com/show_bug.cgi?id=1146477#c10
*** Bug 1221907 has been marked as a duplicate of this bug. ***
Description of problem: Started a qemu instance via virt-manager in usermode (gruft on #qemu also reported it starting it by hand on rawhide/fc23) Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch Additional info: reporter: libreport-2.5.1 hashmarkername: setroubleshoot kernel: 4.0.3-300.fc22.x86_64 type: libreport
(Mine was I think an unrelated selinux issue with lttng) that got automerged to this.
For reference David's report is bug 1221945
Tried to reproduce this issue, with python-libguestfs and virt-manager running, then kicking off a virt-install similar to reported in comment #4, but I couldn't reproduce. This is with F22 packages though. Alexander, are you still seeing this issue?
I don't see the any AVC related to virt-manager/libguestfs anymore on Fedora 21.
Thanks, closing then. If anyone can still reproduce, please file a new bug report
Description of problem: Start a VM with windows in gnome-boxes. Version-Release number of selected component: selinux-policy-3.13.1-126.fc22.noarch Additional info: reporter: libreport-2.5.1 hashmarkername: setroubleshoot kernel: 4.0.4-300.fc22.x86_64 type: libreport