Description of problem:
I cannot install F21 Live in an F21 host with gnome-boxes.

Version-Release number of selected component (if applicable):
gnome-boxes-3.13.92-1.fc21
gnome-boxes-3.14.0-2.fc21
libvirt-1.2.8-4.fc21

How reproducible:
100%

Steps to Reproduce:
1. Download Fedora (WS) 21 Alpha Live
2. Try to install it in gnome-boxes on f21

Actual results:
(gnome-boxes:5021): Boxes-WARNING **: machine.vala:576: Failed to start Fedora-Live-Workstation-x86_64-21_Alpha-1: Unable to start domain: unable to set security context 'system_u:object_r:tun_tap_device_t:s0:c7,c207' on fd 21: Operation not permitted

UI pops up bubble saying "Failed to start 'Fedora-Live-Workstation-x86_64-21_Alpha-1'"

Expected results:
Install to start normally

Additional info:
The live image boots fine with qemu-kvm and installs fine in virt-manager.
After booting the system with kernel option "enforcing=0" in permissive mode, gnome-boxes starts up as expected. The applicable component is probably rather 'selinux-policy-targeted'.
I am seeing this on Fedora Rawhide when running the new libguestfs which has this change: https://github.com/libguestfs/libguestfs/commit/224de20b9a8d5ea56f6337f19b4ca237bb88eca0
Created attachment 943437: log.txt
Output from libguestfs with verbose logging enabled.
I have:

selinux-policy 3.13.1-84.fc22
libvirt-1.2.9-1.fc22.x86_64
kernel 3.17.0-0.rc6.git2.1.fc22.x86_64

Strangely there is no output from `ausearch -m avc -ts recent'. However there are audit messages in audit.log. I'm not sure if these are errors (or even related):

type=ANOM_PROMISCUOUS msg=audit(1412266570.754:807): dev=tap0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=1
type=SYSCALL msg=audit(1412266570.754:807): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=89a2 a2=7fff005468d0 a3=fffffffffffff998 items=0 ppid=28441 pid=29353 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266570.754:807): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=ANOM_PROMISCUOUS msg=audit(1412266570.759:808): dev=tap0 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=1
type=ANOM_ABEND msg=audit(1412266570.764:809): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 pid=29354 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" sig=11
type=USER_CMD msg=audit(1412266616.011:810): pid=29386 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=pts/0 res=success'
Setting SELinux to Permissive does fix the problem, which indicates that it is an SELinux problem. audit2allow says "Nothing to do". The complete set of audit logs with SELinux set to Permissive is below.

type=SYSCALL msg=audit(1412266685.743:815): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffddfc5fc0 a2=1 a3=0 items=0 ppid=29396 pid=29397 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266685.743:815): proctitle=736574656E666F726365005065726D697373697665
type=USER_END msg=audit(1412266685.744:816): pid=29396 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantor=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=ANOM_PROMISCUOUS msg=audit(1412266693.179:817): dev=tap0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=1
type=SYSCALL msg=audit(1412266693.179:817): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=89a2 a2=7fff098c02c0 a3=fffffffffffff998 items=0 ppid=30408 pid=30450 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266693.179:817): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=ANOM_PROMISCUOUS msg=audit(1412266708.292:818): dev=tap0 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=1
type=USER_CMD msg=audit(1412266716.513:819): pid=30488 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=736574656E666F72636520456E666F7263696E67 terminal=pts/0 res=success'
type=USER_START msg=audit(1412266716.515:820): pid=30488 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantor=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
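Added example (not part of the original comments, and not code from libvirt, libguestfs or the audit project): a Python triage helper that groups audit records like those quoted above by event serial, decodes the hex-encoded `proctitle` and `cmd` fields, and reports whether any SELinux denial record type is present. The sample lines are shortened from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed sample: records shortened from the audit.log excerpts quoted above.
SAMPLE = """\
type=ANOM_PROMISCUOUS msg=audit(1412266570.754:807): dev=tap0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=1
type=SYSCALL msg=audit(1412266570.754:807): arch=c000003e syscall=16 success=yes exit=0 comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper"
type=PROCTITLE msg=audit(1412266570.754:807): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=USER_CMD msg=audit(1412266616.011:810): pid=29386 uid=1000 msg='cwd="/home/rjones/d/libguestfs" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Unquoted all-hex values are the encoded form; plain strings appear in quotes.
HEX_FIELD = re.compile(r"\b(proctitle|cmd)=([0-9A-Fa-f]+)(?=\s|'|$)")
# Record types that carry SELinux denials or policy errors.
DENIAL_TYPES = {"AVC", "USER_AVC", "SELINUX_ERR"}


def decode_hex(value):
    """Decode a hex-encoded audit field; NUL bytes separate argv entries."""
    if len(value) % 2:
        return value  # odd length: not a valid encoding, leave untouched
    raw = bytes.fromhex(value).replace(b"\x00", b" ")
    return raw.decode("utf-8", "replace")


def parse(text):
    """Return {event_serial: [(record_type, {field: decoded_value}), ...]}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, _timestamp, serial, body = m.groups()
        decoded = {k: decode_hex(v) for k, v in HEX_FIELD.findall(body)}
        events.setdefault(int(serial), []).append((rtype, decoded))
    return events


def has_selinux_denial(events):
    """True if any record in the parsed events is a denial record type."""
    return any(rtype in DENIAL_TYPES
               for recs in events.values() for rtype, _ in recs)


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for serial, recs in sorted(parsed.items()):
        print(serial, recs)
    print("SELinux denial records present:", has_selinux_denial(parsed))
```

On the sample, no record is of a denial type.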
*** This bug has been marked as a duplicate of bug 1147057 ***