Description of problem:
SELinux is preventing systemd-logind from 'setattr' accesses on the blk_file sr0.

***** Plugin catchall (100. confidence) suggests **************************

If you think that systemd-logind should be allowed setattr access on the sr0 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing the following commands:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        systemd-logind
Source Path                   systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.6.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.0.7-300.fc22.x86_64 #1 SMP Mon Jun 29 22:15:06 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-07-14 16:38:09 CEST
Last Seen                     2015-07-14 16:38:29 CEST
Local ID                      61790096-5a22-4990-80b8-8d2be7240de3

Raw Audit Messages
type=AVC msg=audit(1436884709.122:1474): avc: denied { setattr } for pid=755 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=12296 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file permissive=1

Hash: systemd-logind,systemd_logind_t,virt_content_t,blk_file,setattr

Version-Release number of selected component:
selinux-policy-3.13.1-128.6.fc22.noarch

Additional info:
reporter:       libreport-2.6.1
hashmarkername: setroubleshoot
kernel:         4.1.2-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 824137
Looks like this is the same issue as bug 824137.
*** Bug 1153406 has been marked as a duplicate of this bug. ***
What's happening here is libvirt is labelling /dev/sr0 as virt_content_t, which conflicts with logind labelling. The proper fix IMO is for libvirt to not change the label for read-only disk images, if it's already labelled in such a way that we can already access it. I previously outlined this on the upstream mailing list: https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html
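As an added illustration of the denial in the report and of the label conflict described in the comment above (this is not code from the bug, libvirt or systemd): a small Python parser for the raw AVC record format shown in the report that flags denials where systemd_logind_t acts on a virt_content_t block device, and renders the rule shape that the catchall plugin's audit2allow step would add. The sample log lines are constructed from this bug's raw audit message plus one unrelated denial.

```python
import re
from dataclasses import dataclass

# Constructed sample: the raw AVC record from this bug, plus an unrelated denial
# that the filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1436884709.122:1474): avc:  denied  { setattr } for  pid=755 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=12296 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1436884800.000:1480): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; quotes stripped below

@dataclass
class AvcDenial:
    perms: frozenset  # e.g. {"setattr"}
    fields: dict      # scontext, tcontext, tclass, comm, name, permissive, ...

    def type_of(self, which):
        """Third field of a context string is the SELinux type (e.g. virt_content_t)."""
        return self.fields[which].split(":")[2]

def parse_avc(line):
    """Return an AvcDenial for an 'avc: denied' record, or None for anything else."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return AvcDenial(frozenset(m.group(1).split()), fields)

def is_libvirt_label_conflict(d):
    """logind acting on a block device that libvirt relabelled to virt_content_t."""
    return (d.type_of("scontext") == "systemd_logind_t"
            and d.type_of("tcontext") == "virt_content_t"
            and d.fields.get("tclass") == "blk_file")

def catchall_rule(d):
    """Rule shape the catchall plugin's audit2allow step would add; note that it
    grants logind these permissions on every virt_content_t block device, not just sr0."""
    return (f"allow {d.type_of('scontext')} {d.type_of('tcontext')}:"
            f"{d.fields['tclass']} {{ {' '.join(sorted(d.perms))} }};")

def find_label_conflicts(log_text):
    """Scan audit.log text and return the denials caused by the label conflict."""
    return [d for d in map(parse_avc, log_text.splitlines())
            if d is not None and is_libvirt_label_conflict(d)]
```

Running `find_label_conflicts(open("/var/log/audit/audit.log").read())` on a host showing this alert isolates the logind/virt_content_t denials from unrelated AVCs before any policy module is considered.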
*** This bug has been marked as a duplicate of bug 755535 ***