Description of problem:

The following command fails with selinux enabled.

virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64

Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1327 audit(1442302235.661:687): proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1300 audit(1442302235.661:687): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7ffdab51b5e0 a2=6e a3=672f62696c2f756d items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc: denied { create } for pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc: denied { add_name } for pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc: denied { write } for pid=8509 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc: denied { create } for pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc: denied { add_name } for pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc: denied { write } for pid=8509 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit: <audit-1327> proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1300> arch=c000003e syscall=59 success=yes exit=0 a0=7f1154003750 a1=7f1154009370 a2=7f1154008a90 a3=8 items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc: denied { append } for pid=8509 comm="qemu-kvm" path="/home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log" dev="dm-4" ino=2884577 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1327 audit(1442302235.595:686): proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1300 audit(1442302235.595:686): arch=c000003e syscall=59 success=yes exit=0 a0=7f1154003750 a1=7f1154009370 a2=7f1154008a90 a3=8 items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.595:686): avc: denied { append } for pid=8509 comm="qemu-kvm" path="/home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log" dev="dm-4" ino=2884577 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit_printk_skb: 3 callbacks suppressed
Sep 15 09:30:35 falcon.thewalter.lan libvirtd[8345]: Domain id=3 name='guestfs-mb6geamv9vxkua8x' uuid=01f80b77-e417-4798-9f78-07967dbb0ee2 is tainted: host-cpu
Sep 15 09:30:35 falcon.thewalter.lan libvirtd[8345]: Domain id=3 name='guestfs-mb6geamv9vxkua8x' uuid=01f80b77-e417-4798-9f78-07967dbb0ee2 is tainted: custom-argv

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-128.8.fc22.noarch
libguestfs-tools-c-1.30.0-1.fc22.x86_64

How reproducible:

Every time

Steps to Reproduce:

Don't run this as root:

1. cd ~
2. virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64

Actual results:

$ virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64
[ 1,1] Downloading: http://libguestfs.org/download/builder/fedora-22.xz
[ 1,6] Planning how to build this image
[ 1,6] Uncompressing
[ 6,3] Resizing (using virt-resize) to expand the disk to 8,0G
virt-resize: error: libguestfs error: could not create appliance through libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: internal error: process exited while connecting to monitor: [code=1 domain=10]

If reporting bugs, run virt-resize with debugging enabled and include the complete output:

  virt-resize -v -x [...]

Expected results:

No failure.

Additional info:

The goggles, they do nothing: No output from the following commands:

$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log
$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/log/
$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/
$ sudo restorecon -R -v /home/stef/.cache/libvirt/
$ sudo restorecon -R -v /home/stef/.cache/
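
A triage helper for audit records like the ones in the report above, as an added example that is not part of the bug report or of any libguestfs, libvirt or SELinux tool. It merges the repeated `kernel: audit:` and `audit[pid]:` copies of each AVC denial, reports (without claiming a cause) whether source and target levels match and whether the record carried permissive=1, and decodes the hex proctitle; the function names and the shortened sample lines are assumptions made for the example.

```python
import re

# Constructed sample in the report's journal format (shortened stand-in values).
CTX = ('scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 '
       'tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945')
WHO = 'for pid=8509 comm="qemu-system-x86"'
SAMPLE = [
    f'host kernel: audit: type=1400 audit(1.0:687): avc: denied {{ create }} {WHO} name="g.monitor" {CTX} tclass=sock_file permissive=1',
    f'host audit[8509]: <audit-1400> avc: denied {{ create }} {WHO} name="g.monitor" {CTX} tclass=sock_file permissive=1',
    f'host audit[8509]: <audit-1400> avc: denied {{ add_name }} {WHO} name="g.monitor" {CTX} tclass=dir permissive=1',
    f'host audit[8509]: <audit-1400> avc: denied {{ write }} {WHO} name="lib" {CTX} tclass=dir permissive=1',
    'host audit: <audit-1327> proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D65',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROCTITLE_RE = re.compile(r'proctitle=((?:[0-9A-Fa-f]{2})+)(?:\s|$)')

def type_and_level(context):
    """Split user:role:type[:level] and return (type, level or '')."""
    parts = context.split(':', 3)
    return parts[2], parts[3] if len(parts) > 3 else ''

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    stype, slevel = type_and_level(kv['scontext'])
    ttype, tlevel = type_and_level(kv['tcontext'])
    return {'perms': m.group(1).split(), 'stype': stype, 'ttype': ttype, 'tclass': kv['tclass'],
            'same_level': slevel == tlevel, 'permissive': kv.get('permissive') == '1'}

def summarise(lines):
    """Merge repeated denials into one entry per (source type, target type, class)."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = out.setdefault(key, {'perms': set(), 'same_level': True, 'permissive': True})
        entry['perms'].update(rec['perms'])
        entry['same_level'] &= rec['same_level']
        entry['permissive'] &= rec['permissive']
    return out

def decode_proctitle(line):
    """Hex proctitle= value -> argv list (the kernel caps the value at 128 bytes)."""
    m = PROCTITLE_RE.search(line)
    return [a.decode(errors='replace') for a in bytes.fromhex(m.group(1)).split(b'\0')] if m else None
```
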
The operation completes successfully when virt-builder is run as root.
The following environment variable is a workaround as suggested in the error message: LIBGUESTFS_BACKEND=direct
(In reply to Stef Walter from comment #2)
> The following environment variable is a workaround as suggested in the error
> message:
>
> LIBGUESTFS_BACKEND=direct

This just causes it to run qemu directly, so no libvirt, so no SELinux.

BTW it works fine for me. I'm using:

selinux-policy-targeted-3.13.1-128.12.fc22.noarch
libguestfs-tools-c-1.31.5-1.fc24.x86_64
libvirt-1.2.17-2.fc24.x86_64
Upgrading to selinux-policy-3.13.1-128.12.fc22.noarch fixed the issue. Thanks for the help Richard.