Bug 1263125 - virt-builder fails due to SELinux
Summary: virt-builder fails due to SELinux
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-09-15 07:44 UTC by Stef Walter
Modified: 2015-09-15 08:37 UTC
CC: 4 users

Fixed In Version: selinux-policy-3.13.1-128.12.fc22.noarch
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-15 08:37:14 UTC
Type: Bug
Embargoed:



Description Stef Walter 2015-09-15 07:44:09 UTC
Description of problem:

The following command fails with selinux enabled.

virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64


Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1327 audit(1442302235.661:687): proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1300 audit(1442302235.661:687): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7ffdab51b5e0 a2=6e a3=672f62696c2f756d items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc:  denied  { create } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc:  denied  { add_name } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc:  denied  { write } for  pid=8509 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { create } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { add_name } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { write } for  pid=8509 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit: <audit-1327> proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1300> arch=c000003e syscall=59 success=yes exit=0 a0=7f1154003750 a1=7f1154009370 a2=7f1154008a90 a3=8 items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { append } for  pid=8509 comm="qemu-kvm" path="/home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log" dev="dm-4" ino=2884577 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1327 audit(1442302235.595:686): proctitle=2F62696E2F7368002F7573722F62696E2F71656D752D6B766D002D6E616D6500677565737466732D6D62366765616D763976786B75613878002D53002D6D616368696E650070632D6934343066782D322E332C616363656C3D6B766D2C7573623D6F6666002D63707500686F7374002D6D00353030002D7265616C74696D65
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1300 audit(1442302235.595:686): arch=c000003e syscall=59 success=yes exit=0 a0=7f1154003750 a1=7f1154009370 a2=7f1154008a90 a3=8 items=0 ppid=1 pid=8509 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 key=(null)
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.595:686): avc:  denied  { append } for  pid=8509 comm="qemu-kvm" path="/home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log" dev="dm-4" ino=2884577 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit_printk_skb: 3 callbacks suppressed
Sep 15 09:30:35 falcon.thewalter.lan libvirtd[8345]: Domain id=3 name='guestfs-mb6geamv9vxkua8x' uuid=01f80b77-e417-4798-9f78-07967dbb0ee2 is tainted: host-cpu
Sep 15 09:30:35 falcon.thewalter.lan libvirtd[8345]: Domain id=3 name='guestfs-mb6geamv9vxkua8x' uuid=01f80b77-e417-4798-9f78-07967dbb0ee2 is tainted: custom-argv

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-128.8.fc22.noarch
libguestfs-tools-c-1.30.0-1.fc22.x86_64

How reproducible:

Every time

Steps to Reproduce:

Don't run this as root:

1. cd ~
2. virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64


Actual results:

$ virt-builder fedora-22 --output cockpit-fedora-22-x86_64-21.qcow2 --size 8G --format qcow2 --arch x86_64
[   1,1] Downloading: http://libguestfs.org/download/builder/fedora-22.xz
[   1,6] Planning how to build this image
[   1,6] Uncompressing
[   6,3] Resizing (using virt-resize) to expand the disk to 8,0G
virt-resize: error: libguestfs error: could not create appliance through libvirt.

Try running qemu directly without libvirt using this environment variable:
export LIBGUESTFS_BACKEND=direct

Original error from libvirt: internal error: process exited while connecting to monitor:  [code=1 domain=10]

If reporting bugs, run virt-resize with debugging enabled and include the complete output:

  virt-resize -v -x [...]

Expected results:

No failure.

Additional info: The goggles, they do nothing:

No output from the following commands:

$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log
$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/log/
$ sudo restorecon -R -v /home/stef/.cache/libvirt/qemu/
$ sudo restorecon -R -v /home/stef/.cache/libvirt/
$ sudo restorecon -R -v /home/stef/.cache/

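Added example (not part of the bug report or of libguestfs/libvirt): a small triage parser for the `avc:  denied` records quoted above. It extracts the permission, object class, source and target contexts, and splits each label into type and MCS categories, so the two things worth checking first are visible at a glance: whether `permissive=1` was set (the denial was logged but not enforced) and whether the sVirt per-VM category pair on the qemu process (`s0:c337,c506`) differs from the pair on the file it touched (`s0:c242,c945`). The sample input is constructed from three of the report's journal lines, one non-AVC libvirtd line, and one hypothetical denial with matching categories that is not in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample input: three lines quoted in the bug report (one in the
# "kernel: audit:" form, two in the "audit[pid]:" form), one libvirtd line that
# is not an AVC record, and one hypothetical denial (not from the report) whose
# process and object carry the same MCS categories and permissive=0.
SAMPLE_LOG = """\
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { create } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan kernel: audit: type=1400 audit(1442302235.661:687): avc:  denied  { add_name } for  pid=8509 comm="qemu-system-x86" name="guestfs-mb6geamv9vxkua8x.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Sep 15 09:30:35 falcon.thewalter.lan audit[8509]: <audit-1400> avc:  denied  { append } for  pid=8509 comm="qemu-kvm" path="/home/stef/.cache/libvirt/qemu/log/guestfs-mb6geamv9vxkua8x.log" dev="dm-4" ino=2884577 scontext=unconfined_u:unconfined_r:svirt_t:s0:c337,c506 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=1
Sep 15 09:30:35 falcon.thewalter.lan libvirtd[8345]: Domain id=3 name='guestfs-mb6geamv9vxkua8x' uuid=01f80b77-e417-4798-9f78-07967dbb0ee2 is tainted: host-cpu
Sep 15 09:31:00 host.example audit[9999]: <audit-1400> avc:  denied  { write } for  pid=9999 comm="qemu-system-x86" path="/tmp/disk.qcow2" scontext=unconfined_u:unconfined_r:svirt_t:s0:c11,c22 tcontext=unconfined_u:object_r:user_tmp_t:s0:c11,c22 tclass=file permissive=0
"""

# Matches both journal forms; only the text after "for" carries key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MLS sensitivity plus optional MCS categories, e.g. "s0:c337,c506"

    @property
    def categories(self) -> frozenset:
        """MCS category set of the label; empty when the label carries none."""
        parts = self.level.split(":", 1)
        if len(parts) < 2 or not parts[1]:
            return frozenset()
        return frozenset(parts[1].split(","))


def parse_context(label: str) -> Context:
    parts = label.split(":", 3)  # user:role:type[:level]
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {label!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass
class Denial:
    perms: tuple
    pid: int
    comm: str
    target: str  # path= if present, else name=, of the object
    tclass: str
    scontext: Context
    tcontext: Context
    permissive: bool

    def mcs_mismatch(self) -> bool:
        """True when both labels carry MCS categories and the sets differ."""
        s, t = self.scontext.categories, self.tcontext.categories
        return bool(s) and bool(t) and s != t


def parse_avc_lines(text: str) -> list:
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the libvirtd taint message)
        fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            pid=int(fields["pid"]),
            comm=fields.get("comm", ""),
            target=fields.get("path", fields.get("name", "")),
            tclass=fields["tclass"],
            scontext=parse_context(fields["scontext"]),
            tcontext=parse_context(fields["tcontext"]),
            permissive=fields.get("permissive") == "1",
        ))
    return denials


def explain(d: Denial) -> list:
    """Human-readable triage notes for one denial."""
    notes = [f"{d.comm}[{d.pid}] ({d.scontext.type}) denied {' '.join(d.perms)} "
             f"on {d.tclass} {d.target!r} ({d.tcontext.type})"]
    if d.permissive:
        notes.append("permissive=1: logged but not enforced for this domain")
    if d.mcs_mismatch():
        notes.append(f"MCS mismatch: process {sorted(d.scontext.categories)} "
                     f"vs object {sorted(d.tcontext.categories)}")
    return notes


def summarize(denials: list) -> dict:
    return {
        "total": len(denials),
        "permissive": sum(d.permissive for d in denials),
        "mcs_mismatch": sum(d.mcs_mismatch() for d in denials),
        "target_types": sorted({d.tcontext.type for d in denials}),
    }


if __name__ == "__main__":
    found = parse_avc_lines(SAMPLE_LOG)
    for d in found:
        print("\n".join(explain(d)), end="\n\n")
    print(summarize(found))
```

On the report's records the parser shows every svirt_t denial hitting svirt_sandbox_file_t objects whose category pair differs from the VM's own, which is exactly the per-VM isolation sVirt is meant to enforce; that is why relabelling with restorecon (which only consults the file-context database, not the categories libvirt assigns at run time) changed nothing. The `LIBGUESTFS_BACKEND=direct` workaround sidesteps the denials only because, as comment 3 says, it bypasses libvirt and so runs qemu without that confinement.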
Comment 1 Stef Walter 2015-09-15 07:45:44 UTC
The operation completes successfully when virt-builder is run as root.

Comment 2 Stef Walter 2015-09-15 07:47:01 UTC
The following environment variable is a workaround as suggested in the error message:

LIBGUESTFS_BACKEND=direct

Comment 3 Richard W.M. Jones 2015-09-15 07:57:09 UTC
(In reply to Stef Walter from comment #2)
> The following environment variable is a workaround as suggested in the error
> message:
> 
> LIBGUESTFS_BACKEND=direct

This just causes it to run qemu directly, so no libvirt, so no SELinux.

BTW it works fine for me.  I'm using:
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
libguestfs-tools-c-1.31.5-1.fc24.x86_64
libvirt-1.2.17-2.fc24.x86_64

Comment 4 Stef Walter 2015-09-15 08:37:14 UTC
Upgrading to selinux-policy-3.13.1-128.12.fc22.noarch fixed the issue. Thanks for the help Richard.

