Description of problem: I tried creating a new VM with GNOME Boxes. SELinux is preventing qemu-system-x86 from 'write' accesses on the directory lib. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow qemu-system-x86 to have write access on the lib directory Then you need to change the label on lib Do # semanage fcontext -a -t FILE_TYPE 'lib' where FILE_TYPE is one of the following: dosfs_t, hugetlbfs_t, qemu_var_run_t, svirt_home_t, svirt_image_t, svirt_tmp_t, svirt_tmpfs_t, tmp_t, tmpfs_t, user_tmp_t, var_run_t, var_t, virt_cache_t, virt_home_t. Then execute: restorecon -v 'lib' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that qemu-system-x86 should be allowed write access on the lib directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:svirt_t:s0:c244,c283 Target Context unconfined_u:object_r:unlabeled_t:s0 Target Objects lib [ dir ] Source qemu-system-x86 Source Path qemu-system-x86 Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages filesystem-3.2-35.fc23.x86_64 Policy RPM selinux-policy-3.13.1-152.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.3-300.fc23.x86_64 #1 SMP Mon Oct 5 15:42:54 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-10-27 11:11:31 CET Last Seen 2015-10-27 11:11:31 CET Local ID 011a10e3-5ac8-421b-be1e-7e79320d9ec8 Raw Audit Messages type=AVC msg=audit(1445940691.118:630): avc: denied { write } for pid=13569 comm="qemu-system-x86" name="lib" dev="sda2" ino=8913975 scontext=unconfined_u:unconfined_r:svirt_t:s0:c244,c283 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 Hash: qemu-system-x86,svirt_t,unlabeled_t,dir,write Version-Release number of selected component: selinux-policy-3.13.1-152.fc23.noarch Additional info: reporter: libreport-2.6.2 hashmarkername: setroubleshoot kernel: 4.2.3-300.fc23.x86_64 type: libreport
Proposed as a Blocker for 23-final by Fedora user bochecha using the blocker tracking app because: SELinux prevents GNOME Boxes from creating a virtual machine, which I would qualify as "basic functionality" for that application. This violates the "Default application functionality" release criteria.
I tried but couldn't reproduce this. I installed clean F23 RC3 Workstation Live, then used the same ISO image to install it inside Boxes. The VM boots fine both Live and installed, no SELinux alerts. I have the same kernel and selinux-policy version as OP.
Stephen Gallagher also tried to reproduce, also received no AVCs.
*** Bug 1275607 has been marked as a duplicate of this bug. ***
*** Bug 1275605 has been marked as a duplicate of this bug. ***
I'm -1 blocker on this, since I can't reproduce it and I've tried. Also, it's worth noting that all of the files referenced in these bugs are located within the user's home directory. It's possible that something got mislabeled if this home directory was reused or is hosted on NFS, etc. But it seems that it's not an issue for a freshly-installed system.
Hi Mathieu, Did you try it on fresh installation? I believe you turn selinux off, then reboot system and then turn selinux on again. Please run: "# restorecon -R -v /" This should fix your issue. Thank you guys for testing.
(In reply to Stephen Gallagher from comment #6) > Also, it's worth noting that all of the files referenced in these bugs are > located within the user's home directory. It's possible that something got > mislabeled if this home directory was reused or is hosted on NFS, etc. But > it seems that it's not an issue for a freshly-installed system. This is fresh new install, I did not reuse the home folder, it is not on NFS. (In reply to Lukas Vrabec from comment #7) > Hi Mathieu, > > Did you try it on fresh installation? Yes. > I believe you turn selinux off, then > reboot system and then turn selinux on again. I never turned SELinux off on this system since I installed it last Thursday. I only did "setenforce 0" **after** I started running into this bug, because I needed the VM to do some work. > Please run: > "# restorecon -R -v /" Ok, I just did that. Indeed, it restored the context of some files under ~/.local/share/gnome-boxes and ~/.config/libvirt And now I don't seem to get any SELinux errors any more, so it was indeed a problem with mislabled files. I'm really wondering why those files got mislabeled, though, but I guess that's not this bug. Thanks.
How did you do your install, Mathieu?
I downloaded the latest (as of last Thursday morning, UTC+2) Workstation image from https://alt.fedoraproject.org/pub/alt/stage/?C=M;O=A Then made a live USB, and installed the usual way. Nothing special really.
If we are not able to reproduce, I would close this bug. It could be some specific/install issue which caused you got unlabeled_t for some dirs/files related to gnome-boxes and libvirt. If we get a reproducer then we will investigate further. Thanks.
mathieu: can you post the exact image filename? That's safer than me trying to guess what you would have downloaded last Thursday.