Bug 1284392 - SELinux is preventing qemu-system-x86 from using the 'execmem' accesses on a process.
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins
Version: 23
Hardware: x86_64 Unspecified
Priority: medium, Severity: low
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:ac65e9d2c4559f1e3eef8263e1e...
Keywords: Reopened

Reported: 2015-11-23 03:47 EST by cutnioff
Modified: 2016-12-20 11:12 EST
Doc Type: Bug Fix
Last Closed: 2016-12-20 11:11:27 EST

Attachments
/var/log/audit/audit.log (1.66 MB, text/plain)
2015-11-24 07:48 EST, cutnioff
VM config (3.83 KB, text/plain)
2016-01-15 09:52 EST, Brian J. Murrell
VM log (58.53 KB, text/plain)
2016-01-15 09:52 EST, Brian J. Murrell

Description cutnioff 2015-11-23 03:47:56 EST
Version-Release number of selected component:
selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-300.fc23.x86_64
type:           libreport

Potential duplicate: bug 799169
Comment 1 Lukas Vrabec 2015-11-23 04:07:11 EST
Hi, 
We have no info about your issue. Could you please attach log from "/var/log/audit/audit.log" ? 

I'm closing this for now, but feel free to re-open this issue with related logs.

Thank you.
Comment 2 cutnioff 2015-11-24 07:48 EST
Created attachment 1098182
/var/log/audit/audit.log
Comment 3 cutnioff 2015-11-24 07:50:39 EST
(In reply to Lukas Vrabec from comment #1)
> Hi, 
> We have no info about your issue. Could you please attach log from
> "/var/log/audit/audit.log" ? 
> 
> I'm closing this for now, but feel free to re-open this issue with related
> logs.
> 
> Thank you.

You can open the topic now. The attachment is here.
Comment 4 Lukas Vrabec 2015-11-24 07:55:15 EST
Use:
#sudo setsebool -P virt_use_execmem=1

To fix your issue.
Comment 5 Brian J. Murrell 2016-01-05 06:46:25 EST
(In reply to Lukas Vrabec from comment #4)
> Use:
> #sudo setsebool -P virt_use_execmem=1

But what does this do/allow exactly?  Surely this is not something that is all right to do in all situations or it would just be the default, yes?

Generally speaking, I find this of all of the "setsebool" suggestions.  They always just say to set it but not what the consequences of setting it are.  Some better information there would be helpful.
Comment 6 Daniel Walsh 2016-01-05 08:28:52 EST
Using standard kvm vm's does not require qemu to have execmem privilege.  execmem blocks certain attack vectors (Buffer Overflow attack where the hacked process is able to overwrite memory and then execute the code it wrote).  

When using different qemu emulators that do not use kvm, the emulators require execmem to work.  So you have to loosen the policy slightly to allow the access.  So turning on this boolean could allow a hacked qemu process that was susceptible to buffer overflow attack to not be blocked by SELinux.

Not lots of other SELinux blocks would still be in effect.

Since most people use kvm for VM's we disable it by default.
Comment 7 Daniel Walsh 2016-01-05 09:05:51 EST
Expanded this in a blog.

http://danwalsh.livejournal.com/73611.html
Comment 8 Brian J. Murrell 2016-01-14 10:24:33 EST
@Daniel: Yeah, so what's interesting here then (and makes me glad I asked questions) is that I also only use KVM.  So how did I get this AVC?
Comment 9 Brian J. Murrell 2016-01-14 10:24:55 EST
Going to reopen given the previous comment.
Comment 10 Daniel Walsh 2016-01-15 08:58:02 EST
Brian what avc did you get?
Comment 11 Brian J. Murrell 2016-01-15 09:19:34 EST
I delete them from the GUI tool once I report them, but looking in audit.log it looks like:

type=AVC msg=audit(1449586668.433:5031): avc:  denied  { execmem } for  pid=21265 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c390,c401 tcontext=system_u:system_r:svirt_t:s0:c390,c401 tclass=process permissive=0
Comment 12 Daniel Walsh 2016-01-15 09:26:45 EST
Right, that shows you are running an x86 qemu rather than the standard kvm qemu.  The problem here is this should be run with a different type.  Dan Berrange says on my blog that libvirt is supposed to launch these qemu instances with a different type svirt_tgt_t, which would allow this access.  I have added him to the CC to see if he has any comment.
Comment 13 Daniel Berrange 2016-01-15 09:38:57 EST
(In reply to Daniel Walsh from comment #12)
> Right, that shows you are running an x86 qemu rather than the standard kvm
> qemu. 

That's not actually a problem - the regular x86 QEMU should have KVM support enabled.  What we really require here is the /etc/libvirt/qemu/$GUEST.xml file and the corresponding /var/log/libvirt/qemu/$GUEST.log file for the instance that causes the AVC, so we can see how it's configured.
Comment 14 Brian J. Murrell 2016-01-15 09:52 EST
Created attachment 1115174
VM config
Comment 15 Brian J. Murrell 2016-01-15 09:52 EST
Created attachment 1115175
VM log
Comment 16 Brian J. Murrell 2016-01-19 14:23:39 EST
Were my log attachments helpful?
Comment 17 Daniel Berrange 2016-01-21 09:11:56 EST
The XML configuration shows it is requesting KVM:

<domain type='kvm'>

And the logfile shows that KVM is being turned on when launching QEMU, and fallback TCG is not enabled

-machine pc-i440fx-2.3,accel=kvm,usb=off

So QEMU is running with KVM, and as such should *not* require 'execmem' privilege.

So there is something else going on here. Can you show the output of 

$ ldd /usr/bin/qemu-kvm
Comment 18 Brian J. Murrell 2016-01-21 10:14:27 EST
$ ldd /usr/bin/qemu-kvm
	not a dynamic executable
$ cat /usr/bin/qemu-kvm
#!/bin/sh

exec /usr/bin/qemu-system-x86_64 -machine accel=kvm "$@"
$ ldd /usr/bin/qemu-system-x86_64
	linux-vdso.so.1 (0x00007ffc325e6000)
	libssl3.so => /lib64/libssl3.so (0x00007fe33f750000)
	libsmime3.so => /lib64/libsmime3.so (0x00007fe33f529000)
	libnss3.so => /lib64/libnss3.so (0x00007fe33f201000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fe33efd4000)
	libplds4.so => /lib64/libplds4.so (0x00007fe33edd0000)
	libplc4.so => /lib64/libplc4.so (0x00007fe33ebca000)
	libnspr4.so => /lib64/libnspr4.so (0x00007fe33e98b000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe33e76e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fe33e569000)
	libgthread-2.0.so.0 => /lib64/libgthread-2.0.so.0 (0x00007fe33e367000)
	libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007fe33e02e000)
	libGL.so.1 => /usr/lib64/nvidia/libGL.so.1 (0x00007fe33dcf9000)
	libGLESv2.so.2 => /usr/lib64/nvidia/libGLESv2.so.2 (0x00007fe33dae6000)
	libepoxy.so.0 => /lib64/libepoxy.so.0 (0x00007fe33d7e9000)
	libEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)
	libX11.so.6 => /lib64/libX11.so.6 (0x00007fe33d2a3000)
	libz.so.1 => /lib64/libz.so.1 (0x00007fe33d08d000)
	libaio.so.1 => /lib64/libaio.so.1 (0x00007fe33ce8a000)
	libiscsi.so.4 => /usr/lib64/iscsi/libiscsi.so.4 (0x00007fe33cc65000)
	libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fe33c9eb000)
	librbd.so.1 => /lib64/librbd.so.1 (0x00007fe33a431000)
	librados.so.2 => /lib64/librados.so.2 (0x00007fe337ed9000)
	libacl.so.1 => /lib64/libacl.so.1 (0x00007fe337cd0000)
	libgfapi.so.0 => /lib64/libgfapi.so.0 (0x00007fe337aaf000)
	libglusterfs.so.0 => /lib64/libglusterfs.so.0 (0x00007fe3377e4000)
	libgfrpc.so.0 => /lib64/libgfrpc.so.0 (0x00007fe3375c8000)
	libgfxdr.so.0 => /lib64/libgfxdr.so.0 (0x00007fe3373af000)
	libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fe3371aa000)
	libssh2.so.1 => /lib64/libssh2.so.1 (0x00007fe336f7e000)
	libbz2.so.1 => /lib64/libbz2.so.1 (0x00007fe336d6d000)
	libpixman-1.so.0 => /lib64/libpixman-1.so.0 (0x00007fe336ac5000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007fe3368c2000)
	libnuma.so.1 => /lib64/libnuma.so.1 (0x00007fe3366b6000)
	libbluetooth.so.3 => /lib64/libbluetooth.so.3 (0x00007fe336494000)
	libncurses.so.5 => /lib64/libncurses.so.5 (0x00007fe33626e000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fe336043000)
	libbrlapi.so.0.6 => /lib64/libbrlapi.so.0.6 (0x00007fe335e37000)
	libasound.so.2 => /lib64/libasound.so.2 (0x00007fe335b4d000)
	libpulse.so.0 => /lib64/libpulse.so.0 (0x00007fe3358fb000)
	libpng16.so.16 => /lib64/libpng16.so.16 (0x00007fe3356c8000)
	libjpeg.so.62 => /lib64/libjpeg.so.62 (0x00007fe33546f000)
	libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fe335251000)
	libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007fe334f1e000)
	libSDL2-2.0.so.0 => /lib64/libSDL2-2.0.so.0 (0x00007fe334c1e000)
	libvte2_90.so.9 => /lib64/libvte2_90.so.9 (0x00007fe334976000)
	libgtk-3.so.0 => /lib64/libgtk-3.so.0 (0x00007fe334052000)
	libgdk-3.so.0 => /lib64/libgdk-3.so.0 (0x00007fe333d84000)
	libpangocairo-1.0.so.0 => /lib64/libpangocairo-1.0.so.0 (0x00007fe333b76000)
	libpango-1.0.so.0 => /lib64/libpango-1.0.so.0 (0x00007fe33392b000)
	libatk-1.0.so.0 => /lib64/libatk-1.0.so.0 (0x00007fe333705000)
	libcairo-gobject.so.2 => /lib64/libcairo-gobject.so.2 (0x00007fe3334fb000)
	libgdk_pixbuf-2.0.so.0 => /lib64/libgdk_pixbuf-2.0.so.0 (0x00007fe3332d5000)
	libgio-2.0.so.0 => /lib64/libgio-2.0.so.0 (0x00007fe332f55000)
	libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x00007fe332d02000)
	libcairo.so.2 => /lib64/libcairo.so.2 (0x00007fe3329d9000)
	libXext.so.6 => /lib64/libXext.so.6 (0x00007fe3327c7000)
	libnettle.so.6 => /lib64/libnettle.so.6 (0x00007fe33258f000)
	libxenstore.so.3.0 => /lib64/libxenstore.so.3.0 (0x00007fe332385000)
	libxenctrl.so.4.5 => /lib64/libxenctrl.so.4.5 (0x00007fe33215a000)
	libxenguest.so.4.5 => /lib64/libxenguest.so.4.5 (0x00007fe331f2c000)
	libseccomp.so.2 => /lib64/libseccomp.so.2 (0x00007fe331d00000)
	librdmacm.so.1 => /lib64/librdmacm.so.1 (0x00007fe331aea000)
	libibverbs.so.1 => /lib64/libibverbs.so.1 (0x00007fe3318d6000)
	libfdt.so.1 => /lib64/libfdt.so.1 (0x00007fe3316d0000)
	libspice-server.so.1 => /lib64/libspice-server.so.1 (0x00007fe3313a0000)
	libusb-1.0.so.0 => /lib64/libusb-1.0.so.0 (0x00007fe331186000)
	libusbredirparser.so.1 => /lib64/libusbredirparser.so.1 (0x00007fe330f7e000)
	libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007fe330d09000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fe330b00000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fe33077e000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fe33047c000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fe330264000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fe32fea3000)
	/lib64/ld-linux-x86-64.so.2 (0x00005646e2da6000)
	libnvidia-tls.so.358.16 => /usr/lib64/nvidia/tls/libnvidia-tls.so.358.16 (0x00007fe32fc9e000)
	libnvidia-glcore.so.358.16 => /usr/lib64/nvidia/libnvidia-glcore.so.358.16 (0x00007fe32e03d000)
	libGLdispatch.so.0 => /usr/lib64/nvidia/libGLdispatch.so.0 (0x00007fe32dda5000)
	libxcb.so.1 => /lib64/libxcb.so.1 (0x00007fe32db82000)
	libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fe32d89d000)
	libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007fe32d67c000)
	libidn.so.11 => /lib64/libidn.so.11 (0x00007fe32d447000)
	libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe32d1f9000)
	libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe32cf12000)
	libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe32ccdf000)
	libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe32cadb000)
	liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fe32c8cc000)
	libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe32c679000)
	libboost_thread.so.1.58.0 => /lib64/libboost_thread.so.1.58.0 (0x00007fe32c452000)
	libboost_system.so.1.58.0 => /lib64/libboost_system.so.1.58.0 (0x00007fe32c24d000)
	libatomic_ops.so.1 => /lib64/libatomic_ops.so.1 (0x00007fe32c04a000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007fe32be44000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe32b9e8000)
	libssl.so.10 => /lib64/libssl.so.10 (0x00007fe32b76f000)
	libpulsecommon-7.1.so => /usr/lib64/pulseaudio/libpulsecommon-7.1.so (0x00007fe32b4ee000)
	libX11-xcb.so.1 => /lib64/libX11-xcb.so.1 (0x00007fe32b2ec000)
	libICE.so.6 => /lib64/libICE.so.6 (0x00007fe32b0d0000)
	libSM.so.6 => /lib64/libSM.so.6 (0x00007fe32aec6000)
	libXtst.so.6 => /lib64/libXtst.so.6 (0x00007fe32acc0000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fe32ac38000)
	libjson-c.so.2 => /lib64/libjson-c.so.2 (0x00007fe32aa2c000)
	libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe32a821000)
	libsndfile.so.1 => /lib64/libsndfile.so.1 (0x00007fe32a5c1000)
	libasyncns.so.0 => /lib64/libasyncns.so.0 (0x00007fe32a3ba000)
	libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fe32a16a000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007fe329f65000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe329d49000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe329b13000)
	libp11-kit.so.0 => /lib64/libp11-kit.so.0 (0x00007fe3298ad000)
	libtasn1.so.6 => /lib64/libtasn1.so.6 (0x00007fe329699000)
	libhogweed.so.4 => /lib64/libhogweed.so.4 (0x00007fe32946d000)
	libgmp.so.10 => /lib64/libgmp.so.10 (0x00007fe3291f5000)
	libgmodule-2.0.so.0 => /lib64/libgmodule-2.0.so.0 (0x00007fe328ff0000)
	libXi.so.6 => /lib64/libXi.so.6 (0x00007fe328de0000)
	libXfixes.so.3 => /lib64/libXfixes.so.3 (0x00007fe328bda000)
	libatk-bridge-2.0.so.0 => /lib64/libatk-bridge-2.0.so.0 (0x00007fe3289a9000)
	libpangoft2-1.0.so.0 => /lib64/libpangoft2-1.0.so.0 (0x00007fe328793000)
	libfontconfig.so.1 => /lib64/libfontconfig.so.1 (0x00007fe32854f000)
	libXinerama.so.1 => /lib64/libXinerama.so.1 (0x00007fe32834b000)
	libXrandr.so.2 => /lib64/libXrandr.so.2 (0x00007fe328140000)
	libXcursor.so.1 => /lib64/libXcursor.so.1 (0x00007fe327f35000)
	libXcomposite.so.1 => /lib64/libXcomposite.so.1 (0x00007fe327d31000)
	libXdamage.so.1 => /lib64/libXdamage.so.1 (0x00007fe327b2e000)
	libxkbcommon.so.0 => /lib64/libxkbcommon.so.0 (0x00007fe3278ee000)
	libwayland-cursor.so.0 => /lib64/libwayland-cursor.so.0 (0x00007fe3276e5000)
	libwayland-egl.so.1 => /lib64/libwayland-egl.so.1 (0x00007fe3274e3000)
	libwayland-client.so.0 => /lib64/libwayland-client.so.0 (0x00007fe3272d5000)
	libthai.so.0 => /lib64/libthai.so.0 (0x00007fe3270cb000)
	libharfbuzz.so.0 => /lib64/libharfbuzz.so.0 (0x00007fe326e69000)
	libfreetype.so.6 => /lib64/libfreetype.so.6 (0x00007fe326bbe000)
	libxcb-shm.so.0 => /lib64/libxcb-shm.so.0 (0x00007fe3269ba000)
	libxcb-render.so.0 => /lib64/libxcb-render.so.0 (0x00007fe3267af000)
	libXrender.so.1 => /lib64/libXrender.so.1 (0x00007fe3265a4000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe326380000)
	libffi.so.6 => /lib64/libffi.so.6 (0x00007fe326178000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fe325f51000)
	libnl-route-3.so.200 => /lib64/libnl-route-3.so.200 (0x00007fe325ceb000)
	libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007fe325aca000)
	libcacard.so.0 => /lib64/libcacard.so.0 (0x00007fe3258bd000)
	libcelt051.so.0 => /lib64/libcelt051.so.0 (0x00007fe3256ae000)
	libopus.so.0 => /lib64/libopus.so.0 (0x00007fe325461000)
	libudev.so.1 => /lib64/libudev.so.1 (0x00007fe32543f000)
	libunwind.so.8 => /lib64/libunwind.so.8 (0x00007fe325226000)
	libXau.so.6 => /lib64/libXau.so.6 (0x00007fe325021000)
	libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fe324e0d000)
	libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe324bfe000)
	libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe3249f9000)
	libdw.so.1 => /lib64/libdw.so.1 (0x00007fe3247af000)
	libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fe324596000)
	libgsm.so.1 => /lib64/libgsm.so.1 (0x00007fe32438a000)
	libFLAC.so.8 => /lib64/libFLAC.so.8 (0x00007fe32412f000)
	libvorbisenc.so.2 => /lib64/libvorbisenc.so.2 (0x00007fe323e86000)
	libfreebl3.so => /lib64/libfreebl3.so (0x00007fe323c09000)
	libatspi.so.0 => /lib64/libatspi.so.0 (0x00007fe3239d7000)
	libexpat.so.1 => /lib64/libexpat.so.1 (0x00007fe3237ad000)
	libdatrie.so.1 => /lib64/libdatrie.so.1 (0x00007fe3235a4000)
	libgraphite2.so.3 => /lib64/libgraphite2.so.3 (0x00007fe323387000)
	libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe323116000)
	libelf.so.1 => /lib64/libelf.so.1 (0x00007fe322f00000)
	libogg.so.0 => /lib64/libogg.so.0 (0x00007fe322cf8000)
	libvorbis.so.0 => /lib64/libvorbis.so.0 (0x00007fe322acb000)
Comment 19 Daniel Berrange 2016-01-21 10:38:28 EST
(In reply to Brian J. Murrell from comment #18)
> $ ldd /usr/bin/qemu-kvm
> 	not a dynamic executable
> $ cat /usr/bin/qemu-kvm
> #!/bin/sh
> 
> exec /usr/bin/qemu-system-x86_64 -machine accel=kvm "$@"
> $ ldd /usr/bin/qemu-system-x86_64

> 	libGLESv2.so.2 => /usr/lib64/nvidia/libGLESv2.so.2 (0x00007fe33dae6000)
> 	libEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)


This will be the cause of the problem.

The closed source / proprietary nvidia drivers have replaced the mesa GL libraries with their own versions. These libraries are known to require execmem. Despite the fact that QEMU will not actually use this GL functionality, merely having the nvidia libraries linked into the address space is enough to trigger the execmem errors.

There's not really anything libvirt/qemu can do about this and we certainly don't want to allow this in the default policy for sVirt. So anyone with nvidia drivers pretty much just has to run

#sudo setsebool -P virt_use_execmem=1


Perhaps setroubleshoot could look for presence of the nvidia libraries and provide a suitable message to users in this case
Comment 20 Daniel Berrange 2016-01-21 10:39:52 EST
This was previously reported many times - most recent I remember is https://bugzilla.redhat.com/show_bug.cgi?id=1159823
Comment 21 Daniel Walsh 2016-01-21 10:43:55 EST
Is this something we should dontaudit by default, or at least add a boolean to dontaudit.
Comment 22 Daniel Berrange 2016-01-21 10:53:48 EST
(In reply to Daniel Walsh from comment #21)
> Is this something we should dontaudit by default, or at least add a boolean
> to dontaudit.

I think it certainly *should* be audited by default as in general it could be a sign of something seriously wrong and thus I think admins should see it.

I don't see much point in a boolean for dontaudit - nvidia users might as well use the existing warning to permit execmem
Comment 23 Daniel Walsh 2016-01-21 10:55:31 EST
Ok then we should work on the text in setroubleshoot, or work on a plugin that can detect the presence of nvidia to tell the user what is going on.
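
The diagnosis worked out in comments 17 to 23, as an added example (not code from setroubleshoot or from any commenter): a Python triage that classifies an execmem denial for svirt_t from the QEMU -machine argument and the ldd output. The function names and result labels are hypothetical, and treating a missing or compound accel= value as "not KVM" is an assumption.

```python
import re

# Inputs copied from this bug: the AVC from comment 11, the -machine
# argument from comment 17, and a few ldd lines from comment 18.
AVC = ('type=AVC msg=audit(1449586668.433:5031): avc:  denied  { execmem } for  '
       'pid=21265 comm="qemu-system-x86" '
       'scontext=system_u:system_r:svirt_t:s0:c390,c401 '
       'tcontext=system_u:system_r:svirt_t:s0:c390,c401 tclass=process permissive=0')
QEMU_ARGS = '-machine pc-i440fx-2.3,accel=kvm,usb=off'
LDD = """\
\tlibglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007fe33e02e000)
\tlibGL.so.1 => /usr/lib64/nvidia/libGL.so.1 (0x00007fe33dcf9000)
\tlibEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)
\tlibepoxy.so.0 => /lib64/libepoxy.so.0 (0x00007fe33d7e9000)
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')
LDD_RE = re.compile(r'^\s*(?P<soname>\S+) => (?P<path>/\S+)', re.M)


def parse_avc(line):
    """Return the fields the triage needs, or None if this is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # An SELinux context is user:role:type:level; the domain is field 3.
    return {'perms': set(m['perms'].split()), 'comm': m['comm'],
            'domain': m['scontext'].split(':')[2], 'tclass': m['tclass']}


def accelerator(qemu_args):
    """Value of accel= in the -machine option, or None when it is absent."""
    m = re.search(r'-machine\s+\S*?\baccel=([^,\s]+)', qemu_args)
    return m.group(1) if m else None


def nvidia_libs(ldd_output):
    """Sonames that ldd resolved to a path with an 'nvidia' directory."""
    return [m['soname'] for m in LDD_RE.finditer(ldd_output)
            if 'nvidia' in m['path'].split('/')[:-1]]


def triage(avc_line, qemu_args, ldd_output):
    """Classify one denial using the reasoning from the comments above."""
    avc = parse_avc(avc_line)
    if (not avc or 'execmem' not in avc['perms']
            or avc['tclass'] != 'process' or avc['domain'] != 'svirt_t'):
        return 'not-svirt-execmem'
    # Assumption: anything other than a plain accel=kvm may run emulated.
    if accelerator(qemu_args) != 'kvm':
        return 'emulation-without-kvm'      # comment 6: needs execmem to work
    if nvidia_libs(ldd_output):
        return 'nvidia-gl-libraries'        # comment 19: linked libs trigger it
    return 'unexplained-investigate'        # comment 22: admins should see it
```

Only the 'nvidia-gl-libraries' and 'emulation-without-kvm' results correspond to the cases where the thread suggests virt_use_execmem; the last result is the case comment 22 wants kept visible to admins.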
Comment 24 Javier Zapata 2016-02-20 05:49:34 EST
Description of problem:
Download the latest Manjaro ISO and load it up in Boxes app.

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 25 Peque 2016-02-24 12:24:43 EST
Description of problem:
Just launched a virtual machine with GNOME Boxes.

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 26 Alex Thomas 2016-03-05 20:37:53 EST
Description of problem:
Ran gnome-boxes. SELinux Troubleshooter came up.

Version-Release number of selected component:
selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.3-300.fc23.x86_64
type:           libreport
Comment 27 autarch princeps 2016-03-21 17:30:53 EDT
Description of problem:
Starting VM with virt-manager

Version-Release number of selected component:
selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.5-300.fc23.x86_64
type:           libreport
Comment 28 autarch princeps 2016-04-05 08:35:49 EDT
Description of problem:
Starting VM in virt-manager.

Version-Release number of selected component:
selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-301.fc23.x86_64
type:           libreport
Comment 29 Fedora End Of Life 2016-11-24 08:39:19 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 30 Fedora End Of Life 2016-12-20 11:11:27 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
