Bug 1284742 - Non-root session libvirt qemu-kvm fails to access ~/.cache/libvirt
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2015-11-23 23:54 EST by Stef Walter
Modified: 2015-12-08 06:31 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-12-08 06:31:22 EST
Type: Bug
Description Stef Walter 2015-11-23 23:54:58 EST
Description of problem:

When running a session libvirt (i.e. not the libvirtd service), SELinux prevents qemu from writing logs or performing file access:

Nov 24 05:51:48 falcon.thewalter.lan audit[8653]: AVC avc:  denied  { append } for  pid=8653 comm="qemu-kvm" path="/data/.cache/libvirt/qemu/log/rhel-7-6p8c.log" dev="dm-4" ino=5245340 scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
Nov 24 05:51:48 falcon.thewalter.lan audit[8653]: AVC avc:  denied  { write } for  pid=8653 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Nov 24 05:51:48 falcon.thewalter.lan audit[8653]: AVC avc:  denied  { add_name } for  pid=8653 comm="qemu-system-x86" name="rhel-7-6p8c.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1
Nov 24 05:51:48 falcon.thewalter.lan audit[8653]: AVC avc:  denied  { create } for  pid=8653 comm="qemu-system-x86" name="rhel-7-6p8c.monitor" scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=sock_file permissive=1

Version-Release number of selected component (if applicable):

libvirt-1.2.18.1-2.fc23.x86_64
selinux-policy-targeted-3.13.1-154.fc23.noarch

How reproducible:

Every day.

Steps to Reproduce:

An easy way to reproduce using the session libvirt is via the Cockpit tests:

1. git clone https://github.com/cockpit-project/cockpit
2. cd cockpit/test
3. ./vm-prep
4. ./vm-download fedora-23
5. ./vm-run fedora-23

Actual results:

Disable SELinux to do development.

Expected results:

Don't have to disable SELinux to use session libvirt.
Comment 1 Stef Walter 2015-11-24 00:02:11 EST
The following SELinux fcontext equivalences are present:

SELinux Local fcontext Equivalence 

/home/user = /data
/var/cache/libvirt = /data/.cache/libvirt
Comment 2 Daniel Walsh 2015-12-01 15:10:19 EST
restorecon -R -F -v ~/home/data/.cache
Comment 3 Stef Walter 2015-12-08 06:31:22 EST
Thanks. That did the trick.
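The denials in the description and the restorecon fix in comment 2 illustrate a common SELinux triage question: is the target mislabeled, or is the policy missing a rule? The following script is an added example, not code from this bug report or from the libvirt or SELinux projects; it assumes POSIX sh with sed and cut, and its sample input is a constructed copy of two AVC lines quoted above. A target type of default_t means no fcontext rule matched the path at all, so a relabel is the first thing to try before touching policy.

```shell
#!/bin/sh
# Added example: classify AVC denials by their target type so a labeling
# problem (fixed by restorecon) is told apart from a possible policy gap.
# SAMPLE_AVC is a constructed copy of two lines quoted in this bug.
SAMPLE_AVC='audit[8653]: AVC avc:  denied  { append } for  pid=8653 comm="qemu-kvm" path="/data/.cache/libvirt/qemu/log/rhel-7-6p8c.log" dev="dm-4" ino=5245340 scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
audit[8653]: AVC avc:  denied  { write } for  pid=8653 comm="qemu-system-x86" name="lib" dev="dm-4" ino=2621830 scontext=unconfined_u:unconfined_r:svirt_t:s0:c403,c854 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=dir permissive=1'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped,
# empty when the key is absent (e.g. name= on file denials that carry path=)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# type_of CONTEXT -> the type component (third field) of an SELinux context
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_object LINE -> the denied object: path= when present, otherwise name=
avc_object() {
    obj=$(avc_field "$1" path)
    [ -n "$obj" ] || obj=$(avc_field "$1" name)
    printf '%s\n' "$obj"
}

# classify_avc LINE -> "<verdict> <target type> <object>"
# default_t: no fcontext rule matched, relabel with restorecon -R -F first.
# anything else: compare against semanage fcontext -l before changing policy.
classify_avc() {
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    obj=$(avc_object "$1")
    case "$ttype" in
        default_t) verdict=unlabeled ;;
        *)         verdict=check-fcontext ;;
    esac
    printf '%s %s %s\n' "$verdict" "$ttype" "$obj"
}

# classify_all -> one verdict line per AVC line in SAMPLE_AVC
classify_all() {
    printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
        classify_avc "$line"
    done
}

classify_all
```

Feed real audit lines in place of SAMPLE_AVC (for example from `ausearch -m AVC`) to run the same triage on a live system.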
