Bug 1285459 - SELinux is preventing qemu-system-x86 from read access on new VM
Product: Fedora
Classification: Fedora
Component: virt-manager
x86_64 Linux
Priority: high
Severity: medium
Assigned To: Cole Robinson
Fedora Extras Quality Assurance
Depends On:
Reported: 2015-11-25 11:14 EST by Patrick Laimbock
Modified: 2016-03-30 05:27 EDT (History)
10 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-03-30 05:27:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Patrick Laimbock 2015-11-25 11:14:08 EST
Description of problem:
When creating a new VM with virt-manager, starting the VM hangs with a black screen because SELinux is preventing qemu-system-x86 from read access to the new VM, possibly because of a wrong "svirt_image_t" label.

Version-Release number of selected component (if applicable):




How reproducible:
Open virt-manager, select File -> New Virtual Machine
Select PXE boot with defaults for the rest, and when installation starts a new VM window pops up which is black. An SELinux notification pops up with these details:

SELinux is preventing qemu-system-x86 from read access on the file zzz.qcow2.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed read access on the zzz.qcow2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c41,c601
Target Context                system_u:object_r:svirt_image_t:s0:c205,c554
Target Objects                zzz.qcow2 [ file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          plato.just.local
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     plato.just.local
Platform                      Linux plato.just.local 4.2.6-300.fc23.x86_64 #1
                              SMP Tue Nov 10 19:32:21 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-25 15:52:58 CET
Last Seen                     2015-11-25 15:52:58 CET
Local ID                      9e3ebca0-5704-43ca-9afd-46ed26f93906

Raw Audit Messages
type=AVC msg=audit(1448463178.162:4595): avc:  denied  { read } for  pid=5302 comm="qemu-system-x86" name="zzz.qcow2" dev="md127" ino=36700175 scontext=unconfined_u:unconfined_r:svirt_t:s0:c41,c601 tcontext=system_u:object_r:svirt_image_t:s0:c205,c554 tclass=file permissive=0

Hash: qemu-system-x86,svirt_t,svirt_image_t,file,read

Steps to Reproduce:
1. open virt-manager
2. create a new VM with PXE boot and defaults for the rest
3. on installation get a VM window that's black and stays like that forever

Actual results:
Failure to create a new VM

Expected results:
Successful creation of VM

Additional info:
The box running F23 x86_64 was installed from the Live iso image and subsequently updated. If you have any questions please let me know. Thanks!
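The two contexts in the AVC record above describe the denial more precisely than a wrong type label would: both types are the ones sVirt expects (svirt_t for the qemu process, svirt_image_t for the disk image), but the MCS categories differ (c41,c601 on the process, c205,c554 on the file). libvirt gives each running guest a random pair of categories and labels that guest's disks with the same pair, and the MCS constraint lets a process read a file only when the process's category set contains the file's, so an image carrying another guest's categories is denied even though its type is correct. Cole's question in comment 2 is aimed at exactly that case. The script below is an added example, not code from the bug report or from virt-manager: it parses an AVC line, compares the source and target contexts, and reports whether the problem is the type or the categories. The first input is the raw audit message from this report; the other two lines are constructed for comparison and do not come from the page.

```python
import re

# Raw audit message copied from the bug report above.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1448463178.162:4595): avc:  denied  { read } for  pid=5302 '
    'comm="qemu-system-x86" name="zzz.qcow2" dev="md127" ino=36700175 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c41,c601 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c205,c554 tclass=file permissive=0'
)

# Constructed for comparison (not from the report): the same guest with a
# correctly labelled image, and an image libvirt never relabelled at all.
AVC_MATCHING = AVC_FROM_REPORT.replace('s0:c205,c554', 's0:c41,c601')
AVC_WRONG_TYPE = AVC_FROM_REPORT.replace(
    'system_u:object_r:svirt_image_t:s0:c205,c554',
    'unconfined_u:object_r:user_home_t:s0')

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_CAT = re.compile(r'^c(\d+)(?:\.c(\d+))?$')   # c601, or a range such as c0.c1023


def parse_avc(line):
    """Return the key=value fields of an AVC record plus the permission list."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    perms = re.search(r'\{ ([^}]*) \}', line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields


def parse_context(ctx):
    """Split user:role:type:level; the level becomes a sensitivity and a category set."""
    user, role, type_, level = ctx.split(':', 3)
    if '-' in level:
        raise ValueError('MLS ranges (low-high) are not handled here: %r' % level)
    sens, _, cats = level.partition(':')
    catset = set()
    for item in cats.split(',') if cats else []:
        m = _CAT.match(item)
        if not m:
            raise ValueError('unexpected category %r' % item)
        low = int(m.group(1))
        high = int(m.group(2) or low)
        catset.update(range(low, high + 1))
    return {'user': user, 'role': role, 'type': type_,
            'sens': sens, 'cats': frozenset(catset)}


def fmt_cats(cats):
    return ','.join('c%d' % c for c in sorted(cats)) or '(none)'


def diagnose(line):
    """Classify an sVirt denial: wrong type, MCS category mismatch, or neither."""
    f = parse_avc(line)
    src = parse_context(f['scontext'])
    tgt = parse_context(f['tcontext'])
    if src['type'] != 'svirt_t' or tgt['type'] != 'svirt_image_t':
        return ('type mismatch: %s on %s is not the svirt_t -> svirt_image_t pair; '
                'check the file label with ls -Z' % (src['type'], tgt['type']))
    # MCS dominance: the process may read the file only if its category set
    # contains every category carried by the file.
    missing = tgt['cats'] - src['cats']
    if missing:
        return ('MCS mismatch: process %s cannot read image %s (file carries %s, '
                'which this guest does not have); the image belongs to another '
                'guest or kept a stale label'
                % (fmt_cats(src['cats']), fmt_cats(tgt['cats']), fmt_cats(missing)))
    return 'types and categories agree; the denial is not an sVirt label problem'


if __name__ == '__main__':
    for avc in (AVC_FROM_REPORT, AVC_MATCHING, AVC_WRONG_TYPE):
        print(diagnose(avc))
```

Run against the report's line it reports an MCS mismatch, which is why the audit2allow module the troubleshooter suggests is the wrong fix: it would grant svirt_t access across category boundaries and defeat the per-guest isolation sVirt exists to provide. The useful follow-up is to look at the image's current label (ls -Z on the file) and at which guest, if any, libvirt has assigned the c205,c554 pair to.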
Comment 1 Lukas Vrabec 2016-03-16 10:54:11 EDT
virt-manager folks, 
Do we know whats going on here? 

Thank you.
Comment 2 Cole Robinson 2016-03-16 18:06:36 EDT
Where is zzz.qcow2 stored?
Is that file being used by other VMs as well?
Comment 3 Patrick Laimbock 2016-03-30 05:27:40 EDT
The test box where this occurred was unfortunately repurposed. The issue could not be reproduced on a fresh F23 box with latest updates. Closing.
