Bug 1368745 - selinux-policy-3.13.1-191.12.fc24 prevents virtual machine usage
selinux-policy-3.13.1-191.12.fc24 prevents virtual machine usage
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
24
x86_64 Linux
high Severity high
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
: 1368923 1369011 1369048 1369069 1369199 1369481 1369884 1369954 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-20 19:02 EDT by David H. Gutteridge
Modified: 2016-08-25 12:52 EDT (History)
83 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-191.13.fc24
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-25 09:53:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David H. Gutteridge 2016-08-20 19:02:55 EDT
Description of problem:

The latest selinux-policy pushed to stable for Fedora 24 prevents me from starting or creating virtual machines in some contexts. (I can still use Gnome-Boxes for simple stuff, but virt-manager doesn't work.)

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-191.12.fc24

How reproducible:

Always

Steps to Reproduce:
1. Try creating or running a virtual machine using virt-manager (or virsh, as another user reported separately on Bodhi).
2. SELinux will prevent this from happening.

Additional info:

Sample log output via journalctl:

Aug 20 02:33:25 arcusix.nonus-porta.net audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
                                                   exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 20 02:33:25 arcusix.nonus-porta.net audit: ANOM_PROMISCUOUS dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
Aug 20 02:33:25 arcusix.nonus-porta.net systemd-machined[23572]: Failed to start machine scope: Access denied
Aug 20 02:33:25 arcusix.nonus-porta.net libvirtd[1101]: SELinux policy denies access.
Aug 20 02:33:25 arcusix.nonus-porta.net virtlogd[23562]: libvirt version: 1.3.3.2, package: 1.fc24 (Fedora Project, 2016-07-19-00:36:57, buildvm-25.phx2.fedoraproject.org)

Reverting to selinux-policy-3.13.1-191.10.fc24 fixes the problem.
Comment 1 rvcsaba 2016-08-21 09:10:32 EDT
Same problem here.

Aug 21 14:57:48 deer audit[3887]: VIRT_MACHINE_ID pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd vm-ctx=system_u:system_r:svirt_t:s0:c251,c995 img-ctx=system_u:object_r:svirt_image_t:s0:c251,c995 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
Aug 21 14:57:48 deer audit[3887]: VIRT_MACHINE_ID pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8152] manager: (vnet0): new Tun device (/org/freedesktop/NetworkManager/Devices/12)
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered blocking state
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state
Aug 21 14:57:48 deer kernel: device vnet0 entered promiscuous mode
Aug 21 14:57:48 deer audit: ANOM_PROMISCUOUS dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered blocking state
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered listening state
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8687] device (vnet0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8731] keyfile: add connection in-memory (5be444bb-ed22-47ad-b09e-5a8af883162d,"vnet0")
Aug 21 14:57:48 deer audit[3887]: VIRT_RESOURCE pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=open vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd net=52:54:00:e5:28:b8 path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8770] device (vnet0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8791] device (vnet0): Activation: starting connection 'vnet0' (5be444bb-ed22-47ad-b09e-5a8af883162d)
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8800] device (vnet0): state change: disconnected -> prepare (reason 'none') [30 40 0]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8805] device (vnet0): state change: prepare -> config (reason 'none') [40 50 0]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8807] device (vnet0): state change: config -> ip-config (reason 'none') [50 70 0]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8807] device (virbr0): bridge port vnet0 was attached
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8808] device (vnet0): Activation: connection 'vnet0' enslaved, continuing activation
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8810] device (vnet0): state change: ip-config -> secondaries (reason 'none') [70 90 0]
Aug 21 14:57:48 deer NetworkManager[859]: <info>  [1471784268.8812] device (vnet0): state change: secondaries -> activated (reason 'none') [90 100 0]
Aug 21 14:57:48 deer audit[3887]: VIRT_RESOURCE pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=open vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd net=52:54:00:e5:28:b8 path="/dev/vhost-net" rdev=0A:EE exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
Aug 21 14:57:48 deer audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system
                                exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Aug 21 14:57:48 deer systemd-machined[9028]: Failed to start machine scope: Access denied
Aug 21 14:57:48 deer libvirtd[3887]: SELinux policy denies access.
Aug 21 14:57:48 deer virtlogd[3248]: End of file while reading data: Input/output error
Aug 21 14:57:48 deer virtlogd[3248]: Cannot open log file: '/var/log/libvirt/qemu/Fedora24_builder.log': Device or resource busy
Aug 21 14:57:48 deer libvirtd[3887]: Cannot open log file: '/var/log/libvirt/qemu/Fedora24_builder.log': Device or resource busy
Aug 21 14:57:48 deer virtlogd[3248]: End of file while reading data: Input/output error
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state
Aug 21 14:57:48 deer audit: ANOM_PROMISCUOUS dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
Aug 21 14:57:48 deer kernel: device vnet0 left promiscuous mode
Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state
Aug 21 14:57:48 deer libvirtd[3887]: ethtool ioctl error: No such device
Comment 2 Travis L 2016-08-21 14:14:48 EDT
Same problem here.

Affected version: selinux-policy-3.13.1-191.12.fc24.noarch

Workaround: dnf downgrade to selinux-policy-3.13.1-190.fc24.noarch

When starting VM in virt-manager:
Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.




Output from sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing accounts-daemon from write access on the directory /root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp


Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.12.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.6.6-300.fc24.x86_64
                              #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-08-17 22:18:25 EDT
Last Seen                     2016-08-17 22:18:25 EDT
Local ID                      964d00fb-f47b-4a81-8e8b-b8f7a10ca8aa

Raw Audit Messages
type=AVC msg=audit(1471486705.452:102): avc:  denied  { write } for  pid=922 comm="accounts-daemon" name="root" dev="dm-0" ino=268 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write
Comment 3 Reartes Guillermo 2016-08-21 17:17:16 EDT
Hi, 

I also cannot start any VMs vith virt-manager.
It seems i upgraded some packagesd also...

# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing accounts-daemon from write access on the directory /root.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, accounts-daemon debería permitir acceso write sobre root directory.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp


Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.12.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     luna.localdomain
Platform                      Linux luna.localdomain 4.6.6-300.fc24.x86_64 #1
                              SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-08-20 15:46:38 ART
Last Seen                     2016-08-20 15:46:38 ART
Local ID                      a92a3932-23b1-42f4-a5af-80f8936ab410

Raw Audit Messages
type=AVC msg=audit(1471718798.871:97): avc:  denied  { write } for  pid=944 comm="accounts-daemon" name="root" dev="md127" ino=33575009 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write

WORKAROUND: (downgrade)
-----------------------

# dnf downgrade selinux-policy firewalld firewall-config firewalld-filesystem python3-firewall selinux-policy-targeted

After downgrading these packages (in my case) VMs can be started normally in virt-manager.


Good Packages: 
* selinux-policy-targeted-3.13.1-190.fc24.noarch
* selinux-policy-3.13.1-190.fc24.noarch
Comment 4 Chris K. 2016-08-22 00:15:38 EDT
I can confirm this as well.
Rolling back the packages resolve the issues.

Log of failed start of a VM in /var/log/audit.log:

type=USER_AVC msg=audit(1471787512.150:274): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Cheers,
Chris
Comment 5 ecrosby 2016-08-22 12:46:58 EDT
Same problem here.


Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
callback(*args, **kwargs)
File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
ret = fn(self, *args, **kwargs)
File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
self._backend.create()
File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.


As a temporary workaround so that I can open my VMs, I set the selinux policy to permissive.
Comment 6 Michael Kuhn 2016-08-22 12:59:53 EDT
I have the same problem. Installing the following module package works for me:

module xxx-virt 1.0;

require {
        type systemd_machined_t;
        type init_t;
        class system start;
}

#============= systemd_machined_t ==============
allow systemd_machined_t init_t:system start;
Comment 7 Nathanael Noblet 2016-08-22 13:05:08 EDT
Just a heads up I hit this issue today as well. I have no errors via ausearch -m avc -ts recent|today.
Comment 8 Stephen M 2016-08-22 13:07:55 EDT
Tried to create a VM using virt-manager. See error below. Resolved with 

$dnf --allowerasing downgrade to selinux-policy-3.13.1-190.fc24.noarch

-------------

Unable to complete install: 'SELinux policy denies access.'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 2288, in _do_async_install
    guest.start_install(meter=meter)
  File "/usr/share/virt-manager/virtinst/guest.py", line 461, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/guest.py", line 396, in _create_guest
    self.domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3727, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: SELinux policy denies access.
Comment 9 Vasco Rodrigues 2016-08-22 13:43:14 EDT
Got the same issue.
Comment 10 Jeffrey Cutter 2016-08-22 17:25:48 EDT
Same here.
Comment 11 Filip Dobrovolny 2016-08-22 17:27:42 EDT
Got it too.

Workaround is to downgrade all these packages:
dnf downgrade selinux-policy-targeted selinux-policy firewalld firewalld-filesystem python3-firewall 

(obtained from http://forums.fedoraforum.org/showpost.php?p=1769233&postcount=6)
Comment 12 rvcsaba 2016-08-22 17:40:38 EDT
Thanks, work it!

(In reply to Michael Kuhn from comment #6)
> I have the same problem. Installing the following module package works for
> me:
> 
> module xxx-virt 1.0;
> 
> require {
>         type systemd_machined_t;
>         type init_t;
>         class system start;
> }
> 
> #============= systemd_machined_t ==============
> allow systemd_machined_t init_t:system start;
Comment 13 Joseph D. Wagner 2016-08-22 21:19:15 EDT
*** Bug 1368923 has been marked as a duplicate of this bug. ***
Comment 14 Srihari Vijayaraghavan 2016-08-23 02:50:16 EDT
Same here. Downgrading selinux & firewalld dependencies "fixed" it for me.
Comment 15 Louis van Dyk 2016-08-23 03:43:28 EDT
*** Bug 1369048 has been marked as a duplicate of this bug. ***
Comment 16 k.rhino 2016-08-23 05:25:36 EDT
Same here. Existing virtual machine. After update cannot access it anymore.

Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.

Not very funny...
Comment 17 Daniel Walsh 2016-08-23 05:27:34 EDT
*** Bug 1369069 has been marked as a duplicate of this bug. ***
Comment 18 Amedeo Salvati 2016-08-23 07:03:48 EDT
(In reply to Michael Kuhn from comment #6)
> I have the same problem. Installing the following module package works for
> me:
> 
> module xxx-virt 1.0;
> 
> require {
>         type systemd_machined_t;
>         type init_t;
>         class system start;
> }
> 
> #============= systemd_machined_t ==============
> allow systemd_machined_t init_t:system start;

It works also for me! thanks!

if anyone want to apply this wa, below the simple commands:

# cat virt-manager-temp.te 
module virt-manager-temp 1.0;

require {
        type systemd_machined_t;
        type init_t;
        class system start;
}

#============= systemd_machined_t ==============
allow systemd_machined_t init_t:system start;

# checkmodule -M -m -o virt-manager-temp.mod virt-manager-temp.te
# semodule_package -o virt-manager-temp.pp -m virt-manager-temp.mod
# semodule -i virt-manager-temp.pp
Comment 19 Daniel Walsh 2016-08-23 07:04:01 EDT
*** Bug 1369199 has been marked as a duplicate of this bug. ***
Comment 20 Juergen Sievers 2016-08-23 07:20:50 EDT
dnf --allowerasing downgrade to selinux-policy-3.13.1-190.fc24.noarch
does the job.

thanks.
j.w.
Comment 21 Artur Flinta 2016-08-23 09:32:48 EDT
(In reply to Amedeo Salvati from comment #18)
I hit same problem yesterday and here is full WO in comment 18 :) Thanks!
Comment 22 David H. Gutteridge 2016-08-23 12:26:10 EDT
selinux-policy-3.13.1-191.13.fc24 now in Bodhi (though not yet in the updates-testing repository) has fixed the problem for me.

https://bodhi.fedoraproject.org/updates/FEDORA-2016-6164469d14
Comment 23 Strahil Nikolov 2016-08-23 15:00:59 EDT
*** Bug 1369481 has been marked as a duplicate of this bug. ***
Comment 24 Strahil Nikolov 2016-08-23 15:02:44 EDT
Happened to me too.Downgraded to previous version.
Comment 25 Sergei LITVINENKO 2016-08-23 16:08:18 EDT
I have the same too.
In case of policy is desabled or permissive everything work fine, but in case of pocily is enforcing (standard), virtual machine can not start.



Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.
Comment 26 Sergei LITVINENKO 2016-08-23 16:11:40 EDT
KDE

Steps to Reproduce:
1. Run virt-manager and login to root account
2. Run one of existing virtual machines
3. Receive fail and diagnostic...

How reproducible:
100%
Comment 27 Lukas Vrabec 2016-08-23 16:25:30 EDT
Please update to selinux-policy version: selinux-policy-3.13.1-191.13.fc24 
using:
# dnf update selinux-policy --enablerepo=updates-testing.

Thanks.
Comment 28 Suresh 2016-08-23 22:26:32 EDT
This version does not seems to be available in updates-testing repo:

[root@Suresh ~]# dnf list | grep selinux-policy
selinux-policy.noarch               3.13.1-191.12.fc24           @updates       
selinux-policy-devel.noarch         3.13.1-191.12.fc24           @updates       
selinux-policy-targeted.noarch      3.13.1-191.12.fc24           @updates       
selinux-policy-doc.noarch           3.13.1-190.fc24              updates-testing
selinux-policy-minimum.noarch       3.13.1-190.fc24              updates-testing
selinux-policy-mls.noarch           3.13.1-190.fc24              updates-testing
selinux-policy-sandbox.noarch       3.13.1-190.fc24              updates-testing
Comment 29 David H. Gutteridge 2016-08-23 23:36:51 EDT
@Suresh: it hasn't been pushed to the updates-testing repo yet, but you can manually download the necessary updated packages from Koji and update them on the command line.

http://koji.fedoraproject.org/koji/buildinfo?buildID=793828
Comment 30 Chris K. 2016-08-23 23:57:54 EDT
I can confirm a (manual as not pushed/synched yet) update to selinux-policy-3.13.1-191.13 via:
sudo dnf install selinux-policy-3.13.1-191.13.fc24.noarch.rpm selinux-policy-targeted-3.13.1-191.13.fc24.noarch.rpm

...works fine, I can start/stop machines again without issues. Also tested after reboot.
Thanks Lukas!
Comment 31 Sergei LITVINENKO 2016-08-24 03:45:59 EDT
>> Please update to selinux-policy version: selinux-policy-3.13.1-191.13.fc24
>> using: # dnf update selinux-policy --enablerepo=updates-testing.

It do not work, because necessary packages are missed in repo.


>> http://koji.fedoraproject.org/koji/buildinfo?buildID=793828

It work. Updating from koji solves the issue.
Comment 33 Severin Gehwolf 2016-08-24 10:50:25 EDT
The update works for me (used koji builds directly). Unfortunately, the update seems to be stuck in locked state. I.e. still in f24-updates-testing-pending.
Comment 34 Gwyn Ciesla 2016-08-24 11:11:53 EDT
I hit this and 191.13 fixes it.
Comment 35 Louis van Dyk 2016-08-24 12:20:17 EDT
I am not so lucky.  I saved the two RPMS I have installed and then tried to install them:

# dnf upgrade selinux-policy-3.13.1-191.13.fc24.noarch.rpm selinux-policy-targeted-3.13.1-191.13.fc24.noarch.rpm
Last metadata expiration check: 0:01:49 ago on Wed Aug 24 18:10:13 2016.
Error: package selinux-policy-targeted-3.13.1-191.13.fc24.noarch is not installable
(try to add '--allowerasing' to command line to replace conflicting packages)


Trying to install a rules module also failed on the last step:

# semodule -i virt-manager-temp.pp
Re-declaration of boolean virt_sandbox_use_fusefs
Failed to create node
Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:148
semodule:  Failed!


Any thoughts?

Otherwise "setenforce 0" is my friend until the patches are properly rolled out.
Comment 36 Louis van Dyk 2016-08-24 12:24:31 EDT
I came right - I saw in https://bugzilla.redhat.com/show_bug.cgi?id=1368745#c32 that he used:
dnf install
where I had tried
dnf upgrade

It doesn't seem like selinux wants the packages to be upgraded, only installed!
Comment 37 Daniel Walsh 2016-08-24 13:18:29 EDT
*** Bug 1369011 has been marked as a duplicate of this bug. ***
Comment 38 Fedora Update System 2016-08-24 13:26:17 EDT
selinux-policy-3.13.1-191.13.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6164469d14
Comment 39 Daniel Walsh 2016-08-24 13:45:14 EDT
*** Bug 1369884 has been marked as a duplicate of this bug. ***
Comment 40 Peter Larsen 2016-08-24 16:10:55 EDT
Still not seeing the update in testing - but the direct update from Koji resolved the problem for me too.
Comment 41 Juergen Sievers 2016-08-24 16:42:17 EDT
The solution from Koji blockes every futher updatest

[juergen@nadhh ~]$ echo $LANG
de_DE.utf8
[juergen@nadhh ~]$ export LANG=en_EN.utf8
[juergen@nadhh ~]$ sudo dnf -y update
Failed to set locale, defaulting to C
Last metadata expiration check: 1:15:52 ago on Wed Aug 24 21:23:57 2016.
Dependencies resolved.
=============================================================================================================================================================================================
 Package                                                      Arch                                 Version                                       Repository                             Size
=============================================================================================================================================================================================
Installing:
 fpc-srpm-macros                                              noarch                               1.0-1.fc24                                    fedora                                7.8 k
Upgrading:
 OpenImageIO                                                  x86_64                               1.6.16-1.fc24                                 updates                               1.7 M
 caja                                                         x86_64                               1.14.2-1.fc24                                 updates                               1.4 M
 caja-beesu                                                   x86_64                               1.14.1-1.fc24                                 updates                                17 k
 caja-extensions                                              x86_64                               1.14.2-1.fc24                                 updates                                35 k
 caja-extensions-common                                       noarch                               1.14.1-1.fc24                                 updates                               119 k
 caja-image-converter                                         x86_64                               1.14.1-1.fc24                                 updates                                24 k
 caja-open-terminal                                           x86_64                               1.14.1-1.fc24                                 updates                                20 k
 caja-schemas                                                 x86_64                               1.14.2-1.fc24                                 updates                               2.0 M
 caja-sendto                                                  x86_64                               1.14.1-1.fc24                                 updates                                62 k
 caja-share                                                   x86_64                               1.14.1-1.fc24                                 updates                                29 k
 caja-wallpaper                                               x86_64                               1.14.1-1.fc24                                 updates                                16 k
 eog                                                          x86_64                               3.20.4-1.fc24                                 updates                               3.9 M
 firewall-applet                                              noarch                               0.4.3.3-1.fc24                                updates                               112 k
 firewall-config                                              noarch                               0.4.3.3-1.fc24                                updates                               142 k
 firewalld                                                    noarch                               0.4.3.3-1.fc24                                updates                               428 k
 firewalld-filesystem                                         noarch                               0.4.3.3-1.fc24                                updates                                61 k
 libavc1394                                                   x86_64                               0.5.4-1.fc24                                  updates                                56 k
 libevdev                                                     x86_64                               1.5.3-1.fc24                                  updates                                39 k
 libgweather                                                  x86_64                               3.20.2-1.fc24                                 updates                               3.1 M
 mate-control-center                                          x86_64                               1.14.1-1.fc24                                 updates                               1.3 M
 mate-control-center-filesystem                               x86_64                               1.14.1-1.fc24                                 updates                                15 k
 mate-desktop                                                 x86_64                               1.14.1-4.fc24                                 updates                               109 k
 mate-desktop-libs                                            x86_64                               1.14.1-4.fc24                                 updates                               494 k
 mate-media                                                   x86_64                               1.14.1-1.fc24                                 updates                               263 k
 mate-panel                                                   x86_64                               1.14.2-1.fc24                                 updates                               1.7 M
 mate-panel-libs                                              x86_64                               1.14.2-1.fc24                                 updates                                46 k
 mate-settings-daemon                                         x86_64                               1.14.1-1.fc24                                 updates                               564 k
 mate-system-monitor                                          x86_64                               1.14.1-1.fc24                                 updates                               1.9 M
 python3-firewall                                             noarch                               0.4.3.3-1.fc24                                updates                               330 k
 qemu                                                         x86_64                               2:2.6.1-1.fc24                                updates                                63 k
 qemu-common                                                  x86_64                               2:2.6.1-1.fc24                                updates                               323 k
 qemu-guest-agent                                             x86_64                               2:2.6.1-1.fc24                                updates                               191 k
 qemu-img                                                     x86_64                               2:2.6.1-1.fc24                                updates                               828 k
 qemu-kvm                                                     x86_64                               2:2.6.1-1.fc24                                updates                                62 k
 qemu-system-aarch64                                          x86_64                               2:2.6.1-1.fc24                                updates                               2.5 M
 qemu-system-alpha                                            x86_64                               2:2.6.1-1.fc24                                updates                               1.9 M
 qemu-system-arm                                              x86_64                               2:2.6.1-1.fc24                                updates                               2.5 M
 qemu-system-cris                                             x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-lm32                                             x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-m68k                                             x86_64                               2:2.6.1-1.fc24                                updates                               1.9 M
 qemu-system-microblaze                                       x86_64                               2:2.6.1-1.fc24                                updates                               2.7 M
 qemu-system-mips                                             x86_64                               2:2.6.1-1.fc24                                updates                               8.4 M
 qemu-system-moxie                                            x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-or32                                             x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-ppc                                              x86_64                               2:2.6.1-1.fc24                                updates                               6.8 M
 qemu-system-s390x                                            x86_64                               2:2.6.1-1.fc24                                updates                               1.7 M
 qemu-system-sh4                                              x86_64                               2:2.6.1-1.fc24                                updates                               3.7 M
 qemu-system-sparc                                            x86_64                               2:2.6.1-1.fc24                                updates                               3.3 M
 qemu-system-tricore                                          x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-unicore32                                        x86_64                               2:2.6.1-1.fc24                                updates                               1.4 M
 qemu-system-x86                                              x86_64                               2:2.6.1-1.fc24                                updates                               4.5 M
 qemu-system-xtensa                                           x86_64                               2:2.6.1-1.fc24                                updates                               2.7 M
 qemu-user                                                    x86_64                               2:2.6.1-1.fc24                                updates                               8.3 M
 qemu-user-binfmt                                             x86_64                               2:2.6.1-1.fc24                                updates                                66 k
 redhat-rpm-config                                            noarch                               41-2.fc24                                     updates                                60 k

Transaction Summary
=============================================================================================================================================================================================
Install   1 Package
Upgrade  55 Packages

Total size: 81 M
Downloading Packages:
[SKIPPED] fpc-srpm-macros-1.0-1.fc24.noarch.rpm: Already downloaded                                                                                                                         
[SKIPPED] OpenImageIO-1.6.16-1.fc24.x86_64.rpm: Already downloaded                                                                                                                          
[SKIPPED] caja-1.14.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                                 
[SKIPPED] caja-extensions-1.14.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] caja-schemas-1.14.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                         
[SKIPPED] caja-beesu-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                           
[SKIPPED] caja-extensions-common-1.14.1-1.fc24.noarch.rpm: Already downloaded                                                                                                               
[SKIPPED] caja-wallpaper-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                       
[SKIPPED] caja-share-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                           
[SKIPPED] caja-sendto-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                          
[SKIPPED] caja-open-terminal-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                   
[SKIPPED] caja-image-converter-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                 
[SKIPPED] eog-3.20.4-1.fc24.x86_64.rpm: Already downloaded                                                                                                                                  
[SKIPPED] firewall-applet-0.4.3.3-1.fc24.noarch.rpm: Already downloaded                                                                                                                     
[SKIPPED] firewall-config-0.4.3.3-1.fc24.noarch.rpm: Already downloaded                                                                                                                     
[SKIPPED] firewalld-0.4.3.3-1.fc24.noarch.rpm: Already downloaded                                                                                                                           
[SKIPPED] firewalld-filesystem-0.4.3.3-1.fc24.noarch.rpm: Already downloaded                                                                                                                
[SKIPPED] python3-firewall-0.4.3.3-1.fc24.noarch.rpm: Already downloaded                                                                                                                    
[SKIPPED] libavc1394-0.5.4-1.fc24.x86_64.rpm: Already downloaded                                                                                                                            
[SKIPPED] libevdev-1.5.3-1.fc24.x86_64.rpm: Already downloaded                                                                                                                              
[SKIPPED] libgweather-3.20.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                          
[SKIPPED] mate-control-center-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                  
[SKIPPED] mate-control-center-filesystem-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                       
[SKIPPED] mate-desktop-1.14.1-4.fc24.x86_64.rpm: Already downloaded                                                                                                                         
[SKIPPED] mate-desktop-libs-1.14.1-4.fc24.x86_64.rpm: Already downloaded                                                                                                                    
[SKIPPED] mate-media-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                           
[SKIPPED] mate-panel-1.14.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                           
[SKIPPED] mate-panel-libs-1.14.2-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] mate-settings-daemon-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                 
[SKIPPED] mate-system-monitor-1.14.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                  
[SKIPPED] qemu-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                                  
[SKIPPED] qemu-img-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                              
[SKIPPED] qemu-system-aarch64-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                   
[SKIPPED] qemu-system-alpha-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                     
[SKIPPED] qemu-system-arm-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                       
[SKIPPED] qemu-system-cris-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-system-lm32-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-system-m68k-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-system-microblaze-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                
[SKIPPED] qemu-system-mips-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-system-moxie-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                     
[SKIPPED] qemu-system-or32-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-system-ppc-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                       
[SKIPPED] qemu-system-s390x-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                     
[SKIPPED] qemu-system-sh4-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                       
[SKIPPED] qemu-system-sparc-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                     
[SKIPPED] qemu-system-tricore-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                   
[SKIPPED] qemu-system-unicore32-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                 
[SKIPPED] qemu-system-x86-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                       
[SKIPPED] qemu-system-xtensa-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                    
[SKIPPED] qemu-user-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                             
[SKIPPED] qemu-common-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                           
[SKIPPED] qemu-kvm-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                              
[SKIPPED] qemu-user-binfmt-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] qemu-guest-agent-2.6.1-1.fc24.x86_64.rpm: Already downloaded                                                                                                                      
[SKIPPED] redhat-rpm-config-41-2.fc24.noarch.rpm: Already downloaded                                                                                                                        
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Failed to obtain the transaction lock (logged in as: root).
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Could not run transaction.
[juergen@nadhh ~]$
Comment 42 Chris Murphy 2016-08-24 17:35:04 EDT
*** Bug 1369954 has been marked as a duplicate of this bug. ***
Comment 43 Nazim Aliyev 2016-08-24 18:29:28 EDT
(In reply to Michael Kuhn from comment #6)
> I have the same problem. Installing the following module package works for
> me:
> 
> module xxx-virt 1.0;
> 
> require {
>         type systemd_machined_t;
>         type init_t;
>         class system start;
> }
> 
> #============= systemd_machined_t ==============
> allow systemd_machined_t init_t:system start;

This worked, thanks Michael Kuhn
Comment 44 Reartes Guillermo 2016-08-24 20:07:29 EDT
I enabled updates-testing and then updated to:

selinux-policy.noarch          3.13.1-191.13.fc24 @updates-testing
selinux-policy-targeted.noarch 3.13.1-191.13.fc24 @updates-testing

Then disabled updates-testing, updated the other packages from the normal updates repo. Then i did a reboot.

I can start VMs normally. So it seems fixed.
Thanks.
Comment 45 Ryan 2016-08-24 23:51:37 EDT
I am also experiencing this issue. I've enabled updates-testing, but I can't see the updated package currently.
Comment 46 Strahil Nikolov 2016-08-25 02:27:50 EDT
The selinux-policy and selinux policy-targeted 3.13.1-191.13.fc24 is working.
Here is how to update via dnf :
#dnf --disablerepo=* --enablerepo=updates-testing  update selinux-policy-targeted
Comment 47 Fedora Update System 2016-08-25 09:52:32 EDT
selinux-policy-3.13.1-191.13.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.