Description of problem: The latest selinux-policy pushed to stable for Fedora 24 prevents me from starting or creating virtual machines in some contexts. (I can still use Gnome-Boxes for simple stuff, but virt-manager doesn't work.) Version-Release number of selected component (if applicable): selinux-policy-3.13.1-191.12.fc24 How reproducible: Always Steps to Reproduce: 1. Try creating or running a virtual machine using virt-manager (or virsh, as another user reported separately on Bodhi). 2. SELinux will prevent this from happening. Additional info: Sample log output via journalctl: Aug 20 02:33:25 arcusix.nonus-porta.net audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Aug 20 02:33:25 arcusix.nonus-porta.net audit: ANOM_PROMISCUOUS dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295 Aug 20 02:33:25 arcusix.nonus-porta.net systemd-machined[23572]: Failed to start machine scope: Access denied Aug 20 02:33:25 arcusix.nonus-porta.net libvirtd[1101]: SELinux policy denies access. Aug 20 02:33:25 arcusix.nonus-porta.net virtlogd[23562]: libvirt version: 1.3.3.2, package: 1.fc24 (Fedora Project, 2016-07-19-00:36:57, buildvm-25.phx2.fedoraproject.org) Reverting to selinux-policy-3.13.1-191.10.fc24 fixes the problem.
Same problem here. Aug 21 14:57:48 deer audit[3887]: VIRT_MACHINE_ID pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd vm-ctx=system_u:system_r:svirt_t:s0:c251,c995 img-ctx=system_u:object_r:svirt_image_t:s0:c251,c995 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Aug 21 14:57:48 deer audit[3887]: VIRT_MACHINE_ID pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8152] manager: (vnet0): new Tun device (/org/freedesktop/NetworkManager/Devices/12) Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered blocking state Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state Aug 21 14:57:48 deer kernel: device vnet0 entered promiscuous mode Aug 21 14:57:48 deer audit: ANOM_PROMISCUOUS dev=vnet0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295 Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered blocking state Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered listening state Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8687] device (vnet0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8731] keyfile: add connection in-memory (5be444bb-ed22-47ad-b09e-5a8af883162d,"vnet0") Aug 21 14:57:48 deer audit[3887]: VIRT_RESOURCE pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=open vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd net=52:54:00:e5:28:b8 path="/dev/net/tun" rdev=0A:C8 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8770] device (vnet0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8791] device (vnet0): Activation: starting connection 'vnet0' (5be444bb-ed22-47ad-b09e-5a8af883162d) Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8800] device (vnet0): state change: disconnected -> prepare (reason 'none') [30 40 0] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8805] device (vnet0): state change: prepare -> config (reason 'none') [40 50 0] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8807] device (vnet0): state change: config -> ip-config (reason 'none') [50 70 0] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8807] device (virbr0): bridge port vnet0 was attached Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8808] device (vnet0): Activation: connection 'vnet0' enslaved, continuing activation Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8810] device (vnet0): state change: ip-config -> secondaries (reason 'none') [70 90 0] Aug 21 14:57:48 deer NetworkManager[859]: <info> [1471784268.8812] device (vnet0): state change: secondaries -> activated (reason 'none') [90 100 0] Aug 21 14:57:48 deer audit[3887]: VIRT_RESOURCE pid=3887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=open vm="Fedora24_builder" uuid=70128204-575a-4f3e-8bea-eda450cb81fd net=52:54:00:e5:28:b8 path="/dev/vhost-net" rdev=0A:EE exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Aug 21 14:57:48 deer audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Aug 21 14:57:48 deer systemd-machined[9028]: Failed to start machine scope: Access denied Aug 21 14:57:48 deer libvirtd[3887]: SELinux policy denies access. Aug 21 14:57:48 deer virtlogd[3248]: End of file while reading data: Input/output error Aug 21 14:57:48 deer virtlogd[3248]: Cannot open log file: '/var/log/libvirt/qemu/Fedora24_builder.log': Device or resource busy Aug 21 14:57:48 deer libvirtd[3887]: Cannot open log file: '/var/log/libvirt/qemu/Fedora24_builder.log': Device or resource busy Aug 21 14:57:48 deer virtlogd[3248]: End of file while reading data: Input/output error Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state Aug 21 14:57:48 deer audit: ANOM_PROMISCUOUS dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295 Aug 21 14:57:48 deer kernel: device vnet0 left promiscuous mode Aug 21 14:57:48 deer kernel: virbr0: port 1(vnet0) entered disabled state Aug 21 14:57:48 deer libvirtd[3887]: ethtool ioctl error: No such device
Same problem here. Affected version: selinux-policy-3.13.1-191.12.fc24.noarch Workaround: dnf downgrade to selinux-policy-3.13.1-190.fc24.noarch When starting VM in virt-manager: Error starting domain: SELinux policy denies access. Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup self._backend.create() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: SELinux policy denies access. Output from sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing accounts-daemon from write access on the directory /root. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that accounts-daemon should be allowed write access on the root directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon # semodule -X 300 -i my-accountsdaemon.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:object_r:admin_home_t:s0 Target Objects /root [ dir ] Source accounts-daemon Source Path accounts-daemon Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-191.12.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-08-17 22:18:25 EDT Last Seen 2016-08-17 22:18:25 EDT Local ID 964d00fb-f47b-4a81-8e8b-b8f7a10ca8aa Raw Audit Messages type=AVC msg=audit(1471486705.452:102): avc: denied { write } for pid=922 comm="accounts-daemon" name="root" dev="dm-0" ino=268 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0 Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write
Hi, I also cannot start any VMs vith virt-manager. It seems i upgraded some packagesd also... # sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing accounts-daemon from write access on the directory /root. ***** Plugin catchall (100. confidence) suggests ************************** If cree que de manera predeterminada, accounts-daemon debería permitir acceso write sobre root directory. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do allow this access for now by executing: # ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon # semodule -X 300 -i my-accountsdaemon.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:object_r:admin_home_t:s0 Target Objects /root [ dir ] Source accounts-daemon Source Path accounts-daemon Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages filesystem-3.2-37.fc24.x86_64 Policy RPM selinux-policy-3.13.1-191.12.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name luna.localdomain Platform Linux luna.localdomain 4.6.6-300.fc24.x86_64 #1 SMP Wed Aug 10 21:07:35 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-08-20 15:46:38 ART Last Seen 2016-08-20 15:46:38 ART Local ID a92a3932-23b1-42f4-a5af-80f8936ab410 Raw Audit Messages type=AVC msg=audit(1471718798.871:97): avc: denied { write } for pid=944 comm="accounts-daemon" name="root" dev="md127" ino=33575009 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0 Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write WORKAROUND: (downgrade) ----------------------- # dnf downgrade selinux-policy firewalld firewall-config firewalld-filesystem python3-firewall selinux-policy-targeted After downgrading these packages (in my case) VMs can be started normally in virt-manager. Good Packages: * selinux-policy-targeted-3.13.1-190.fc24.noarch * selinux-policy-3.13.1-190.fc24.noarch
I can confirm this as well. Rolling back the packages resolve the issues. Log of failed start of a VM in /var/log/audit.log: type=USER_AVC msg=audit(1471787512.150:274): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Cheers, Chris
Same problem here. Error starting domain: SELinux policy denies access. Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup self._backend.create() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: SELinux policy denies access. As a temporary workaround so that I can open my VMs, I set the selinux policy to permissive.
I have the same problem. Installing the following module package works for me: module xxx-virt 1.0; require { type systemd_machined_t; type init_t; class system start; } #============= systemd_machined_t ============== allow systemd_machined_t init_t:system start;
Just a heads up I hit this issue today as well. I have no errors via ausearch -m avc -ts recent|today.
Tried to create a VM using virt-manager. See error below. Resolved with $dnf --allowerasing downgrade to selinux-policy-3.13.1-190.fc24.noarch ------------- Unable to complete install: 'SELinux policy denies access.' Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/create.py", line 2288, in _do_async_install guest.start_install(meter=meter) File "/usr/share/virt-manager/virtinst/guest.py", line 461, in start_install doboot, transient) File "/usr/share/virt-manager/virtinst/guest.py", line 396, in _create_guest self.domain = self.conn.createXML(install_xml or final_xml, 0) File "/usr/lib64/python2.7/site-packages/libvirt.py", line 3727, in createXML if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self) libvirtError: SELinux policy denies access.
Got the same issue.
Same here.
Got it too. Workaround is to downgrade all these packages: dnf downgrade selinux-policy-targeted selinux-policy firewalld firewalld-filesystem python3-firewall (obtained from http://forums.fedoraforum.org/showpost.php?p=1769233&postcount=6)
Thanks, work it! (In reply to Michael Kuhn from comment #6) > I have the same problem. Installing the following module package works for > me: > > module xxx-virt 1.0; > > require { > type systemd_machined_t; > type init_t; > class system start; > } > > #============= systemd_machined_t ============== > allow systemd_machined_t init_t:system start;
*** Bug 1368923 has been marked as a duplicate of this bug. ***
Same here. Downgrading selinux & firewalld dependencies "fixed" it for me.
*** Bug 1369048 has been marked as a duplicate of this bug. ***
Same here. Existing virtual machine. After update cannot access it anymore. Error starting domain: SELinux policy denies access. Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup self._backend.create() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: SELinux policy denies access. Not very funny...
*** Bug 1369069 has been marked as a duplicate of this bug. ***
(In reply to Michael Kuhn from comment #6) > I have the same problem. Installing the following module package works for > me: > > module xxx-virt 1.0; > > require { > type systemd_machined_t; > type init_t; > class system start; > } > > #============= systemd_machined_t ============== > allow systemd_machined_t init_t:system start; It works also for me! thanks! if anyone want to apply this wa, below the simple commands: # cat virt-manager-temp.te module virt-manager-temp 1.0; require { type systemd_machined_t; type init_t; class system start; } #============= systemd_machined_t ============== allow systemd_machined_t init_t:system start; # checkmodule -M -m -o virt-manager-temp.mod virt-manager-temp.te # semodule_package -o virt-manager-temp.pp -m virt-manager-temp.mod # semodule -i virt-manager-temp.pp
*** Bug 1369199 has been marked as a duplicate of this bug. ***
dnf --allowerasing downgrade to selinux-policy-3.13.1-190.fc24.noarch does the job. thanks. j.w.
(In reply to Amedeo Salvati from comment #18) I hit same problem yesterday and here is full WO in comment 18 :) Thanks!
selinux-policy-3.13.1-191.13.fc24 now in Bodhi (though not yet in the updates-testing repository) has fixed the problem for me. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6164469d14
*** Bug 1369481 has been marked as a duplicate of this bug. ***
Happened to me too.Downgraded to previous version.
I have the same too. In case of policy is desabled or permissive everything work fine, but in case of pocily is enforcing (standard), virtual machine can not start. Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn ret = fn(self, *args, **kwargs) File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup self._backend.create() File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self) libvirtError: SELinux policy denies access.
KDE Steps to Reproduce: 1. Run virt-manager and login to root account 2. Run one of existing virtual machines 3. Receive fail and diagnostic... How reproducible: 100%
Please update to selinux-policy version: selinux-policy-3.13.1-191.13.fc24 using: # dnf update selinux-policy --enablerepo=updates-testing. Thanks.
This version does not seems to be available in updates-testing repo: [root@Suresh ~]# dnf list | grep selinux-policy selinux-policy.noarch 3.13.1-191.12.fc24 @updates selinux-policy-devel.noarch 3.13.1-191.12.fc24 @updates selinux-policy-targeted.noarch 3.13.1-191.12.fc24 @updates selinux-policy-doc.noarch 3.13.1-190.fc24 updates-testing selinux-policy-minimum.noarch 3.13.1-190.fc24 updates-testing selinux-policy-mls.noarch 3.13.1-190.fc24 updates-testing selinux-policy-sandbox.noarch 3.13.1-190.fc24 updates-testing
@Suresh: it hasn't been pushed to the updates-testing repo yet, but you can manually download the necessary updated packages from Koji and update them on the command line. http://koji.fedoraproject.org/koji/buildinfo?buildID=793828
I can confirm a (manual as not pushed/synched yet) update to selinux-policy-3.13.1-191.13 via: sudo dnf install selinux-policy-3.13.1-191.13.fc24.noarch.rpm selinux-policy-targeted-3.13.1-191.13.fc24.noarch.rpm ...works fine, I can start/stop machines again without issues. Also tested after reboot. Thanks Lukas!
>> Please update to selinux-policy version: selinux-policy-3.13.1-191.13.fc24 >> using: # dnf update selinux-policy --enablerepo=updates-testing. It do not work, because necessary packages are missed in repo. >> http://koji.fedoraproject.org/koji/buildinfo?buildID=793828 It work. Updating from koji solves the issue.
It works, but had to be from koji. I used this command, to test it out. sudo dnf install https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/191.13.fc24/noarch/selinux-policy-3.13.1-191.13.fc24.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/191.13.fc24/noarch/selinux-policy-targeted-3.13.1-191.13.fc24.noarch.rpm
The update works for me (used koji builds directly). Unfortunately, the update seems to be stuck in locked state. I.e. still in f24-updates-testing-pending.
I hit this and 191.13 fixes it.
I am not so lucky. I saved the two RPMS I have installed and then tried to install them: # dnf upgrade selinux-policy-3.13.1-191.13.fc24.noarch.rpm selinux-policy-targeted-3.13.1-191.13.fc24.noarch.rpm Last metadata expiration check: 0:01:49 ago on Wed Aug 24 18:10:13 2016. Error: package selinux-policy-targeted-3.13.1-191.13.fc24.noarch is not installable (try to add '--allowerasing' to command line to replace conflicting packages) Trying to install a rules module also failed on the last step: # semodule -i virt-manager-temp.pp Re-declaration of boolean virt_sandbox_use_fusefs Failed to create node Bad boolean declaration at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:148 semodule: Failed! Any thoughts? Otherwise "setenforce 0" is my friend until the patches are properly rolled out.
I came right - I saw in https://bugzilla.redhat.com/show_bug.cgi?id=1368745#c32 that he used: dnf install where I had tried dnf upgrade It doesn't seem like selinux wants the packages to be upgraded, only installed!
*** Bug 1369011 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-191.13.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6164469d14
*** Bug 1369884 has been marked as a duplicate of this bug. ***
Still not seeing the update in testing - but the direct update from Koji resolved the problem for me too.
The solution from Koji blockes every futher updatest [juergen@nadhh ~]$ echo $LANG de_DE.utf8 [juergen@nadhh ~]$ export LANG=en_EN.utf8 [juergen@nadhh ~]$ sudo dnf -y update Failed to set locale, defaulting to C Last metadata expiration check: 1:15:52 ago on Wed Aug 24 21:23:57 2016. Dependencies resolved. ============================================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================================= Installing: fpc-srpm-macros noarch 1.0-1.fc24 fedora 7.8 k Upgrading: OpenImageIO x86_64 1.6.16-1.fc24 updates 1.7 M caja x86_64 1.14.2-1.fc24 updates 1.4 M caja-beesu x86_64 1.14.1-1.fc24 updates 17 k caja-extensions x86_64 1.14.2-1.fc24 updates 35 k caja-extensions-common noarch 1.14.1-1.fc24 updates 119 k caja-image-converter x86_64 1.14.1-1.fc24 updates 24 k caja-open-terminal x86_64 1.14.1-1.fc24 updates 20 k caja-schemas x86_64 1.14.2-1.fc24 updates 2.0 M caja-sendto x86_64 1.14.1-1.fc24 updates 62 k caja-share x86_64 1.14.1-1.fc24 updates 29 k caja-wallpaper x86_64 1.14.1-1.fc24 updates 16 k eog x86_64 3.20.4-1.fc24 updates 3.9 M firewall-applet noarch 0.4.3.3-1.fc24 updates 112 k firewall-config noarch 0.4.3.3-1.fc24 updates 142 k firewalld noarch 0.4.3.3-1.fc24 updates 428 k firewalld-filesystem noarch 0.4.3.3-1.fc24 updates 61 k libavc1394 x86_64 0.5.4-1.fc24 updates 56 k libevdev x86_64 1.5.3-1.fc24 updates 39 k libgweather x86_64 3.20.2-1.fc24 updates 3.1 M mate-control-center x86_64 1.14.1-1.fc24 updates 1.3 M mate-control-center-filesystem x86_64 1.14.1-1.fc24 updates 15 k mate-desktop x86_64 1.14.1-4.fc24 updates 109 k mate-desktop-libs x86_64 1.14.1-4.fc24 updates 494 k mate-media x86_64 1.14.1-1.fc24 updates 263 k mate-panel x86_64 1.14.2-1.fc24 updates 1.7 M mate-panel-libs x86_64 1.14.2-1.fc24 updates 46 k mate-settings-daemon x86_64 1.14.1-1.fc24 updates 564 k mate-system-monitor x86_64 1.14.1-1.fc24 updates 1.9 M python3-firewall noarch 0.4.3.3-1.fc24 updates 330 k qemu x86_64 2:2.6.1-1.fc24 updates 63 k qemu-common x86_64 2:2.6.1-1.fc24 updates 323 k qemu-guest-agent x86_64 2:2.6.1-1.fc24 updates 191 k qemu-img x86_64 2:2.6.1-1.fc24 updates 828 k qemu-kvm x86_64 2:2.6.1-1.fc24 updates 62 k qemu-system-aarch64 x86_64 2:2.6.1-1.fc24 updates 2.5 M qemu-system-alpha x86_64 2:2.6.1-1.fc24 updates 1.9 M qemu-system-arm x86_64 2:2.6.1-1.fc24 updates 2.5 M qemu-system-cris x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-lm32 x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-m68k x86_64 2:2.6.1-1.fc24 updates 1.9 M qemu-system-microblaze x86_64 2:2.6.1-1.fc24 updates 2.7 M qemu-system-mips x86_64 2:2.6.1-1.fc24 updates 8.4 M qemu-system-moxie x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-or32 x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-ppc x86_64 2:2.6.1-1.fc24 updates 6.8 M qemu-system-s390x x86_64 2:2.6.1-1.fc24 updates 1.7 M qemu-system-sh4 x86_64 2:2.6.1-1.fc24 updates 3.7 M qemu-system-sparc x86_64 2:2.6.1-1.fc24 updates 3.3 M qemu-system-tricore x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-unicore32 x86_64 2:2.6.1-1.fc24 updates 1.4 M qemu-system-x86 x86_64 2:2.6.1-1.fc24 updates 4.5 M qemu-system-xtensa x86_64 2:2.6.1-1.fc24 updates 2.7 M qemu-user x86_64 2:2.6.1-1.fc24 updates 8.3 M qemu-user-binfmt x86_64 2:2.6.1-1.fc24 updates 66 k redhat-rpm-config noarch 41-2.fc24 updates 60 k Transaction Summary ============================================================================================================================================================================================= Install 1 Package Upgrade 55 Packages Total size: 81 M Downloading Packages: [SKIPPED] fpc-srpm-macros-1.0-1.fc24.noarch.rpm: Already downloaded [SKIPPED] OpenImageIO-1.6.16-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-1.14.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-extensions-1.14.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-schemas-1.14.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-beesu-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-extensions-common-1.14.1-1.fc24.noarch.rpm: Already downloaded [SKIPPED] caja-wallpaper-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-share-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-sendto-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-open-terminal-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] caja-image-converter-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] eog-3.20.4-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] firewall-applet-0.4.3.3-1.fc24.noarch.rpm: Already downloaded [SKIPPED] firewall-config-0.4.3.3-1.fc24.noarch.rpm: Already downloaded [SKIPPED] firewalld-0.4.3.3-1.fc24.noarch.rpm: Already downloaded [SKIPPED] firewalld-filesystem-0.4.3.3-1.fc24.noarch.rpm: Already downloaded [SKIPPED] python3-firewall-0.4.3.3-1.fc24.noarch.rpm: Already downloaded [SKIPPED] libavc1394-0.5.4-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] libevdev-1.5.3-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] libgweather-3.20.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-control-center-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-control-center-filesystem-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-desktop-1.14.1-4.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-desktop-libs-1.14.1-4.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-media-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-panel-1.14.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-panel-libs-1.14.2-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-settings-daemon-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] mate-system-monitor-1.14.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-img-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-aarch64-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-alpha-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-arm-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-cris-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-lm32-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-m68k-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-microblaze-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-mips-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-moxie-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-or32-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-ppc-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-s390x-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-sh4-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-sparc-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-tricore-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-unicore32-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-x86-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-system-xtensa-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-user-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-common-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-kvm-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-user-binfmt-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] qemu-guest-agent-2.6.1-1.fc24.x86_64.rpm: Already downloaded [SKIPPED] redhat-rpm-config-41-2.fc24.noarch.rpm: Already downloaded Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Failed to obtain the transaction lock (logged in as: root). The downloaded packages were saved in cache until the next successful transaction. You can remove cached packages by executing 'dnf clean packages'. Error: Could not run transaction. [juergen@nadhh ~]$
*** Bug 1369954 has been marked as a duplicate of this bug. ***
(In reply to Michael Kuhn from comment #6) > I have the same problem. Installing the following module package works for > me: > > module xxx-virt 1.0; > > require { > type systemd_machined_t; > type init_t; > class system start; > } > > #============= systemd_machined_t ============== > allow systemd_machined_t init_t:system start; This worked, thanks Michael Kuhn
I enabled updates-testing and then updated to: selinux-policy.noarch 3.13.1-191.13.fc24 @updates-testing selinux-policy-targeted.noarch 3.13.1-191.13.fc24 @updates-testing Then disabled updates-testing, updated the other packages from the normal updates repo. Then i did a reboot. I can start VMs normally. So it seems fixed. Thanks.
I am also experiencing this issue. I've enabled updates-testing, but I can't see the updated package currently.
The selinux-policy and selinux policy-targeted 3.13.1-191.13.fc24 is working. Here is how to update via dnf : #dnf --disablerepo=* --enablerepo=updates-testing update selinux-policy-targeted
selinux-policy-3.13.1-191.13.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.