Bug 1369199 - VM can't be started because of selinux
Summary: VM can't be started because of selinux
Status: CLOSED DUPLICATE of bug 1368745
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
: 1368959 (view as bug list)
Reported: 2016-08-22 16:10 UTC by jniederm
Modified: 2016-08-23 11:04 UTC

Last Closed: 2016-08-23 11:04:01 UTC
Type: Bug


Attachments:
update info.txt (14.82 KB, text/plain), 2016-08-22 16:10 UTC, jniederm

Description jniederm 2016-08-22 16:10:42 UTC
Created attachment 1192967
update info.txt

Description of problem:
VMs can't be started either from the virt-manager GUI or from virsh because of SELinux. The problem appeared after an update and reboot (see the attachment for the update description).

Version-Release number of selected component (if applicable):
libvirt-daemon.x86_64                     1.3.3.2-1.fc24                @updates
selinux-policy.noarch                     3.13.1-191.12.fc24            @updates
selinux-policy-targeted.noarch            3.13.1-191.12.fc24            @updates
systemd-container.x86_64                  229-13.fc24                   @updates
virt-manager.noarch                       1.4.0-3.fc24                  @updates

How reproducible:
100%

Steps to Reproduce:
1. Make sure there is a working VM in virt-manager
2. Start the VM in virt-manager

Actual results:
Error popup "SELinux policy denies access" with Python stack trace:
Error starting domain: SELinux policy denies access.

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 124, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 83, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1404, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: SELinux policy denies access.



Expected results:
VM started

Additional info:

Comment 1 jniederm 2016-08-22 16:14:32 UTC
from /var/log/audit/audit.log:

type=USER_AVC msg=audit(1471881821.995:560): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 2 Jiri Denemark 2016-08-22 18:40:36 UTC
*** Bug 1368959 has been marked as a duplicate of this bug. ***

Comment 3 Jiri Denemark 2016-08-22 18:45:09 UTC
Apparently, things broke after selinux-policy had been updated; libvirt was not updated at all.

Comment 4 Daniel Walsh 2016-08-23 09:20:57 UTC
Try turning off the dontaudit rules:

semodule -DB

And try again. Then check the AVCs to see if there is anything related to virt or qemu.

Turn the dontaudit rules back on with:

semodule -B
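
The check that Comment 4 asks for, as an added example that is not part of the original bug report: a shell function that reduces audit records to source type, target type, class and permission, and keeps only those touching virt, qemu or machined types. The function names, the type pattern and two of the three sample records are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report). Summarise SELinux denials read from
# stdin, keeping only those whose source or target type looks related to
# virtualization. VIRT_PATTERN is an assumed, illustrative pattern.
VIRT_PATTERN='virt|qemu|machined'

avc_summary() {
    # Works on kernel AVC records and on USER_AVC records, where the denial is
    # wrapped in msg='avc: denied ...' as in Comment 1.
    awk -v pat="$VIRT_PATTERN" '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # An SELinux context is user:role:type:level; field 3 is the type.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s ~ pat || t ~ pat)
            count[s " -> " t " " c " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }' | sort
}

sample_log() {
    # Record 1 is the one quoted in Comment 1; records 2 and 3 are constructed.
    cat <<'EOF'
type=USER_AVC msg=audit(1471881821.995:560): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471881900.000:601): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1471881910.000:602): avc:  denied  { read } for  pid=1234 comm="httpd" name="example" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Live use, between `semodule -DB` and `semodule -B`, after retrying the VM start:
#   ausearch -m AVC,USER_AVC -ts recent | avc_summary
sample_log | avc_summary
```

On the sample input the unrelated httpd_t denial is dropped and the two systemd_machined_t records collapse into one counted line.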

Comment 5 Jan Vlug 2016-08-23 10:01:50 UTC
Duplicate of bug 1368745?

Comment 6 Daniel Walsh 2016-08-23 11:04:01 UTC

*** This bug has been marked as a duplicate of bug 1368745 ***

