Bug 1390345 - libvirt cannot start machine w/ backing file & SELinux enabled
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: x86_64
OS: Linux
Assignee: Libvirt Maintainers
Reported: 2016-10-31 18:34 UTC by Nelson Araujo
Modified: 2018-07-18 15:06 UTC


Description Nelson Araujo 2016-10-31 18:34:19 UTC
Description of problem:

With SELinux in Enforcing mode


Version-Release number of selected component (if applicable):

libvirt-1.3.3.2-1.fc24.x86_64
kernel-4.7.9-200.fc24.x86_64
selinux-policy-targeted-3.13.1-191.19.fc24.noarch


How reproducible:
100%


Steps to Reproduce:
1. Create a .qcow2 image with a backing file
2. Set SELinux to Enforcing mode
3. Start the VM: "virsh start mymachine"

Actual results:

Access denied while accessing the template file.


Expected results:

VM to start


Additional info:

When libvirt attempts to start the VM, it sets a label with ":s0:cXXX.cYYY" on the machine image. Although the template is "r--r--r--" and is ":s0", and the qemu user can access the machine, it gets access denied.

type=AVC msg=audit(1477934362.744:2180): avc:  denied  { read } for  pid=19743 comm="qemu-system-x86" name="vm" dev="dm-2" ino=499679 scontext=system_u:system_r:svirt_t:s0:c284,c779 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0

By creating an image without the backing file (and no other changes) the VM starts successfully.
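
Added example (not part of the original report and not libvirt code): a small Python parser that splits the AVC record quoted above into its fields and checks whether the source MCS level dominates the target's. It assumes single-level contexts and the usual MCS rule that a read requires the source level to dominate the target level; the function names are illustrative.

```python
import re

# AVC record copied verbatim from the report above.
AVC = ('type=AVC msg=audit(1477934362.744:2180): avc:  denied  { read } for  '
       'pid=19743 comm="qemu-system-x86" name="vm" dev="dm-2" ino=499679 '
       'scontext=system_u:system_r:svirt_t:s0:c284,c779 '
       'tcontext=system_u:object_r:default_t:s0 tclass=lnk_file permissive=0')

def expand_categories(cats):
    """'c284,c779' -> {284, 779}; 'c0.c3' (a range) -> {0, 1, 2, 3}; '' -> set()."""
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        out.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return out

def parse_context(ctx):
    """Split user:role:type:level. Assumption: a single level, not a low-high range."""
    user, role, typ, level = ctx.split(":", 3)
    if "-" in level:
        raise ValueError("level ranges are not handled in this example")
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": typ,
            "sens": int(sens[1:]), "cats": expand_categories(cats)}

def analyze(line):
    """Extract the fields needed to triage one AVC denial."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line).group(1).split()
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    src, tgt = parse_context(kv["scontext"]), parse_context(kv["tcontext"])
    # Assumed MCS rule: the source level must dominate the target level,
    # i.e. sensitivity >= and the category set is a superset.
    dominates = src["sens"] >= tgt["sens"] and src["cats"] >= tgt["cats"]
    return {"perms": perms, "name": kv.get("name"), "tclass": kv["tclass"],
            "source": src, "target": tgt, "source_dominates": dominates}

if __name__ == "__main__":
    r = analyze(AVC)
    print(f"denied {r['perms']} on {r['tclass']} name={r['name']!r}")
    print(f"{r['source']['type']} -> {r['target']['type']}")
    print("source level dominates target:", r["source_dominates"])
```

For this record the denied object is a symbolic link (tclass=lnk_file) named "vm" labelled default_t, and the source level s0:c284,c779 dominates the target's s0. Running audit2why on the same record reports the reason as evaluated against the loaded policy.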

