I'm not in a position to upgrade this box, so my apologies if this has already been handled, but:

On an F24 box with unconfined disabled, this:

$ sudo virsh start vrici
error: Failed to start domain vrici
error: Failed to recv file descriptor: Permission denied

Generates this:

type=AVC msg=audit(1480978952.178:3957): avc: denied { rlimitinh } for pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978952.178:3958): avc: denied { siginh } for pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978952.178:3959): avc: denied { noatsecure } for pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978954.213:3960): avc: denied { write } for pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.214:3961): avc: denied { wake_alarm } for pid=1339 comm="systemd-udevd" capability=35 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480978954.327:3965): avc: denied { getattr } for pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.379:3970): avc: denied { ioctl } for pid=13420 comm="grep" path="pipe:[680258]" dev="pipefs" ino=680258 ioctlcmd=0x5401 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.621:3971): avc: denied { write } for pid=13410 comm="qemu-system-x86" name="memfd:test" dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480978954.621:3972): avc: denied { read } for pid=13410 comm="qemu-system-x86" path=2F6D656D66643A74657374202864656C6574656429 dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
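A triage aid for the denials in the report above, added here as an example (it is not part of the bug report or of selinux-policy): it groups AVC records by source type, target type and class, and decodes the hex-encoded path= field seen in the last record. The function names are my own; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Five of the AVC records from the report above, copied verbatim.
SAMPLE = """\
type=AVC msg=audit(1480978952.178:3957): avc: denied { rlimitinh } for pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978952.178:3958): avc: denied { siginh } for pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978954.213:3960): avc: denied { write } for pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.327:3965): avc: denied { getattr } for pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.621:3972): avc: denied { read } for pid=13410 comm="qemu-system-x86" path=2F6D656D66643A74657374202864656C6574656429 dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r'\bpath=("[^"]*"|[0-9A-Fa-f]+)')

def se_type(context):
    # An SELinux context is user:role:type:level; the policy rule is keyed on the type.
    return context.split(":")[2]

def decode_path(raw):
    """Quoted paths are literal; unquoted hex is audit's encoding for paths with spaces etc."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def summarize(log_text):
    """Return {(source_type, target_type, tclass): {"perms": set, "paths": set}}."""
    out = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
        out[key]["perms"].update(m["perms"].split())
        p = PATH_RE.search(line)
        if p:
            out[key]["paths"].add(decode_path(p.group(1)))
    return dict(out)

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        perms = " ".join(sorted(info["perms"]))
        print(f"{src} -> {tgt}:{cls} {{ {perms} }} {sorted(info['paths'])}")
```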
Do you need any additional input here?
I think https://github.com/fedora-selinux/selinux-policy/pull/179 will fix your issue.
Thanks Dan.
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Confirmed working. Thanks!