Description of problem:
Trying spice-server compiled with --enable-statistics.
Qemu launched by libvirt fails to map a shared memory object.

Version-Release number of selected component (if applicable):
libvirt-3.7.0-2.fc27.x86_64
selinux-policy-targeted-3.13.1-283.14.fc27.noarch

How reproducible:
Always

Steps to Reproduce:
This was reproduced with a custom build of spice-server (master) with --enable-statistics used.
Basically the program does in sequence:
- shm_open read/write (shm_open(stat_file->shm_name, O_CREAT | O_RDWR, 0444))
- ftruncate to get some space in the file
- mmap call (mmap(NULL, shm_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0))

Actual results:
The error from SELinux is
type=AVC msg=audit(1511118431.984:955): avc: denied { map } for pid=14901 comm="qemu-system-x86" path="/dev/shm/spice.14901" dev="tmpfs" ino=386800 scontext=system_u:system_r:svirt_t:s0:c226,c673 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0

Expected results:
No error.

Additional info:
Talked in IRC with the #virt team and asked if it was expected and we agreed to open a bug report.
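Added example, not part of the original report or of any project's code: a small parser that splits the AVC record quoted above into its fields and prints the type-enforcement rule in the form audit2allow would suggest for it. The function names are hypothetical, and the page does not state which rule the policy update actually added.

```python
import re
from datetime import datetime, timezone

# The denial record quoted in this report, copied verbatim.
AVC = ('type=AVC msg=audit(1511118431.984:955): avc: denied { map } for pid=14901 '
       'comm="qemu-system-x86" path="/dev/shm/spice.14901" dev="tmpfs" ino=386800 '
       'scontext=system_u:system_r:svirt_t:s0:c226,c673 '
       'tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0')

# Header: audit(<epoch>.<ms>:<serial>), verdict, and the { permission set }.
HEAD = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into a dict of its fields."""
    m = HEAD.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    secs, _ms, serial, verdict, perms = m.groups()
    rec = {k: v.strip('"') for k, v in PAIR.findall(line[m.end():])}
    rec.update(
        time=datetime.fromtimestamp(int(secs), tz=timezone.utc),
        serial=int(serial),
        verdict=verdict,
        perms=perms.split(),
        enforced=rec.get("permissive") == "0",  # permissive=0: access was blocked
    )
    return rec


def context_type(ctx):
    """user:role:type:level -> type (the MLS/MCS level may itself contain ':')."""
    return ctx.split(":")[2]


def te_rule(rec):
    """Candidate rule text in audit2allow style; review before loading anything."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(rec["scontext"]),
                                   context_type(rec["tcontext"]), rec["tclass"], p)


if __name__ == "__main__":
    r = parse_avc(AVC)
    print(r["time"].isoformat(), r["comm"], r["path"], "enforced" if r["enforced"] else "permissive")
    print(te_rule(r))
```
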
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Was this selinux-policy-3.13.1-283.17.fc27 supposed to address this specific issue? It does not work for me, still getting the same error.
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Tested the new package; it is now working.
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.