Description of problem:
After installing a package into a qcow2 image, dhclient fails to run.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-16.fc29.noarch

How reproducible:
100%

Steps to Reproduce:
1. Download qcow2 image
# wget https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2
# /usr/bin/qemu-system-x86_64 -cpu host -m 1024 Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 -enable-kvm -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.3:2222-:22 -device virtio-rng-pci -rtc base=utc -device isa-serial,chardev=pts2 -chardev file,id=pts2,path=image.log

2. (different terminal check image.log)
# tail -f image.log
[ 13.085798] cloud-init[754]: Cloud-init v. 17.1 running 'init' at Thu, 03 May 2018 06:49:04 +0000. Up 12.35 seconds.
[ 13.087203] cloud-init[754]: ci-info: +++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++
[ 13.088555] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[ 13.089995] cloud-init[754]: ci-info: | Device | Up | Address | Mask | Scope | Hw-Address |
[ 13.091491] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[ 13.093044] cloud-init[754]: ci-info: | eth0: | True | 10.0.2.15 | 255.255.255.0 | . | 52:54:00:12:34:56 |
[ 13.094605] cloud-init[754]: ci-info: | eth0: | True | . | . | d | 52:54:00:12:34:56 |
[ 13.096114] cloud-init[754]: ci-info: | lo: | True | 127.0.0.1 | 255.0.0.0 | . | . |
[ 13.097706] cloud-init[754]: ci-info: | lo: | True | . | . | d | . |
[ 13.099207] cloud-init[754]: ci-info: +--------+------+-----------+---------------+-------+-------------------+
[ 13.100712] cloud-init[754]: ci-info: +++++++++++++++++++++++++++Route IPv4 info++++++++++++++++++++++++++++
[ 13.103121] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
[ 13.104831] cloud-init[754]: ci-info: | Route | Destination | Gateway | Genmask | Interface | Flags |
[ 13.106786] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+
[ 13.109189] cloud-init[754]: ci-info: | 0 | 0.0.0.0 | 10.0.2.2 | 0.0.0.0 | eth0 | UG |
[ 13.110604] cloud-init[754]: ci-info: | 1 | 10.0.2.0 | 0.0.0.0 | 255.255.255.0 | eth0 | U |
[ 13.112078] cloud-init[754]: ci-info: +-------+-------------+----------+---------------+-----------+-------+

3. Terminate /usr/bin/qemu-system-x86_64

4. Install package to qcow2
# virt-customize -a Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 --run-command "dnf install -y nss-tools"

5. Bring VM back up again
# /usr/bin/qemu-system-x86_64 -cpu host -m 1024 Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 -enable-kvm -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp:127.0.0.3:2222-:22 -device virtio-rng-pci -rtc base=utc -device isa-serial,chardev=pts2 -chardev file,id=pts2,path=image.log

6. Check image.log
[ 10.376120] cloud-init[646]: Cloud-init v. 17.1 running 'init' at Thu, 03 May 2018 06:56:18 +0000. Up 9.63 seconds.
[ 10.377602] cloud-init[646]: ci-info: +++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++
[ 10.378775] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+
[ 10.379908] cloud-init[646]: ci-info: | Device | Up | Address | Mask | Scope | Hw-Address |
[ 10.381162] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+
[ 10.382526] cloud-init[646]: ci-info: | eth0: | True | . | . | . | 52:54:00:12:34:56 |
[ 10.384089] cloud-init[646]: ci-info: | eth0: | True | . | . | d | 52:54:00:12:34:56 |
[ 10.385495] cloud-init[646]: ci-info: | lo: | True | 127.0.0.1 | 255.0.0.0 | . | . |
[ 10.386899] cloud-init[646]: ci-info: | lo: | True | . | . | d | . |
[ 10.388447] cloud-init[646]: ci-info: +--------+------+-----------+-----------+-------+-------------------+

7. eth0 does not get an IP address

8. From the QEMU window it is possible to log in to the server; user is root and password is foobar
check for AVC denied message on /var/log/audit.login
disable selinux
# setenforce 0
run dhclient manually
# dhclient

9. Now it is possible to log in to the server with ssh
# ssh -p 2222 root.0.3
# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1525331562.483:81): avc: denied { read } for pid=398 comm="audispd" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.581:83): avc: denied { unlink } for pid=394 comm="ldconfig" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.626:85): avc: denied { map } for pid=406 comm="systemd-update-" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.772:90): avc: denied { map } for pid=429 comm="systemd-update-" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.835:93): avc: denied { read } for pid=430 comm="sshd-keygen" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.849:94): avc: denied { read } for pid=432 comm="rm" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:sshd_keygen_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331562.849:95): avc: denied { open } for pid=431 comm="dbus-daemon" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
<snip>
type=AVC msg=audit(1525331565.805:138): avc: denied { read } for pid=651 comm="ip" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331565.815:139): avc: denied { read } for pid=654 comm="dhclient" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Actual results:
dhclient: error while loading shared libraries: libirs-export.so.160: cannot open shared object file: No such file or directory

Expected results:
dhclient should run and the server should boot with an IP address

Additional info:
** Workaround, disable selinux
# virt-customize -a Fedora-Cloud-Base-Rawhide-20180502.n.0.x86_64.qcow2 --run-command "sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux"

Created attachment 1430503
cloud-init.iso

cloud_init.iso file used during /usr/bin/qemu-system-x86_64

Created attachment 1430515
all denied messages

all denied messages from /var/log/audit/audit.log including the ones after disabling selinux.

Closing it as not a bug, as I should use virt-customize with the --selinux-relabel option.
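
Added example, not part of the original report or of any project's code: a small triage script that parses AVC records like the ones quoted above and groups the denials whose target type is unlabeled_t by device and inode. A single unlabeled file denied to many unrelated domains is the pattern a missing relabel produces. The function names are hypothetical, and the sample input is three records copied from the report.

```python
import re
from collections import defaultdict

# Three of the AVC records quoted in the report above, copied verbatim.
SAMPLE = """\
type=AVC msg=audit(1525331562.626:85): avc: denied { map } for pid=406 comm="systemd-update-" path="/etc/ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331565.805:138): avc: denied { read } for pid=651 comm="ip" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525331565.815:139): avc: denied { read } for pid=654 comm="dhclient" name="ld.so.cache" dev="sda1" ino=132411 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level, so the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def unlabeled_targets(text):
    """Group denials whose target is unlabeled_t by (device, inode)."""
    found = defaultdict(lambda: {"names": set(), "domains": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] == "unlabeled_t":
            entry = found[(rec.get("dev"), rec.get("ino"))]
            entry["names"].add(rec.get("path") or rec.get("name", "?"))
            entry["domains"].add(rec["stype"])
    return {k: {f: sorted(v) for f, v in e.items()} for k, e in found.items()}


if __name__ == "__main__":
    for (dev, ino), e in unlabeled_targets(SAMPLE).items():
        print(f"{dev} inode {ino}: {e['names']} denied to {e['domains']}")
```

On the sample, every denial points at the same inode, /etc/ld.so.cache, which matches the closing comment: the file was rewritten offline without the relabel option.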