Description of problem:
RHOS14, 3 controllers and 2 computes.
------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/libvirtd from entrypoint access on the file /usr/libexec/qemu-kvm.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/usr/libexec/qemu-kvm default label should be qemu_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /usr/libexec/qemu-kvm

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that libvirtd should be allowed entrypoint access on the qemu-kvm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirtd' --raw | audit2allow -M my-libvirtd
# semodule -i my-libvirtd.pp

Additional Information:
Source Context                system_u:system_r:svirt_tcg_t:s0:c406,c900
Target Context                system_u:object_r:container_share_t:s0
Target Objects                /usr/libexec/qemu-kvm [ file ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           libvirt-daemon-4.5.0-10.el7_6.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     compute-0
Platform                      Linux compute-0 3.10.0-957.el7.x86_64 #1 SMP Thu Oct 4 20:48:51 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-19 17:12:48 UTC
Last Seen                     2018-11-19 17:12:48 UTC
Local ID                      2ccc2d38-44df-4dc7-a568-571ff9144c89

Raw Audit Messages
type=AVC msg=audit(1542647568.835:3798): avc: denied { entrypoint } for pid=77210 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=33653770 scontext=system_u:system_r:svirt_tcg_t:s0:c406,c900 tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1542647568.835:3798): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f690c00b220 a1=7f690c00a3c0 a2=7f690c00ac30 a3=8 items=0 ppid=43271 pid=77210 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:spc_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
[root@localhost openstack-selinux]# audit2allow
type=AVC msg=audit(1542647568.835:3798): avc: denied { entrypoint } for pid=77210 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" ino=33653770 scontext=system_u:system_r:svirt_tcg_t:s0:c406,c900 tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0

#============= svirt_tcg_t ==============
allow svirt_tcg_t container_share_t:file entrypoint;

0.8.15 has allows for this, but the DLRN build predates the required change. The DLRN build is from upstream commit 4a047a052cb174f2ff055b7be4513c95575d40a5. The next two commits in the chain fix this, so it should be working with the 0.8.15-1 build. I've tagged the build over since Zoli has already built it for OSP13 and prior.
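Added example, not part of the original comment or of the openstack-selinux project: Python that parses the AVC record from this report, derives the rule audit2allow printed for it, and checks whether a policy source contains a literal allow rule covering the denial. TE_OLD and TE_NEW are constructed fragments and the function names are hypothetical; macros and attributes in real .te files are not expanded.

```python
import re

# Raw AVC record copied from the bug description on this page.
AVC = ('type=AVC msg=audit(1542647568.835:3798): avc: denied { entrypoint } '
       'for pid=77210 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="vda2" '
       'ino=33653770 scontext=system_u:system_r:svirt_tcg_t:s0:c406,c900 '
       'tcontext=system_u:object_r:container_share_t:s0 tclass=file permissive=0')

# Constructed policy fragments (assumptions, not the real package sources).
TE_OLD = "allow svirt_t container_share_t:file { read execute };\n"
TE_NEW = TE_OLD + "allow svirt_tcg_t container_share_t:file entrypoint;\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)

def parse_avc(line):
    """Return the fields of one 'avc: denied' record as a dict."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """Format the rule in the form audit2allow prints for this denial."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"

def covered(rec, te_text):
    """True if literal allow rules in te_text grant every denied permission."""
    granted = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        if (src, tgt, cls) == (rec["stype"], rec["ttype"], rec["tclass"]):
            granted.update(perms.strip("{}").split())
    return set(rec["perms"]) <= granted

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(allow_rule(rec))
    print("older source covers denial:", covered(rec, TE_OLD))
    print("newer source covers denial:", covered(rec, TE_NEW))
```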
Adding background info: the bug happens when booting a VM using qemu rather than the default KVM.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0045