Created attachment 1636420
vm xml and virtproxyd log

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-5.9.0-2.module+el8.2.0+4683+7e10e783.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Stop libvirtd
# systemctl stop libvirtd.socket libvirtd

2. Set /etc/libvirt/virtproxyd.conf to gather logs:
# cat /etc/libvirt/virtproxyd.conf
log_level = 3
log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
log_outputs="1:file:/var/log/libvirt/virtproxyd.log"

3. Start virtlogd virtqemud virtproxyd, then start vm
# systemctl start virtqemud virtproxyd virtlogd virtqemud.socket virtproxyd.socket virtlogd.socket
# virsh start q35
error: Failed to start domain q35
error: can't connect to virtlogd: Cannot recv data: Connection reset by peer

Actual results:
As above

Expected results:
Vm started

Additional info:
Can you confirm if SELinux is enforcing? If so, does it work when in permissive mode?
(In reply to Daniel Berrangé from comment #1)
> Can you confirm if SELinux is enforcing ?
>
> If so, does it work when in permissive mode

Yes. Works on permissive.

The audit log:
type=AVC msg=audit(1573883972.564:1092): avc: denied { search } for pid=21582 comm="qemu-kvm" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1573883972.564:1093): avc: denied { read } for pid=21582 comm="qemu-kvm" name="cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.564:1094): avc: denied { open } for pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.564:1095): avc: denied { getattr } for pid=21582 comm="qemu-kvm" path="/proc/21316/cmdline" dev="proc" ino=282489 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.765:1096): avc: denied { search } for pid=19531 comm="virtlogd" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1573883972.765:1097): avc: denied { read } for pid=19531 comm="virtlogd" name="stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573883972.765:1098): avc: denied { open } for pid=19531 comm="virtlogd" path="/proc/21316/stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
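As an added triage helper (not part of the bug thread), the script below parses AVC records like the ones quoted in this comment and groups the denied permissions by source domain, target domain and object class, so that after the policy update one can confirm that no denials remain with permissive=0 (the ones that would actually break the split daemons). The sample records are three lines from the audit log above plus one constructed permissive=0 variant for illustration.

```python
import re
from collections import defaultdict

# Shape of one AVC denial line as written to /var/log/audit/audit.log
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied '
    r'\{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after comm=


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "pid", "comm")}
    rec["perms"] = m.group("perms").split()
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are keyed on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(summary)


def enforcing_denials(lines):
    """Records logged with permissive=0, i.e. accesses that were really blocked."""
    return [r for r in map(parse_avc, lines) if r and r.get("permissive") == "0"]


# Three records taken from the comment above, plus one constructed permissive=0 line.
SAMPLE_AVC = [
    'type=AVC msg=audit(1573883972.564:1092): avc: denied { search } for pid=21582 comm="qemu-kvm" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:svirt_t:s0:c348,c845 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1573883972.765:1096): avc: denied { search } for pid=19531 comm="virtlogd" name="21316" dev="proc" ino=282393 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1573883972.765:1097): avc: denied { read } for pid=19531 comm="virtlogd" name="stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1',
    # constructed: same denial as above but logged while enforcing
    'type=AVC msg=audit(1573883972.765:1098): avc: denied { open } for pid=19531 comm="virtlogd" path="/proc/21316/stat" dev="proc" ino=282866 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0',
]
```

Run it over `ausearch -m AVC --raw` output to get the same grouping for a live host.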
Ok, yes, this is because the new split daemons don't have selinux policy rules set yet. There should be a new selinux policy in 8.2 that fixes this: https://bugzilla.redhat.com/show_bug.cgi?id=1745076
Verified with:
libvirt-6.0.0-2.module+el8.2.0+5513+34927b6c.x86_64
selinux-policy-3.14.3-38.el8.noarch

Test steps:
1. Stop libvirtd
# systemctl stop libvirtd.socket libvirtd

2. Set /etc/libvirt/virtproxyd.conf to gather logs:
# cat /etc/libvirt/virtproxyd.conf
log_level = 3
log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
log_outputs="1:file:/var/log/libvirt/virtproxyd.log"

3. Start virtlogd virtqemud virtproxyd, then start vm
# systemctl start virtqemud virtproxyd virtlogd virtqemud.socket virtproxyd.socket virtlogd.socket

4. Start a guest:
# virsh start vm
Domain vm started

5. Start virtstoraged service:
# systemctl start virtstoraged

6. Destroy default pool:
# virsh pool-list
 Name      State    Autostart
-------------------------------
 default   active   no

# virsh pool-destroy default
Pool default destroyed

7. Start virtnetworkd service:
# systemctl start virtnetworkd

8. Destroy default network:
# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

# virsh net-destroy default
Network default destroyed

8. Start virtnwfilterd service:
# systemctl start virtnwfilterd

9. Define a nwfilter:
# virsh nwfilter-define /root/filter.xml
Network filter disallow-arp defined from /root/filter.xml

10. Start virtsecretd service:
# systemctl start virtsecretd

11. Define a secret and set value:
# virsh secret-define secret.xml
Secret 0daa1a35-5599-4a06-8cd1-6a3751912e61 created

# virsh secret-list
 UUID                                   Usage
----------------------------------------------------------------------------------
 0daa1a35-5599-4a06-8cd1-6a3751912e61   volume /var/lib/libvirt/images/rhel6.img

# MYSECRET=`echo "red hat" | base64`
# virsh secret-set-value 0daa1a35-5599-4a06-8cd1-6a3751912e61 $MYSECRET
Secret value set
Changing this TestOnly BZ as CLOSED CURRENTRELEASE. Please reopen if the issue is not resolved.