Description of problem:
Unable to start up VMs in virt-manager unless firewalld is stopped first.

Version-Release number of selected component (if applicable):
firewalld-0.8.0-1.fc32.noarch
python3-firewall-0.8.0-1.fc32.noarch
python3-nftables-0.9.3-1.fc32.x86_64
nftables-0.9.3-1.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Try to create a VM using virt-manager
2. NAT is "inactive", probably due to prior errors; when virt-manager asks to make it active, it results in more errors (see screenshot). VM can't be started.
3.

Actual results:
VM can't be started.

Expected results:
libvirt should be able to make NAT active by default for VMs out of the box.

Additional info:
Created attachment 1648276: journal
Created attachment 1648277: screenshot
Proposed as a Blocker for 32-beta by Fedora user chrismurphy using the blocker tracking app because: Beta: "The release must be able to host virtual guest instances of the same release." Basic says the release must install and boot as a guest of a host running the current release, so that doesn't apply.
The logs show initial firewalld errors:

[   16.756380] fmac.local firewalld[838]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Operation not supported
...
JSON blob:
{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"add": {"table": {"family": "inet", "name": "firewalld"}}},
  {"add": {"table": {"family": "ip", "name": "firewalld"}}},
  {"add": {"table": {"family": "ip6", "name": "firewalld"}}}
]}

These are the very first rules generated by firewalld and they're simply adding the top-level tables. This may be completely unrelated to libvirt. Getting EOPNOTSUPP at this point is weird.

There was also an AVC denial for modprobe. This might explain the EOPNOTSUPP:

[   16.254448] fmac.local audit[932]: AVC avc:  denied  { nnp_transition } for  pid=932 comm="(modprobe)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=process2 permissive=0

Can you try it again with setenforce=0 ?
I forgot to mention, you'll have to setenforce=0, then restart firewalld and libvirt before trying again.
Confirmed, it boots with enforcing=0 or selinux=0.
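The triage in comment 5 can be written down as a small check: parse the AVC record out of the journal, keep only enforced denials (permissive=0), look for modprobe being refused a transition into kmod_t, and correlate that with firewalld's "Operation not supported" when it tried to add its top-level nft tables. The script below is an added example and is not code from firewalld, libvirt or selinux-policy; the two journal lines it runs on are the ones quoted in this report, the "benign" line is constructed here for contrast, and the allow rule it prints is in the form audit2allow would emit (the actual policy fix may express the same permission through a policy interface instead).

```python
import re

# Shape of an audit AVC record as it appears in the journal excerpt in this report:
#   ... AVC avc:  denied  { perm ... } for  pid=N comm="..." scontext=... tcontext=... tclass=... permissive=0
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the two journal lines quoted in this report (hostname and PIDs as
# logged there), plus one benign line constructed here so the filter has something to skip.
FIREWALLD_LINE = ("[   16.756380] fmac.local firewalld[838]: ERROR: 'python-nftables' failed: "
                  "internal:0:0-0: Error: Could not process rule: Operation not supported")
AVC_LINE = ('[   16.254448] fmac.local audit[932]: AVC avc:  denied  { nnp_transition } for  '
            'pid=932 comm="(modprobe)" scontext=system_u:system_r:init_t:s0 '
            'tcontext=system_u:system_r:kmod_t:s0 tclass=process2 permissive=0')
BENIGN_LINE = "[   16.300000] fmac.local systemd[1]: Started firewalld - dynamic firewall daemon."
JOURNAL = [AVC_LINE, BENIGN_LINE, FIREWALLD_LINE]


def parse_avc(line):
    """Return the AVC record as a dict (perms list plus key=value fields), or None if the
    line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type, e.g. system_u:system_r:init_t:s0 -> init_t."""
    return context.split(":")[2]


def allow_rule(avc):
    """Type-enforcement allow rule for this denial, in the form audit2allow prints."""
    src = selinux_type(avc["scontext"])
    tgt = selinux_type(avc["tcontext"])
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (src, tgt, avc["tclass"], perm_str)


def triage(lines):
    """Correlate firewalld's EOPNOTSUPP with an enforced denial of modprobe entering kmod_t,
    the hypothesis raised in comment 5 (and confirmed in comment 7 by booting with
    enforcing=0)."""
    enforced = [r for r in map(parse_avc, lines) if r and r.get("permissive") == "0"]
    nft_failed = any("firewalld" in l and "Operation not supported" in l for l in lines)
    modprobe_denials = [r for r in enforced
                        if r.get("comm", "").strip("()") == "modprobe"
                        and selinux_type(r["tcontext"]) == "kmod_t"]
    return {
        "nft_failed": nft_failed,
        "modprobe_denied": bool(modprobe_denials),
        "likely_cause": nft_failed and bool(modprobe_denials),
        "suggested_rules": sorted({allow_rule(r) for r in modprobe_denials}),
    }


if __name__ == "__main__":
    result = triage(JOURNAL)
    print("firewalld nft table creation failed:", result["nft_failed"])
    print("modprobe denied transition into kmod_t:", result["modprobe_denied"])
    if result["likely_cause"]:
        # Review any rule like this before shipping it: it widens the policy for every
        # init_t-to-kmod_t transition, which is exactly what the selinux-policy fix has to decide.
        print("SELinux is the likely cause; the policy needs:")
        for rule in result["suggested_rules"]:
            print("   ", rule)
```

The `permissive=0` filter matters: the same record with `permissive=1` is logged but not enforced, so it cannot be the cause of the failure and the script reports nothing. The permission name `nnp_transition` is the one checked when a process running with no_new_privs set tries to change domain, which is why `setenforce 0` (or booting with `enforcing=0`) works around it and why the fix is a policy change rather than a firewalld change.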
commit 789c6593214fa10b15d2c628822cffe985417f5a
Author: Zdenek Pytela <zpytela>
Date:   Wed Dec 18 14:36:14 2019 +0100

    Allow init_t nnp domain transition to kmod_t
This package has changed maintainer in the Fedora. Reassigning to the new maintainer of this component.
At the blocker review meeting on Monday cmurf confirmed this is fixed now, so closing.