Description of problem:

Version-Release number of selected component (if applicable):
libvirt-8.6.0-5.fc37.x86_64
qemu-kvm-2:7.0.0-13.fc37.x86_64
selinux-policy-37.18-1.fc37.x86_64

How reproducible:

Steps to Reproduce:
1. With a regular user, define a new VM using GNOME Boxes
2. Update the XML definition to use SWTPM and hugepages as memoryBacking
3. Configure HugeTLB huge pages accordingly

Actual results:
The VM won't start because:

type=AVC msg=audit(1674832522.228:324): avc: denied { unlink } for pid=5359 comm="swtpm" name="4-win10-swtpm.sock" dev="tmpfs" ino=600 scontext=unconfined_u:unconfined_r:svirt_t:s0:c102,c906 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

Which in turn ends up being reported as:

Jan 27 09:07:21 mawahost virtqemud[3733]: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config
Jan 27 09:07:21 mawahost virsh[4600]: 4600: error : virNetClientProgramDispatchError:172 : internal error: hugetlbfs filesystem is not mounted or disabled by administrator config

Expected results:
The VM starts without problems, using the reserved hugepages configured.

Additional info:
Yes, hugetlbfs IS mounted:

Jan 27 09:02:17 mawahost systemd[1]: Mounting dev-hugepages.mount - Huge Pages File System...
Jan 27 09:02:17 mawahost systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
Hello,

Do you happen to know which process created the file in question?
Can you reproduce the issue with full auditing enabled?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
(In reply to Zdenek Pytela from comment #1)
> Hello,
>
> Do you happen to know which process created the file in question?
> Can you reproduce the issue with full auditing enabled?
>
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
> # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Hi, yes of course, here's the output:

journalctl

Jan 30 09:32:52 mawahost virtqemud[4009]: libvirt version: 8.6.0, package: 5.fc37 (Fedora Project, 2022-11-20-18:43:33, )
Jan 30 09:32:52 mawahost virtqemud[4009]: hostname: mawahost
Jan 30 09:32:52 mawahost virtqemud[4009]: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config

ausearch

type=PROCTITLE msg=audit(01/30/2023 09:32:52.092:300) : proctitle=/usr/bin/swtpm socket --ctrl type=unixio,path=/run/user/1000/libvirt/qemu/run/swtpm/1-win10-swtpm.sock,mode=0600 --tpmstate dir=
type=PATH msg=audit(01/30/2023 09:32:52.092:300) : item=1 name=/run/user/1000/libvirt/qemu/run/swtpm/1-win10-swtpm.sock inode=243 dev=00:43 mode=socket,600 ouid=mawa ogid=mawa rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/30/2023 09:32:52.092:300) : item=0 name=/run/user/1000/libvirt/qemu/run/swtpm/ inode=239 dev=00:43 mode=dir,770 ouid=mawa ogid=mawa rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/30/2023 09:32:52.092:300) : cwd=/
type=SYSCALL msg=audit(01/30/2023 09:32:52.092:300) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x55894edf7f00 a1=0x0 a2=0x1 a3=0x8 items=2 ppid=2180 pid=4097 auid=mawa uid=mawa gid=mawa euid=mawa suid=mawa fsuid=mawa egid=mawa sgid=mawa fsgid=mawa tty=(none) ses=3 comm=swtpm exe=/usr/bin/swtpm subj=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 key=(null)
type=AVC msg=audit(01/30/2023 09:32:52.092:300) : avc: denied { unlink } for pid=4097 comm=swtpm name=1-win10-swtpm.sock dev="tmpfs" ino=243 scontext=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

About which process created 1-win10-swtpm.sock: it had to be swtpm.
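A small parser, added here as an illustration and not part of this bug report or of the swtpm project, that pulls the source type, target type, object class and denied permissions out of AVC records like the ones above and renders the minimal allow rule they imply (the same thing audit2allow would print), so the denial can be cross-checked against whatever policy change is proposed. The sample lines are copied from the audit output in this thread; the field names assumed are the standard AVC ones (scontext, tcontext, tclass).

```python
import re

# Sample input constructed from the AVC records quoted in this bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(01/30/2023 09:32:52.092:300) : avc: denied { unlink } '
    'for pid=4097 comm=swtpm name=1-win10-swtpm.sock dev="tmpfs" ino=243 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c274,c740 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1674832522.228:324): avc: denied { unlink } for pid=5359 '
    'comm="swtpm" name="4-win10-swtpm.sock" dev="tmpfs" ino=600 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c102,c906 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
]

# Permissions are inside "{ ... }"; the contexts are user:role:type[:range].
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the type/class/permission fields of an AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        # The type is the third colon-separated field; the MCS range (c274,c740) is
        # per-VM and irrelevant to the type-enforcement rule.
        'source_type': m.group('scontext').split(':')[2],
        'target_type': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def allow_rule(denial):
    """Render the narrowest allow rule that would permit exactly this denial."""
    return 'allow %s %s:%s { %s };' % (denial['source_type'], denial['target_type'],
                                        denial['tclass'], ' '.join(denial['perms']))


def summarize(lines):
    """Merge all denials with the same (source, target, class) into one rule each."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d['source_type'], d['target_type'], d['tclass'])
            merged.setdefault(key, set()).update(d['perms'])
    return [allow_rule({'source_type': s, 'target_type': t, 'tclass': c, 'perms': sorted(p)})
            for (s, t, c), p in sorted(merged.items())]
```

Feed it the output of `ausearch -m avc` and compare the rules it prints with the permissions a policy patch actually adds; anything beyond what the denials require is extra privilege that needs its own justification.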
This is a problem of swtpm's SELinux policy.

I was able to recreate the SELinux denial by adding a memoryBacking node to the libvirt domain XML:

<currentMemory unit='KiB'>2097152</currentMemory>
<memoryBacking>
  <hugepages>
    <page size='2048' unit='KiB'/>
  </hugepages>
</memoryBacking>
<vcpu placement='static'>4</vcpu>

Even though the SELinux related error is gone, the VM does not start:

> virsh start testvm
error: Failed to start domain 'testvm'
error: internal error: hugetlbfs filesystem is not mounted or disabled by administrator config

The fix in swtpm's SELinux policy looks like this:

-allow svirt_t user_tmp_t:sock_file { create setattr };
+allow svirt_t user_tmp_t:sock_file { create setattr unlink };

If you have comments regarding this fix, please let me know here: https://github.com/stefanberger/swtpm/pull/813
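Review bot: The added `unlink` matches the recorded denial exactly (svirt_t, user_tmp_t, sock_file, unlink), but the comment itself shows the domain still fails with "hugetlbfs filesystem is not mounted or disabled by administrator config" once the denial is gone, so the commit message for this hunk should say that it only resolves the AVC and that the hugetlbfs failure is a separate issue. Also, `allow svirt_t user_tmp_t:sock_file { create setattr unlink };` lets svirt_t remove any user_tmp_t socket file, not just the swtpm control socket under /run/user/<uid>/libvirt/qemu/run/swtpm/; a one-line comment in the policy source explaining why that scope is required would help future readers.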
FEDORA-2023-264d50ec35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35
FEDORA-2023-264d50ec35 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-264d50ec35`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-264d50ec35 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.