Versions:
kernel-6.7.1-200.fc39.x86_64
selinux-policy-40.10-1.fc40.noarch
libvirt-10.0.0-3.fc40.x86_64
virt-install-4.1.0-5.fc40.noarch
qemu-kvm-8.2.0-7.fc40.x86_64

Reproducible: Always

Steps to Reproduce:
1. Start a domain by virt-install

# virt-install --transient --install fedora39 -n test --disk none -r 2048 --graphic none
Using fedora39 --location https://download.fedoraproject.org/pub/fedora/linux/releases/39/Everything/x86_64/os

It doesn't work when `setenforce 0`, either.

Starting install...
Retrieving 'vmlinuz'    | 6.8 MB  00:00:00 ...
Retrieving 'initrd.img' |  97 MB  00:00:02 ...
ERROR    can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start test
otherwise, please restart your installation

Actual Results:
As above

Expected Results:
No error

AVC denial error in /var/log/message:

Feb 4 11:46:01 dell-per440-16 systemd[8873]: Started tmux-spawn-7cbb26c8-44b4-41ad-882d-dc140252a6c5.scope - tmux child pane 14071 launched by process 8922.
Feb 4 11:46:01 dell-per440-16 audit: BPF prog-id=175 op=LOAD
Feb 4 11:46:01 dell-per440-16 audit: BPF prog-id=176 op=LOAD
Feb 4 11:46:01 dell-per440-16 audit: BPF prog-id=177 op=LOAD
Feb 4 11:46:01 dell-per440-16 systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Feb 4 11:46:01 dell-per440-16 systemd[1]: Started systemd-hostnamed.service - Hostname Service.
Feb 4 11:46:01 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:04.080Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:04.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:04.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:14.080Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:14.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:14.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:14 dell-per440-16 systemd[1]: Starting virtqemud.service - libvirt QEMU daemon...
Feb 4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: info : libvirt version: 10.0.0, package: 3.fc40 (Fedora Project, 2024-01-25-04:04:02, )
Feb 4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: info : hostname: dell-per440-16.lab.eng.pek2.redhat.com
Feb 4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: debug : virLogParseOutputs:1638 : outputs=1:file:/var/log/libvirt/virtqemud.log
Feb 4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: debug : virLogParseOutput:1485 : output=1:file:/var/log/libvirt/virtqemud.log
Feb 4 11:46:14 dell-per440-16 systemd[1]: Started virtqemud.service - libvirt QEMU daemon.
Feb 4 11:46:14 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtqemud comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:24.081Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:24.082Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:24.082Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:26 dell-per440-16 audit[14100]: AVC avc: denied { execute } for pid=14100 comm="rpc-virtqemud" name="swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb 4 11:46:26 dell-per440-16 audit[14344]: AVC avc: denied { execute_no_trans } for pid=14344 comm="swtpm_setup" path="/usr/bin/swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb 4 11:46:26 dell-per440-16 audit[14344]: AVC avc: denied { map } for pid=14344 comm="swtpm" path="/usr/bin/swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb 4 11:46:26 dell-per440-16 systemd[1]: Starting virtstoraged.service - libvirt storage daemon...
Feb 4 11:46:26 dell-per440-16 systemd[1]: Started virtstoraged.service - libvirt storage daemon.
Feb 4 11:46:26 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtstoraged comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:28 dell-per440-16 systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Feb 4 11:46:28 dell-per440-16 systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Feb 4 11:46:28 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:28 dell-per440-16 audit[14368]: AVC avc: denied { create } for pid=14368 comm="locate" anonclass=[io_uring] scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
Feb 4 11:46:28 dell-per440-16 systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Feb 4 11:46:28 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@7 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:29 dell-per440-16 audit[14100]: VIRT_MACHINE_ID pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-ctx=system_u:system_r:svirt_t:s0:c224,c785 img-ctx=system_u:object_r:svirt_image_t:s0:c224,c785 model=selinux exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:29 dell-per440-16 audit[14100]: VIRT_MACHINE_ID pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: Found left-over process 12849 (dnsmasq) in control group while starting unit. Ignoring.
Feb 4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb 4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: Found left-over process 12850 (dnsmasq) in control group while starting unit. Ignoring.
Feb 4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb 4 11:46:29 dell-per440-16 systemd[1]: Starting virtnetworkd.service - libvirt network daemon...
Feb 4 11:46:29 dell-per440-16 systemd[1]: Started virtnetworkd.service - libvirt network daemon.
Feb 4 11:46:29 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtnetworkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:29 dell-per440-16 audit[14407]: NETFILTER_CFG table=mangle:49 family=2 entries=1 op=nft_unregister_rule pid=14407 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14408]: NETFILTER_CFG table=nat:50 family=2 entries=1 op=nft_unregister_rule pid=14408 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14409]: NETFILTER_CFG table=nat:51 family=2 entries=1 op=nft_unregister_rule pid=14409 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14411]: NETFILTER_CFG table=nat:52 family=2 entries=1 op=nft_unregister_rule pid=14411 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14412]: NETFILTER_CFG table=nat:53 family=2 entries=1 op=nft_unregister_rule pid=14412 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14413]: NETFILTER_CFG table=nat:54 family=2 entries=1 op=nft_unregister_rule pid=14413 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14414]: NETFILTER_CFG table=filter:55 family=2 entries=1 op=nft_unregister_rule pid=14414 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14415]: NETFILTER_CFG table=filter:56 family=2 entries=1 op=nft_unregister_rule pid=14415 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from execute access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l 3daa71c5-0366-4fce-95fa-ef47385d4aa9
Feb 4 11:46:29 dell-per440-16 audit[14416]: NETFILTER_CFG table=filter:57 family=2 entries=1 op=nft_unregister_rule pid=14416 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14417]: NETFILTER_CFG table=filter:58 family=2 entries=1 op=nft_unregister_rule pid=14417 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from execute access on the file /usr/bin/swtpm.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that rpc-virtqemud should be allowed execute access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud#012# semodule -X 300 -i my-rpcvirtqemud.pp#012
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm_setup from execute_no_trans access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l d869c2c3-29e3-46f7-84c3-c01fd2d4097b
Feb 4 11:46:29 dell-per440-16 audit[14418]: NETFILTER_CFG table=filter:59 family=2 entries=1 op=nft_unregister_rule pid=14418 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14419]: NETFILTER_CFG table=filter:60 family=2 entries=1 op=nft_unregister_rule pid=14419 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm_setup from execute_no_trans access on the file /usr/bin/swtpm.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that swtpm_setup should be allowed execute_no_trans access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'swtpm_setup' --raw | audit2allow -M my-swtpmsetup#012# semodule -X 300 -i my-swtpmsetup.pp#012
Feb 4 11:46:29 dell-per440-16 audit[14420]: NETFILTER_CFG table=filter:61 family=2 entries=1 op=nft_unregister_rule pid=14420 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm from map access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l 6c6b7743-ae62-4c2b-9896-37f7422dd6b8
Feb 4 11:46:29 dell-per440-16 audit[14421]: NETFILTER_CFG table=filter:62 family=2 entries=1 op=nft_unregister_rule pid=14421 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm from map access on the file /usr/bin/swtpm.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow domain to can mmap files#012Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.#012#012Do#012setsebool -P domain_can_mmap_files 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that swtpm should be allowed map access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm#012# semodule -X 300 -i my-swtpm.pp#012
Feb 4 11:46:29 dell-per440-16 audit[14423]: NETFILTER_CFG table=filter:63 family=2 entries=1 op=nft_unregister_rule pid=14423 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:29 dell-per440-16 audit[14424]: NETFILTER_CFG table=filter:64 family=2 entries=1 op=nft_unregister_rule pid=14424 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14425]: NETFILTER_CFG table=filter:65 family=2 entries=1 op=nft_unregister_rule pid=14425 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 sedispatch[937]: AVC Message regarding setroubleshoot, ignoring message
Feb 4 11:46:30 dell-per440-16 audit[14426]: NETFILTER_CFG table=filter:66 family=2 entries=1 op=nft_unregister_rule pid=14426 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14427]: NETFILTER_CFG table=filter:67 family=2 entries=1 op=nft_unregister_rule pid=14427 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14428]: NETFILTER_CFG table=filter:68 family=2 entries=1 op=nft_register_rule pid=14428 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14429]: NETFILTER_CFG table=filter:69 family=2 entries=1 op=nft_register_rule pid=14429 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14430]: NETFILTER_CFG table=filter:70 family=2 entries=1 op=nft_register_rule pid=14430 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14431]: NETFILTER_CFG table=filter:71 family=2 entries=1 op=nft_register_rule pid=14431 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14432]: NETFILTER_CFG table=filter:72 family=2 entries=1 op=nft_register_rule pid=14432 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14433]: NETFILTER_CFG table=filter:73 family=2 entries=1 op=nft_register_rule pid=14433 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14434]: NETFILTER_CFG table=filter:74 family=2 entries=1 op=nft_register_rule pid=14434 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14435]: NETFILTER_CFG table=filter:75 family=2 entries=1 op=nft_register_rule pid=14435 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14436]: NETFILTER_CFG table=filter:76 family=2 entries=1 op=nft_register_rule pid=14436 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14437]: NETFILTER_CFG table=filter:77 family=2 entries=1 op=nft_register_rule pid=14437 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14438]: NETFILTER_CFG table=filter:78 family=2 entries=1 op=nft_register_rule pid=14438 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14439]: NETFILTER_CFG table=filter:79 family=2 entries=1 op=nft_register_rule pid=14439 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14440]: NETFILTER_CFG table=filter:80 family=2 entries=1 op=nft_register_rule pid=14440 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14441]: NETFILTER_CFG table=nat:81 family=2 entries=1 op=nft_register_rule pid=14441 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14442]: NETFILTER_CFG table=nat:82 family=2 entries=1 op=nft_register_rule pid=14442 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14443]: NETFILTER_CFG table=nat:83 family=2 entries=1 op=nft_register_rule pid=14443 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14444]: NETFILTER_CFG table=nat:84 family=2 entries=1 op=nft_register_rule pid=14444 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14445]: NETFILTER_CFG table=nat:85 family=2 entries=1 op=nft_register_rule pid=14445 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 audit[14446]: NETFILTER_CFG table=mangle:86 family=2 entries=1 op=nft_register_rule pid=14446 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb 4 11:46:30 dell-per440-16 dnsmasq[12849]: read /etc/hosts - 8 names
Feb 4 11:46:30 dell-per440-16 dnsmasq[12849]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Feb 4 11:46:30 dell-per440-16 dnsmasq-dhcp[12849]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Feb 4 11:46:30 dell-per440-16 audit[14449]: AVC avc: denied { relabelfrom } for pid=14449 comm="rpc-virtqemud" name="1-test" dev="tmpfs" ino=2458 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=net reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-net="?" new-net="52:54:00:f8:3b:5f" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=chardev reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-chardev="?" new-chardev="/run/libvirt/qemu/channel/1-test/org.qemu.guest_agent.0" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=rng reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-rng="?" new-rng="/dev/urandom" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=mem reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-mem=0 new-mem=2097152 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=vcpu reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-vcpu=0 new-vcpu=2 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:30 dell-per440-16 audit[14100]: VIRT_CONTROL pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Feb 4 11:46:31 dell-per440-16 systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb 4 11:46:31 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:31 dell-per440-16 audit: BPF prog-id=177 op=UNLOAD
Feb 4 11:46:31 dell-per440-16 audit: BPF prog-id=176 op=UNLOAD
Feb 4 11:46:31 dell-per440-16 audit: BPF prog-id=175 op=UNLOAD
Feb 4 11:46:32 dell-per440-16 audit[14457]: AVC avc: denied { create } for pid=14457 comm="locate" anonclass=[io_uring] scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
Feb 4 11:46:33 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-test. For complete SELinux messages run: sealert -l b6f6b484-a62b-4b5f-acc2-b05bd2111083
Feb 4 11:46:33 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-test.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that rpc-virtqemud should be allowed relabelfrom access on the 1-test directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud#012# semodule -X 300 -i my-rpcvirtqemud.pp#012
Feb 4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:34.081Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:34.083Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:34.083Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:35 dell-per440-16 sedispatch[937]: AVC Message regarding setroubleshoot, ignoring message
Feb 4 11:46:43 dell-per440-16 systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Deactivated successfully.
Feb 4 11:46:43 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@7 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:43 dell-per440-16 systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Consumed 1.044s CPU time.
Feb 4 11:46:43 dell-per440-16 systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb 4 11:46:43 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:44.083Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:44.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:44.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:54.083Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:54.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:54.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:47:04.084Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:47:04.085Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb 4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:47:04.085Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Hi. I also have this bug after upgrading from Fedora 39 to Fedora 40:

Unable to open system token /run/libvirt/common/system.token: Permission denied

It might be related to https://access.redhat.com/errata/RHBA-2021:4420 , because errata is showing the same error message, but for RHEL8.

My journal logs:

Feb 18 12:48:15 mckenna.ping.local setroubleshoot[1714]: SELinux is preventing daemon-init from relabelfrom access on the directory 5-maria1.ping.local. For complete SELinux messages run: sealert -l 9d377782-1046-46c4-8e87-fb8ba348d053
Feb 18 12:48:15 mckenna.ping.local setroubleshoot[1714]: SELinux is preventing daemon-init from relabelfrom access on the directory 5-maria1.ping.local.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that daemon-init should be allowed relabelfrom access on the 5-maria1.ping.local directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'daemon-init' --raw | audit2allow -M my-daemoninit
# semodule -X 300 -i my-daemoninit.pp

Sedismod of this policy:

# sedismod my-daemoninit.mod
Reading policy...
libsepol.policydb_index_others: security: 0 users, 1 roles, 4 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 3 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security: 0 users, 1 roles, 4 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security: 3 classes, 0 rules, 0 cond rules
Binary policy module file loaded.

Module name: my-daemoninit
Module version: 1.0
Policy version: 21

Select a command:
1) display unconditional AVTAB
2) display conditional AVTAB
3) display users
4) display bools
5) display roles
6) display types, attributes, and aliases
7) display role transitions
8) display role allows
9) Display policycon
0) Display initial SIDs
a) Display avrule requirements
b) Display avrule declarations
c) Display policy capabilities
l) Link in a module
u) Display the unknown handling setting
F) Display filename_trans rules
v) display the version of policy and/or module
f) set output file
m) display menu
q) quit

Command ('m' for menu): 1
unconditional avtab:
--- begin avrule block ---
decl 1:
  allow [virtqemud_t] [device_t] : [filesystem] { unmount };
  allow [virtqemud_t] [urandom_device_t] : [chr_file] { setattr };
  allow [virtqemud_t] [virt_var_run_t] : [dir] { relabelfrom };

Command ('m' for menu): 2
conditional avtab:
--- begin avrule block ---
decl 1:

Command ('m' for menu): 3

Command ('m' for menu): 4

Command ('m' for menu): 5
role: object_r types:

Command ('m' for menu): 6
[device_t] [3]: type flags:0
[urandom_device_t] [1]: type flags:0
[virt_var_run_t] [2]: type flags:0
[virtqemud_t] [4]: type flags:0

Command ('m' for menu): 7
role transitions:
--- begin avrule block ---
decl 1:

Command ('m' for menu): 8
role allows:
--- begin avrule block ---
decl 1:

Command ('m' for menu): 9
Sorry, not implemented

Command ('m' for menu): 0
Initial SIDs:

Command ('m' for menu): a
avrule block requirements:
--- begin avrule block ---
decl 1:
  commons: <empty>
  classes: dir { relabelfrom } filesystem { unmount } chr_file { setattr }
  roles : <empty>
  types : urandom_device_t virt_var_run_t device_t virtqemud_t
  users : <empty>
  bools : <empty>
  levels : <empty>
  cats : <empty>

Command ('m' for menu): b
avrule block declarations:
--- begin avrule block ---
decl 1:
  commons: <empty>
  classes: <empty>
  roles : <empty>
  types : <empty>
  users : <empty>
  bools : <empty>
  levels : <empty>
  cats : <empty>

Command ('m' for menu): c
policy capabilities:

Command ('m' for menu): l
Can only link if initial file was a base policy.

Command ('m' for menu): u
Deny unknown classes and perms

Command ('m' for menu): F
filename_trans rules:
--- begin avrule block ---
decl 1:
filename transition

Command ('m' for menu): v
Binary policy module file loaded.
Module name: my-daemoninit
Module version: 1.0
Policy version: 21

----------------------------------------------

"restorecon -Rv /var/lib/libvirt" did relabel files, but VMs are still not able to start:

# virsh start --domain maria1.ping.local
error: Failed to start domain 'maria1.ping.local'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

----------------------------------------------

After switching selinux to permissive mode all VMs are running fine.

# virsh list --all
 Id   Name                State
-----------------------------------
 1    psqlb.ping.local    running
 2    awx.ping.local      running
 3    maria1.ping.local   running
 4    psqla.ping.local    running
There are multiple denials in the journal, some of them not related. Can you
1. update to selinux-policy-40.10-1.fc40.noarch or the one from https://dashboard.packit.dev/results/copr-builds/1349099
2. gather AVC denials, preferably with full auditing enabled? https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
(In reply to Łukasz Posadowski from comment #1)
> I also have this bug after upgrading from Fedora 39 to Fedora 40:
> Unable to open system token /run/libvirt/common/system.token: Permission
> denied
>
> It might be related to https://access.redhat.com/errata/RHBA-2021:4420 ,
> because errata is showing the same error message, but for RHEL8.

Can you write down specific AVC denials? The fix for the https://bugzilla.redhat.com/show_bug.cgi?id=1966842 bug referred to from the advisory has been in Fedora since 3 years ago.
(In reply to Zdenek Pytela from comment #2)
> There are multiple denials in the journal, some of them not related. Can you
> 1. update to selinux-policy-40.10-1.fc40.noarch or the one from
> https://dashboard.packit.dev/results/copr-builds/1349099
>
> 2. Gather Avc denial, preferably with full auditing enabled?
> https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Thank you. I will have some time on Monday or Tuesday and will attach more audit logs.
(In reply to Zdenek Pytela from comment #2)
> There are multiple denials in the journal, some of them not related. Can you
> 1. update to selinux-policy-40.10-1.fc40.noarch or the one from
> https://dashboard.packit.dev/results/copr-builds/1349099
>
> 2. Gather Avc denial, preferably with full auditing enabled?
> https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

It works for me on:
selinux-policy-40.13-1.fc40.noarch
libvirt-10.0.0-4.fc41.x86_64
virt-install-4.1.0-5.fc40.noarch
qemu-kvm-8.2.0-9.fc41.x86_64

I think it is OK to close this bug.
Confirmed. After adding copr repo https://dashboard.packit.dev/results/copr-builds/1349099 , I have those selinux packages:

# rpm -qa | grep 'selinux'
libselinux-3.6-4.fc40.x86_64
libselinux-utils-3.6-4.fc40.x86_64
python3-libselinux-3.6-4.fc40.x86_64
smartmontools-selinux-7.4-3.fc40.noarch
swtpm-selinux-0.8.1-5.fc40.noarch
rpm-plugin-selinux-4.19.1.1-1.fc40.x86_64
passt-selinux-0^20240220.g1e6f92b-1.fc40.noarch
nbdkit-selinux-1.37.9-1.fc40.noarch
selinux-policy-40.13-1.20240219143814232296.pr2041.11.g7f2deebb0.fc40.noarch
selinux-policy-targeted-40.13-1.20240219143814232296.pr2041.11.g7f2deebb0.fc40.noarch

# virsh list --all
 Id   Name                State
-----------------------------------
 1    psqlb.ping.local    running
 2    awx.ping.local      running
 3    maria1.ping.local   running
 4    psqla.ping.local    running

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Thanks.
(In reply to Łukasz Posadowski from comment #6)
> Confirmed. After adding copr repo
> https://dashboard.packit.dev/results/copr-builds/1349099 , I have those
> selinux packages:

Spoke too soon. As weird as it sounds, it works sometimes. (-: I still can't find why. My journal for today is on https://wiki.baszarek.pl/magazyn/journal-2262587.gz .
Hitting this problem also... on an F40 pre-release upgraded from F39.
Having the same on f40:

SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.

Additional Information:
Source Context                system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_var_run_t:s0
Target Objects                system.token [ file ]
Source                        virtlogd
Source Path                   virtlogd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.15-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.15-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.1-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:39:30 UTC 2024 x86_64
Alert Count                   12
First Seen                    2024-02-26 15:30:15 IST
Last Seen                     2024-03-27 10:11:21 IST
Local ID                      f17b3391-e730-4eda-a575-bd891fb6c51e

Raw Audit Messages
type=AVC msg=audit(1711527081.142:970): avc: denied { read append } for pid=122194 comm="virtlogd" name="system.token" dev="tmpfs" ino=2506 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0

Hash: virtlogd,virtlogd_t,virt_var_run_t,file,read,append
Has anyone hit this on a /fresh/ install of Fedora 40, as opposed to a 39->40 upgrade? I've just deployed a brand new F40 VM, installed libvirt inside it, rebooted and was able to successfully run a nested VM inside. As was pointed out earlier, long ago this was an SELinux policy bug, but it shouldn't have been a problem for many Fedora releases now. I'm going to struggle to diagnose it unless someone can identify a sequence of steps that reliably reproduces the problem.
I had the same issue, fixed it as described in https://bugzilla.redhat.com/show_bug.cgi?id=2272971#c1
(In reply to Daniel Berrangé from comment #10)
> Has anyone hit this on a /fresh/ install of Fedora 40, as opposed to an
> 39->40 upgrade ?

I swapped disks and did a fresh Fedora 40 install. I can reproduce the problem. I have:

---------------------------------------------------------------
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-nolife.ping.local. For complete SELinux messages run: sealert -l 05fbadfc-1367-4a1c-89e6-342b8f71292a
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-nolife.ping.local.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rpc-virtqemud should be allowed relabelfrom access on the 1-nolife.ping.local directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
# semodule -X 300 -i my-rpcvirtqemud.pp

Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token. For complete SELinux messages run: sealert -l 460c13c2-4944-4e53-b877-8e506c7bb9b9
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that virtlogd should be allowed read append access on the system.token file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'virtlogd' --raw | audit2allow -M my-virtlogd
# semodule -X 300 -i my-virtlogd.pp
---------------------------------------------------------------

in journal. My VM is sometimes off after host reboot:

root@ftest40virsh:~# virsh list --all
 Id   Name                State
------------------------------------
 -    nolife.ping.local   shut off

This happens when I am trying to run it:

root@ftest40virsh:~# virsh start --domain nolife.ping.local
error: Failed to start domain 'nolife.ping.local'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

with

Apr 08 20:14:02 ftest40virsh.ping.local setroubleshoot[1783]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 2-nolife.ping.local.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rpc-virtqemud should be allowed relabelfrom access on the 2-nolife.ping.local directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
# semodule -X 300 -i my-rpcvirtqemud.pp

in journal.
The problem went away for me on F40 pre-release.
On my F40, which was upgraded from F39, I am still having issues with SELinux enforcing:

Apr 21 12:46:37 mckenna.ping.local audit[1361]: VIRT_CONTROL pid=1361 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="awx.ping.local" uuid=3e661383-2190-4641-8ffe-b96c7465de75 vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Apr 21 12:46:37 mckenna.ping.local virtqemud[1361]: internal error: Failed to autostart VM 'awx.ping.local': can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied
Apr 21 12:46:38 mckenna.ping.local systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Apr 21 12:46:41 mckenna.ping.local systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing daemon-init from relabelfrom access on the file master-key.aes. For complete SELinux messages run: sealert -l ebdc9c9a-21b8-4e0f-883b-21445700dcbd
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing daemon-init from relabelfrom access on the file master-key.aes.
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token. For complete SELinux messages run: sealert -l 84a89654-338e-422d-a302-5ff21501dac4
Apr 21 12:46:51 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.
If you believe that virtlogd should be allowed read append access on the system.token file by default.

I will leave this system intentionally in that state and just disable selinux when not testing for this thread. Maybe some policy upgrade will fix this and we'll know which one did it.
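Added example, not code from this bug report, libvirt or selinux-policy: the grouping that `ausearch -c 'virtlogd' --raw | audit2allow -M my-virtlogd` performs, redone in plain Python so the rule can be read before `semodule -X 300 -i` loads it, and so permissive-mode records are not mistaken for enforced denials. The sample input is constructed: the first record is the raw virtlogd AVC quoted in an earlier comment; the rpc-virtqemud relabelfrom record is an assumed raw form of the setroubleshoot summary quoted above (the thread shows only the summary; the source type virtqemud_t is taken from the sedismod dump in comment #1, the pid and inode are invented); the permissive=1 record and the SYSCALL line are invented to exercise the filtering.

```python
"""Turn raw SELinux AVC records into the minimal allow rules they imply.

Added example for this bug thread; it is not part of libvirt, selinux-policy
or audit2allow. It mirrors what audit2allow does with `ausearch --raw`
output: group denials by (source type, target type, object class), merge the
permissions, and print a .te module in the same layout.
"""
import re
from collections import defaultdict

# Constructed sample input (see the lead-in for what is real and what is assumed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1711527081.142:970): avc:  denied  { read append } for  pid=122194 comm="virtlogd" name="system.token" dev="tmpfs" ino=2506 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1712599753.100:412): avc:  denied  { relabelfrom } for  pid=1361 comm="rpc-virtqemud" name="1-nolife.ping.local" dev="tmpfs" ino=3001 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1712599760.500:413): avc:  denied  { unmount } for  pid=1361 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(1711527081.142:970): arch=c000003e syscall=257 success=no exit=-13 comm="virtlogd"
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit line."""
    m = DENIED_RE.search(line)
    if not m or not line.startswith("type=AVC"):
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": frozenset(m.group(1).split()),
        "comm": fields.get("comm", "?"),
        # path= only appears with full auditing enabled; name= is the fallback
        "name": fields.get("path") or fields.get("name", "?"),
        "stype": fields["scontext"].split(":")[2],  # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not actually blocked
        "enforced": fields.get("permissive", "0") == "0",
    }


def group_denials(text, include_permissive=False):
    """Merge records into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or (not rec["enforced"] and not include_permissive):
            continue
        groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def render_te_module(groups, name="my_virt_local"):
    """Render .te source: module header, require block, then one allow rule per group."""
    types = sorted({t for key in groups for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in groups.items():
        classes[tclass] |= perms

    def fmt(perms):
        p = sorted(perms)
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {fmt(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module(group_denials(SAMPLE_AUDIT)))
```

The rule it prints for the first record, `allow virtlogd_t virt_var_run_t:file { append read };`, is the same one audit2allow produces, and it is wider than the symptom: it grants virtlogd_t read/append on every file labelled virt_var_run_t under /run/libvirt, not only system.token. That is why a local module is a stop-gap until the fixed selinux-policy build is installed. Note also what the AVC itself says: the token already carries the expected virt_var_run_t label, which is why the restorecon run reported in comment #1 could not help; the gap is a missing allow rule in the policy, not a mislabelled file.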
*** Bug 2276834 has been marked as a duplicate of this bug. ***
I am going to close this bz originally created for the system.token file. There is an ongoing effort to resolve the other bzs, e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=2272971
https://bugzilla.redhat.com/show_bug.cgi?id=2273960
https://bugzilla.redhat.com/show_bug.cgi?id=2245233
It will probably require more than one iteration of builds.