Bug 2262587 - Error when starting a domain: Unable to open system token /run/libvirt/common/system.token: Permission denied
Summary: Error when starting a domain: Unable to open system token /run/libvirt/common...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 2276834
Depends On:
Blocks:
 
Reported: 2024-02-04 03:50 UTC by Han Han
Modified: 2024-04-26 10:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-04-26 10:40:28 UTC
Type: ---
Embargoed:



Description Han Han 2024-02-04 03:50:39 UTC
Versions:
kernel-6.7.1-200.fc39.x86_64
selinux-policy-40.10-1.fc40.noarch
libvirt-10.0.0-3.fc40.x86_64
virt-install-4.1.0-5.fc40.noarch
qemu-kvm-8.2.0-7.fc40.x86_64

Reproducible: Always

Steps to Reproduce:
1. Start a domain by virt-install
# virt-install --transient --install fedora39 -n test --disk none -r 2048 --graphic none
Using fedora39 --location https://download.fedoraproject.org/pub/fedora/linux/releases/39/Everything/x86_64/os

It doesn't work when `setenforce 0`, either.

Starting install...
Retrieving 'vmlinuz'                                                                                                                                                        | 6.8 MB  00:00:00 ... 
Retrieving 'initrd.img'                                                                                                                                                     |  97 MB  00:00:02 ... 
ERROR    can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start test
otherwise, please restart your installation



Actual Results:  
As above

Expected Results:  
No error

AVC denial error in /var/log/message:
Feb  4 11:46:01 dell-per440-16 systemd[8873]: Started tmux-spawn-7cbb26c8-44b4-41ad-882d-dc140252a6c5.scope - tmux child pane 14071 launched by process 8922.
Feb  4 11:46:01 dell-per440-16 audit: BPF prog-id=175 op=LOAD
Feb  4 11:46:01 dell-per440-16 audit: BPF prog-id=176 op=LOAD
Feb  4 11:46:01 dell-per440-16 audit: BPF prog-id=177 op=LOAD
Feb  4 11:46:01 dell-per440-16 systemd[1]: Starting systemd-hostnamed.service - Hostname Service...
Feb  4 11:46:01 dell-per440-16 systemd[1]: Started systemd-hostnamed.service - Hostname Service.
Feb  4 11:46:01 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:04.080Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:04.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:04.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:14.080Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:14.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:14 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:14.081Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:14 dell-per440-16 systemd[1]: Starting virtqemud.service - libvirt QEMU daemon...
Feb  4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: info : libvirt version: 10.0.0, package: 3.fc40 (Fedora Project, 2024-01-25-04:04:02, )
Feb  4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: info : hostname: dell-per440-16.lab.eng.pek2.redhat.com
Feb  4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: debug : virLogParseOutputs:1638 : outputs=1:file:/var/log/libvirt/virtqemud.log
Feb  4 11:46:14 dell-per440-16 virtqemud[14100]: 2024-02-04 03:46:14.500+0000: 14100: debug : virLogParseOutput:1485 : output=1:file:/var/log/libvirt/virtqemud.log
Feb  4 11:46:14 dell-per440-16 systemd[1]: Started virtqemud.service - libvirt QEMU daemon.
Feb  4 11:46:14 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtqemud comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:24.081Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:24.082Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:24 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:24.082Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:26 dell-per440-16 audit[14100]: AVC avc:  denied  { execute } for  pid=14100 comm="rpc-virtqemud" name="swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb  4 11:46:26 dell-per440-16 audit[14344]: AVC avc:  denied  { execute_no_trans } for  pid=14344 comm="swtpm_setup" path="/usr/bin/swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb  4 11:46:26 dell-per440-16 audit[14344]: AVC avc:  denied  { map } for  pid=14344 comm="swtpm" path="/usr/bin/swtpm" dev="sda3" ino=21893807 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
Feb  4 11:46:26 dell-per440-16 systemd[1]: Starting virtstoraged.service - libvirt storage daemon...
Feb  4 11:46:26 dell-per440-16 systemd[1]: Started virtstoraged.service - libvirt storage daemon.
Feb  4 11:46:26 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtstoraged comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:28 dell-per440-16 systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Feb  4 11:46:28 dell-per440-16 systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Feb  4 11:46:28 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:28 dell-per440-16 audit[14368]: AVC avc:  denied  { create } for  pid=14368 comm="locate" anonclass=[io_uring] scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
Feb  4 11:46:28 dell-per440-16 systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Feb  4 11:46:28 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@7 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:29 dell-per440-16 audit[14100]: VIRT_MACHINE_ID pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-ctx=system_u:system_r:svirt_t:s0:c224,c785 img-ctx=system_u:object_r:svirt_image_t:s0:c224,c785 model=selinux exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:29 dell-per440-16 audit[14100]: VIRT_MACHINE_ID pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: Found left-over process 12849 (dnsmasq) in control group while starting unit. Ignoring.
Feb  4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb  4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: Found left-over process 12850 (dnsmasq) in control group while starting unit. Ignoring.
Feb  4 11:46:29 dell-per440-16 systemd[1]: virtnetworkd.service: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Feb  4 11:46:29 dell-per440-16 systemd[1]: Starting virtnetworkd.service - libvirt network daemon...
Feb  4 11:46:29 dell-per440-16 systemd[1]: Started virtnetworkd.service - libvirt network daemon.
Feb  4 11:46:29 dell-per440-16 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtnetworkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:29 dell-per440-16 audit[14407]: NETFILTER_CFG table=mangle:49 family=2 entries=1 op=nft_unregister_rule pid=14407 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14408]: NETFILTER_CFG table=nat:50 family=2 entries=1 op=nft_unregister_rule pid=14408 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14409]: NETFILTER_CFG table=nat:51 family=2 entries=1 op=nft_unregister_rule pid=14409 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14411]: NETFILTER_CFG table=nat:52 family=2 entries=1 op=nft_unregister_rule pid=14411 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14412]: NETFILTER_CFG table=nat:53 family=2 entries=1 op=nft_unregister_rule pid=14412 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14413]: NETFILTER_CFG table=nat:54 family=2 entries=1 op=nft_unregister_rule pid=14413 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14414]: NETFILTER_CFG table=filter:55 family=2 entries=1 op=nft_unregister_rule pid=14414 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14415]: NETFILTER_CFG table=filter:56 family=2 entries=1 op=nft_unregister_rule pid=14415 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from execute access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l 3daa71c5-0366-4fce-95fa-ef47385d4aa9
Feb  4 11:46:29 dell-per440-16 audit[14416]: NETFILTER_CFG table=filter:57 family=2 entries=1 op=nft_unregister_rule pid=14416 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14417]: NETFILTER_CFG table=filter:58 family=2 entries=1 op=nft_unregister_rule pid=14417 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from execute access on the file /usr/bin/swtpm.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that rpc-virtqemud should be allowed execute access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud#012# semodule -X 300 -i my-rpcvirtqemud.pp#012
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm_setup from execute_no_trans access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l d869c2c3-29e3-46f7-84c3-c01fd2d4097b
Feb  4 11:46:29 dell-per440-16 audit[14418]: NETFILTER_CFG table=filter:59 family=2 entries=1 op=nft_unregister_rule pid=14418 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14419]: NETFILTER_CFG table=filter:60 family=2 entries=1 op=nft_unregister_rule pid=14419 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm_setup from execute_no_trans access on the file /usr/bin/swtpm.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that swtpm_setup should be allowed execute_no_trans access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'swtpm_setup' --raw | audit2allow -M my-swtpmsetup#012# semodule -X 300 -i my-swtpmsetup.pp#012
Feb  4 11:46:29 dell-per440-16 audit[14420]: NETFILTER_CFG table=filter:61 family=2 entries=1 op=nft_unregister_rule pid=14420 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm from map access on the file /usr/bin/swtpm. For complete SELinux messages run: sealert -l 6c6b7743-ae62-4c2b-9896-37f7422dd6b8
Feb  4 11:46:29 dell-per440-16 audit[14421]: NETFILTER_CFG table=filter:62 family=2 entries=1 op=nft_unregister_rule pid=14421 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 setroubleshoot[14366]: SELinux is preventing swtpm from map access on the file /usr/bin/swtpm.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow domain to can mmap files#012Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.#012#012Do#012setsebool -P domain_can_mmap_files 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that swtpm should be allowed map access on the swtpm file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm#012# semodule -X 300 -i my-swtpm.pp#012
Feb  4 11:46:29 dell-per440-16 audit[14423]: NETFILTER_CFG table=filter:63 family=2 entries=1 op=nft_unregister_rule pid=14423 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:29 dell-per440-16 audit[14424]: NETFILTER_CFG table=filter:64 family=2 entries=1 op=nft_unregister_rule pid=14424 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14425]: NETFILTER_CFG table=filter:65 family=2 entries=1 op=nft_unregister_rule pid=14425 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 sedispatch[937]: AVC Message regarding setroubleshoot, ignoring message
Feb  4 11:46:30 dell-per440-16 audit[14426]: NETFILTER_CFG table=filter:66 family=2 entries=1 op=nft_unregister_rule pid=14426 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14427]: NETFILTER_CFG table=filter:67 family=2 entries=1 op=nft_unregister_rule pid=14427 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14428]: NETFILTER_CFG table=filter:68 family=2 entries=1 op=nft_register_rule pid=14428 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14429]: NETFILTER_CFG table=filter:69 family=2 entries=1 op=nft_register_rule pid=14429 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14430]: NETFILTER_CFG table=filter:70 family=2 entries=1 op=nft_register_rule pid=14430 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14431]: NETFILTER_CFG table=filter:71 family=2 entries=1 op=nft_register_rule pid=14431 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14432]: NETFILTER_CFG table=filter:72 family=2 entries=1 op=nft_register_rule pid=14432 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14433]: NETFILTER_CFG table=filter:73 family=2 entries=1 op=nft_register_rule pid=14433 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14434]: NETFILTER_CFG table=filter:74 family=2 entries=1 op=nft_register_rule pid=14434 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14435]: NETFILTER_CFG table=filter:75 family=2 entries=1 op=nft_register_rule pid=14435 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14436]: NETFILTER_CFG table=filter:76 family=2 entries=1 op=nft_register_rule pid=14436 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14437]: NETFILTER_CFG table=filter:77 family=2 entries=1 op=nft_register_rule pid=14437 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14438]: NETFILTER_CFG table=filter:78 family=2 entries=1 op=nft_register_rule pid=14438 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14439]: NETFILTER_CFG table=filter:79 family=2 entries=1 op=nft_register_rule pid=14439 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14440]: NETFILTER_CFG table=filter:80 family=2 entries=1 op=nft_register_rule pid=14440 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14441]: NETFILTER_CFG table=nat:81 family=2 entries=1 op=nft_register_rule pid=14441 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14442]: NETFILTER_CFG table=nat:82 family=2 entries=1 op=nft_register_rule pid=14442 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14443]: NETFILTER_CFG table=nat:83 family=2 entries=1 op=nft_register_rule pid=14443 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14444]: NETFILTER_CFG table=nat:84 family=2 entries=1 op=nft_register_rule pid=14444 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14445]: NETFILTER_CFG table=nat:85 family=2 entries=1 op=nft_register_rule pid=14445 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 audit[14446]: NETFILTER_CFG table=mangle:86 family=2 entries=1 op=nft_register_rule pid=14446 subj=system_u:system_r:iptables_t:s0 comm="iptables"
Feb  4 11:46:30 dell-per440-16 dnsmasq[12849]: read /etc/hosts - 8 names
Feb  4 11:46:30 dell-per440-16 dnsmasq[12849]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Feb  4 11:46:30 dell-per440-16 dnsmasq-dhcp[12849]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Feb  4 11:46:30 dell-per440-16 audit[14449]: AVC avc:  denied  { relabelfrom } for  pid=14449 comm="rpc-virtqemud" name="1-test" dev="tmpfs" ino=2458 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=net reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-net="?" new-net="52:54:00:f8:3b:5f" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=chardev reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-chardev="?" new-chardev="/run/libvirt/qemu/channel/1-test/org.qemu.guest_agent.0" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=rng reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-rng="?" new-rng="/dev/urandom" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=mem reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-mem=0 new-mem=2097152 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_RESOURCE pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=vcpu reason=start vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d old-vcpu=0 new-vcpu=2 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:30 dell-per440-16 audit[14100]: VIRT_CONTROL pid=14100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="test" uuid=1d22026a-8d7f-4894-9e3e-a92f78f41d0d vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Feb  4 11:46:31 dell-per440-16 systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Feb  4 11:46:31 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:31 dell-per440-16 audit: BPF prog-id=177 op=UNLOAD
Feb  4 11:46:31 dell-per440-16 audit: BPF prog-id=176 op=UNLOAD
Feb  4 11:46:31 dell-per440-16 audit: BPF prog-id=175 op=UNLOAD
Feb  4 11:46:32 dell-per440-16 audit[14457]: AVC avc:  denied  { create } for  pid=14457 comm="locate" anonclass=[io_uring] scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
Feb  4 11:46:33 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-test. For complete SELinux messages run: sealert -l b6f6b484-a62b-4b5f-acc2-b05bd2111083
Feb  4 11:46:33 dell-per440-16 setroubleshoot[14366]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-test.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that rpc-virtqemud should be allowed relabelfrom access on the 1-test directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud#012# semodule -X 300 -i my-rpcvirtqemud.pp#012
Feb  4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:34.081Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:34.083Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:34 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:34.083Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:35 dell-per440-16 sedispatch[937]: AVC Message regarding setroubleshoot, ignoring message
Feb  4 11:46:43 dell-per440-16 systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Deactivated successfully.
Feb  4 11:46:43 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@7 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:43 dell-per440-16 systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged: Consumed 1.044s CPU time.
Feb  4 11:46:43 dell-per440-16 systemd[1]: setroubleshootd.service: Deactivated successfully.
Feb  4 11:46:43 dell-per440-16 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:44.083Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:44.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:44 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:44.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:46:54.083Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 7 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:54.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:46:54 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:46:54.084Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=error ts=2024-02-04T03:47:04.084Z caller=dispatch.go:354 component=dispatcher msg="Notify for alerts failed" num_alerts=2 err="ceph-dashboard/webhook[0]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused; ceph-dashboard/webhook[1]: notify retry canceled after 8 attempts: Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:47:04.085Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[0] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"
Feb  4 11:47:04 dell-per440-16 ceph-1100716e-1bd6-11ee-995b-2cea7f7a0e59-alertmanager-dell-per440-16[2314]: level=warn ts=2024-02-04T03:47:04.085Z caller=notify.go:724 component=dispatcher receiver=ceph-dashboard integration=webhook[1] msg="Notify attempt failed, will retry later" attempts=1 err="Post \"https://host.containers.internal:8443/api/prometheus_receiver\": dial tcp 10.73.114.79:8443: connect: connection refused"

Comment 1 Łukasz Posadowski 2024-02-18 12:29:51 UTC
Hi.

I also have this bug after upgrading from Fedora 39 to Fedora 40:
Unable to open system token /run/libvirt/common/system.token: Permission denied

It might be related to https://access.redhat.com/errata/RHBA-2021:4420 , because the errata shows the same error message, but for RHEL8.

My journal logs:

Feb 18 12:48:15 mckenna.ping.local setroubleshoot[1714]: SELinux is preventing daemon-init from relabelfrom access on the directory 5-maria1.ping.local. For complete SELinux messages run: sealert -l 9d377782-1046-46c4-8e87-fb8ba348d053
Feb 18 12:48:15 mckenna.ping.local setroubleshoot[1714]: SELinux is preventing daemon-init from relabelfrom access on the directory 5-maria1.ping.local.
                                                         
                                                         *****  Plugin catchall (100. confidence) suggests   **************************
                                                         
                                                         If you believe that daemon-init should be allowed relabelfrom access on the 5-maria1.ping.local directory by default.
                                                         Then you should report this as a bug.
                                                         You can generate a local policy module to allow this access.
                                                         Do
                                                         allow this access for now by executing:
                                                         # ausearch -c 'daemon-init' --raw | audit2allow -M my-daemoninit
                                                         # semodule -X 300 -i my-daemoninit.pp


Sedismod of this policy:

# sedismod my-daemoninit.mod 
Reading policy...
libsepol.policydb_index_others: security:  0 users, 1 roles, 4 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  3 classes, 0 rules, 0 cond rules
libsepol.policydb_index_others: security:  0 users, 1 roles, 4 types, 0 bools
libsepol.policydb_index_others: security: 0 sens, 0 cats
libsepol.policydb_index_others: security:  3 classes, 0 rules, 0 cond rules
Binary policy module file loaded.
Module name: my-daemoninit
Module version: 1.0
Policy version: 21


Select a command:
1) display unconditional AVTAB
2) display conditional AVTAB
3) display users
4) display bools
5) display roles
6) display types, attributes, and aliases
7) display role transitions
8) display role allows
9) Display policycon
0) Display initial SIDs

a) Display avrule requirements
b) Display avrule declarations
c) Display policy capabilities
l) Link in a module
u) Display the unknown handling setting
F) Display filename_trans rules
v) display the version of policy and/or module

f) set output file
m) display menu
q) quit

Command ('m' for menu):  1
unconditional avtab:
--- begin avrule block ---
decl 1:
  allow  [virtqemud_t]  [device_t] : [filesystem] { unmount };
  allow  [virtqemud_t]  [urandom_device_t] : [chr_file] { setattr };
  allow  [virtqemud_t]  [virt_var_run_t] : [dir] { relabelfrom };

Command ('m' for menu):  2
conditional avtab:
--- begin avrule block ---
decl 1:

Command ('m' for menu):  3

Command ('m' for menu):  4

Command ('m' for menu):  5
role: object_r types:  

Command ('m' for menu):  6
 [device_t] [3]: type flags:0
 [urandom_device_t] [1]: type flags:0
 [virt_var_run_t] [2]: type flags:0
 [virtqemud_t] [4]: type flags:0

Command ('m' for menu):  7
role transitions:
--- begin avrule block ---
decl 1:

Command ('m' for menu):  8
role allows:
--- begin avrule block ---
decl 1:

Command ('m' for menu):  9
Sorry, not implemented

Command ('m' for menu):  0
Initial SIDs:

Command ('m' for menu):  a
avrule block requirements:
--- begin avrule block ---
decl 1:
commons: <empty>
classes: dir { relabelfrom } filesystem { unmount } chr_file { setattr }
roles  : <empty>
types  : urandom_device_t virt_var_run_t device_t virtqemud_t
users  : <empty>
bools  : <empty>
levels : <empty>
cats   : <empty>

Command ('m' for menu):  b
avrule block declarations:
--- begin avrule block ---
decl 1:
commons: <empty>
classes: <empty>
roles  : <empty>
types  : <empty>
users  : <empty>
bools  : <empty>
levels : <empty>
cats   : <empty>

Command ('m' for menu):  c
policy capabilities:

Command ('m' for menu):  l
Can only link if initial file was a base policy.

Command ('m' for menu):  u
Deny unknown classes and perms

Command ('m' for menu):  F
filename_trans rules:
--- begin avrule block ---
decl 1:
filename transition
Command ('m' for menu):  v
Binary policy module file loaded.
Module name: my-daemoninit
Module version: 1.0
Policy version: 21


----------------------------------------------

"restorecon -Rv /var/lib/libvirt" did relabel files, but VMs are still not able to start:

# virsh start --domain maria1.ping.local 
error: Failed to start domain 'maria1.ping.local'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

----------------------------------------------

After switching SELinux to permissive mode all VMs are running fine.

# virsh list --all
 Id   Name                State
-----------------------------------
 1    psqlb.ping.local    running
 2    awx.ping.local      running
 3    maria1.ping.local   running
 4    psqla.ping.local    running

Comment 2 Zdenek Pytela 2024-02-21 11:46:08 UTC
There are multiple denials in the journal, some of them not related. Can you
1. update to selinux-policy-40.10-1.fc40.noarch or the one from
https://dashboard.packit.dev/results/copr-builds/1349099

2. Gather AVC denials, preferably with full auditing enabled?
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 3 Zdenek Pytela 2024-02-21 11:51:42 UTC
(In reply to Łukasz Posadowski from comment #1)
> I also have this bug after upgrading from Fedora 39 to Fedora 40:
> Unable to open system token /run/libvirt/common/system.token: Permission
> denied
> 
> It might be related to https://access.redhat.com/errata/RHBA-2021:4420 ,
> because errata is showing the same error message, but for RHEL8.
Can you write down specific AVC denials? The fix for the https://bugzilla.redhat.com/show_bug.cgi?id=1966842 bug referred to from the advisory has been in Fedora for 3 years.

Comment 4 Łukasz Posadowski 2024-02-24 08:41:22 UTC
(In reply to Zdenek Pytela from comment #2)
> There are multiple denials in the journal, some of them not related. Can you
> 1. update to selinux-policy-40.10-1.fc40.noarch or the one from
> https://dashboard.packit.dev/results/copr-builds/1349099
> 
> 2. Gather Avc denial, preferably with full auditing enabled?
> https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Thank you. I will have some time on Monday or Tuesday and attach more audit logs.

Comment 5 Han Han 2024-03-01 09:05:04 UTC
(In reply to Zdenek Pytela from comment #2)
> There are multiple denials in the journal, some of them not related. Can you
> 1. update to selinux-policy-40.10-1.fc40.noarch or the one from
> https://dashboard.packit.dev/results/copr-builds/1349099
> 
> 2. Gather Avc denial, preferably with full auditing enabled?
> https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

It works for me on:
selinux-policy-40.13-1.fc40.noarch
libvirt-10.0.0-4.fc41.x86_64
virt-install-4.1.0-5.fc40.noarch
qemu-kvm-8.2.0-9.fc41.x86_64


I think it is OK to close this bug.

Comment 6 Łukasz Posadowski 2024-03-02 09:29:08 UTC
Confirmed. After adding copr repo https://dashboard.packit.dev/results/copr-builds/1349099 , I have those selinux packages:

# rpm -qa | grep 'selinux'
libselinux-3.6-4.fc40.x86_64
libselinux-utils-3.6-4.fc40.x86_64
python3-libselinux-3.6-4.fc40.x86_64
smartmontools-selinux-7.4-3.fc40.noarch
swtpm-selinux-0.8.1-5.fc40.noarch
rpm-plugin-selinux-4.19.1.1-1.fc40.x86_64
passt-selinux-0^20240220.g1e6f92b-1.fc40.noarch
nbdkit-selinux-1.37.9-1.fc40.noarch
selinux-policy-40.13-1.20240219143814232296.pr2041.11.g7f2deebb0.fc40.noarch
selinux-policy-targeted-40.13-1.20240219143814232296.pr2041.11.g7f2deebb0.fc40.noarch

# virsh list --all
 Id   Name                State
-----------------------------------
 1    psqlb.ping.local    running
 2    awx.ping.local      running
 3    maria1.ping.local   running
 4    psqla.ping.local    running

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33



Thanks.

Comment 7 Łukasz Posadowski 2024-03-02 15:03:33 UTC
(In reply to Łukasz Posadowski from comment #6)
> Confirmed. After adding copr repo
> https://dashboard.packit.dev/results/copr-builds/1349099 , I have those
> selinux packages:

Spoken too soon. As weird as it sounds, it works sometimes. (-: I still can't find why. My journal for today is on https://wiki.baszarek.pl/magazyn/journal-2262587.gz .

Comment 8 Scott Dowdle 2024-03-06 18:43:57 UTC
Hitting this problem also... on an F40 pre-release upgraded from F39.

Comment 9 Andrey Motoshkov 2024-03-27 08:21:53 UTC
Having the same on f40:
SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.
Additional Information:
Source Context                system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_var_run_t:s0
Target Objects                system.token [ file ]
Source                        virtlogd
Source Path                   virtlogd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.15-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.15-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.1-300.fc40.x86_64
                              #1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:39:30 UTC
                              2024 x86_64
Alert Count                   12
First Seen                    2024-02-26 15:30:15 IST
Last Seen                     2024-03-27 10:11:21 IST
Local ID                      f17b3391-e730-4eda-a575-bd891fb6c51e

Raw Audit Messages
type=AVC msg=audit(1711527081.142:970): avc:  denied  { read append } for  pid=122194 comm="virtlogd" name="system.token" dev="tmpfs" ino=2506 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0


Hash: virtlogd,virtlogd_t,virt_var_run_t,file,read,append
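
As an added example (not code from this bug, libvirt or selinux-policy), here is a small Python triage that parses raw AVC records like the one quoted in comment 9, derives the allow rule a local module built with the audit2allow workflow from comments 1 and 12 would contain (the same shape as the rules sedismod lists in comment 1), and separates the system.token denial this bug tracks from the unrelated relabelfrom denials. The second sample line is constructed from the setroubleshoot summary in comment 12; its pid, inode and timestamp are made up.

```python
import re
from typing import Optional

# Constructed sample input. The first line is the raw AVC record quoted in
# comment 9; the second is constructed (pid/ino/timestamp invented) from the
# rpc-virtqemud relabelfrom denial setroubleshoot reports in comment 12.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1711527081.142:970): avc:  denied  { read append } for  '
    'pid=122194 comm="virtlogd" name="system.token" dev="tmpfs" ino=2506 '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1712599753.000:1): avc:  denied  { relabelfrom } for  '
    'pid=1460 comm="rpc-virtqemud" name="2-nolife.ping.local" dev="tmpfs" ino=77 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=0',
]

# Matches "avc:  denied  { read append } for  pid=... comm=... ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"


def context_type(context: str) -> str:
    """Return the type part of a user:role:type[:level] SELinux context."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one raw audit line; returns None for non-AVC records (SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def allow_rule(avc: dict) -> str:
    """Render the allow rule that would grant exactly the denied access
    (source type, target type, class, sorted permissions)."""
    perms = ' '.join(sorted(avc['perms']))
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"


def is_system_token_denial(avc: dict) -> bool:
    """True only for the denial this bug is about: virtlogd_t needing read/append
    on the virt_var_run_t-labelled system.token file."""
    return (avc['result'] == 'denied' and avc['stype'] == 'virtlogd_t'
            and avc['ttype'] == 'virt_var_run_t' and avc['tclass'] == 'file'
            and avc['name'] == 'system.token'
            and {'read', 'append'} <= set(avc['perms']))


def triage(lines) -> list:
    """Label each denial as this bug's signature or 'other' and pair it with the
    rule a local module would need; non-AVC and granted records are skipped."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        label = 'bug-2262587' if is_system_token_denial(avc) else 'other'
        out.append((label, avc['comm'], allow_rule(avc)))
    return out
```

Feed it the output of `ausearch -m AVC --raw` to see which denials are this bug and which would need their own report; the rule text is what audit2allow would wrap into a module, not something to load blindly.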

Comment 10 Daniel Berrangé 2024-03-27 12:12:37 UTC
Has anyone hit this on a /fresh/ install of Fedora 40, as opposed to a 39->40 upgrade?

I've just deployed a brand new F40 VM, and installed libvirt inside it, rebooted and was able to successfully run a nested VM inside.

As was pointed out earlier, long ago this was an SELinux policy bug, but it shouldn't have been a problem for many Fedora releases now.

I'm going to struggle to diagnose it unless someone can identify a sequence of steps that reliably reproduces the problem.

Comment 11 Georg Müller 2024-04-05 11:25:10 UTC
I had the same issue, fixed it as described in https://bugzilla.redhat.com/show_bug.cgi?id=2272971#c1

Comment 12 Łukasz Posadowski 2024-04-08 18:16:02 UTC
(In reply to Daniel Berrangé from comment #10)
> Has anyone hit this on a /fresh/ install of Fedora 40, as opposed to an
> 39->40 upgrade ?

I swapped disks and did a fresh Fedora 40 install. I can reproduce the problem.

I have:

---------------------------------------------------------------
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-nolife.ping.local. For complete SELinux messages run: sealert -l 05fbadfc-1367-4a1c-89e6-342b8f71292a
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 1-nolife.ping.local.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************
                                                              
                                                              If you believe that rpc-virtqemud should be allowed relabelfrom access on the 1-nolife.ping.local directory by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                                              # semodule -X 300 -i my-rpcvirtqemud.pp
                                                              
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token. For complete SELinux messages run: sealert -l 460c13c2-4944-4e53-b877-8e506c7bb9b9
Apr 08 20:09:13 ftest40virsh.ping.local setroubleshoot[1460]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************
                                                              
                                                              If you believe that virtlogd should be allowed read append access on the system.token file by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'virtlogd' --raw | audit2allow -M my-virtlogd
                                                              # semodule -X 300 -i my-virtlogd.pp
---------------------------------------------------------------
in journal.


My VM is sometimes off after host reboot:
root@ftest40virsh:~# virsh list --all
 Id   Name                State
------------------------------------
 -    nolife.ping.local   shut off

This happens when I am trying to run it:

root@ftest40virsh:~# virsh start --domain nolife.ping.local 
error: Failed to start domain 'nolife.ping.local'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

with 

Apr 08 20:14:02 ftest40virsh.ping.local setroubleshoot[1783]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 2-nolife.ping.local.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************
                                                              
                                                              If you believe that rpc-virtqemud should be allowed relabelfrom access on the 2-nolife.ping.local directory by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                                              # semodule -X 300 -i my-rpcvirtqemud.pp
                                                              
in journal.

Comment 13 Scott Dowdle 2024-04-08 18:26:09 UTC
The problem went away for me on F40 pre-release.

Comment 14 Łukasz Posadowski 2024-04-21 11:16:13 UTC
On my F40, which was upgraded from F39, I am still having issues with SELinux enforcing:

Apr 21 12:46:37 mckenna.ping.local audit[1361]: VIRT_CONTROL pid=1361 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="awx.ping.local" uuid=3e661383-2190-4641-8ffe-b96c7465de75 vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Apr 21 12:46:37 mckenna.ping.local virtqemud[1361]: internal error: Failed to autostart VM 'awx.ping.local': can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied
Apr 21 12:46:38 mckenna.ping.local systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Apr 21 12:46:41 mckenna.ping.local systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing daemon-init from relabelfrom access on the file master-key.aes. For complete SELinux messages run: sealert -l ebdc9c9a-21b8-4e0f-883b-21445700dcbd
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing daemon-init from relabelfrom access on the file master-key.aes.
Apr 21 12:46:50 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token. For complete SELinux messages run: sealert -l 84a89654-338e-422d-a302-5ff21501dac4
Apr 21 12:46:51 mckenna.ping.local setroubleshoot[1565]: SELinux is preventing virtlogd from 'read, append' accesses on the file system.token.
                                                         If you believe that virtlogd should be allowed read append access on the system.token file by default.


I will leave this system intentionally in that state and just disable selinux when not testing for this thread. Maybe some policy upgrade will fix this and we'll know which one did it.

Comment 15 Han Han 2024-04-24 08:53:29 UTC
*** Bug 2276834 has been marked as a duplicate of this bug. ***

Comment 16 Zdenek Pytela 2024-04-25 12:57:06 UTC
I am going to close this bz originally created for the system.token file.

There is an ongoing effort to resolve the other bzs, e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=2272971
https://bugzilla.redhat.com/show_bug.cgi?id=2273960
https://bugzilla.redhat.com/show_bug.cgi?id=2245233

It will probably require more than one iteration of builds.

