When trying to create a new VM (I have the default storage pool at /mnt/ssd/libvirt/images/) the process fails and a SELinux alert pops up.

Kernel: 6.8.0-0.rc7.55.fc40.1.x86_64
SELinux Policy RPM: selinux-policy-targeted-40.13-1.fc40.noarch

Reproducible: Always

Steps to Reproduce:
1. Try to create a new Windows 11 VM

Actual Results:
Error from qemu:
Unable to complete install: 'can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install
    domain = self._create_guest(
             ^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/libvirt.py", line 4529, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

Raw Audit Messages:
type=AVC msg=audit(1709640500.933:805): avc: denied { create } for pid=76920 comm="qemu-img" name="Windows.qcow2" scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file permissive=1

Expected Results:
New image created successfully

The system was upgraded from F39; it was working on the F39 installation, and existing machines are working as expected.
Hi, I don't quite understand.

Firstly, the permission is allowed:

# sesearch -A -s virtstoraged_t -t mnt_t -c file -p create
allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };

Secondly, the system is in permissive mode, so SELinux should not block any syscall:

permissive=1

Thirdly, "Unable to open system token /run/libvirt/common/system.token" refers to a completely different problem. "Permission denied" can also mean a non-SELinux-related one.

Can you clarify this?
1) The same command (# sesearch -A -s virtstoraged_t -t mnt_t -c file -p create) returns nothing for me.

2) The system is not in permissive mode. This was copied from sealert; however:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

3) There are some other SELinux errors occurring after this (reported) one, going on over the next few minutes after trying to create the new VM.
I am sorry for the misleading statements: it actually is the virtstoraged_t domain which is in permissive mode, while the system is enforcing. The rule for mnt_t on my system was in a separate module, so it is not present in Fedora.

Anyway, I don't think a rule needs to be added to selinux-policy. The resolution depends on which filesystem is on the volume:

- label the files and directories if the filesystem knows extended attributes
- mount the volume with one particular label
- create a local policy module which fits your use case
So, I'm trying again this morning to see what's happening, and there is a chain of sealerts right when I open virt-manager, even without doing anything else:

Raw Audit Messages
type=AVC msg=audit(1709716906.491:276): avc: denied { getattr } for pid=1556 comm="rpc-virtqemud" name="/" dev="nvme0n1p1" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1709716895.114:272): avc: denied { execute } for pid=1556 comm="rpc-virtqemud" name="swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709716895.118:273): avc: denied { execute_no_trans } for pid=6003 comm="swtpm_setup" path="/usr/bin/swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709716895.118:274): avc: denied { map } for pid=6003 comm="swtpm" path="/usr/bin/swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1

Probably the failure to create the VM at the end of the wizard is just on top of those denials. Since everything was working fine before the upgrade, I would consider it a regression since F39.
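The following script is an added example and is not part of the bug thread or of the selinux-policy or libvirt projects. It walks through the three resolutions listed in comment 4 for a storage pool on a non-default path, using the reporter's /mnt/ssd/libvirt/images, and it includes a small AVC-to-allow-rule preview so the denials quoted in comments 1 and 5 can be read as the rules a local module would grant before one is built. Assumptions: the pool should carry the same labels as /var/lib/libvirt/images (hence the semanage fcontext equivalence), virt_image_t is the label wanted for a volume without xattr support, and the AVC lines embedded as sample input are copied from the comments above. Privileged commands are only printed unless APPLY=1 is set.

```bash
#!/bin/bash
# Added example (not from the bug report). Three ways to make a libvirt pool
# under /mnt usable by virtstoraged_t/virtqemud_t without patching selinux-policy.
set -eu

POOL_DIR="${POOL_DIR:-/mnt/ssd/libvirt/images}"   # reporter's pool path

# Print a privileged command, or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Option 1 (filesystem supports xattrs: ext4/xfs/btrfs): declare the pool an
# equivalent of the default pool so it inherits the virt labels, then relabel.
label_pool_dir() {
    run semanage fcontext -a -e /var/lib/libvirt/images "$POOL_DIR"
    run restorecon -RFv "$POOL_DIR"
}

# Option 2 (no xattr support, e.g. vfat or some network filesystems): give the
# whole volume one label at mount time. Returns the fstab option string.
mount_option_line() {
    printf 'defaults,context="system_u:object_r:virt_image_t:s0"\n'
}

# Option 3 helper: merge raw AVC lines (stdin) into one allow rule per
# (source type, target type, class), the same shape audit2allow emits, so the
# scope of a local module can be reviewed before it is loaded.
avc_to_allow_rules() {
    awk '
    {
        perms = ""; inperm = 0; st = ""; tt = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms " " $i; continue }
            if (index($i, "scontext=") == 1) { split(substr($i, 10), s, ":"); st = s[3] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), t, ":"); tt = t[3] }
            if (index($i, "tclass=") == 1) tc = substr($i, 8)
        }
        if (st == "" || tt == "" || tc == "" || perms == "") next
        key = st " " tt ":" tc
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; acc[key] = acc[key] " " p[j] }
    }
    END {
        for (k = 1; k <= n; k++) printf "allow %s {%s };\n", keys[k], acc[keys[k]]
    }'
}

# Option 3: build and load a local module from recent denials. If the preview
# shows a rule broader than the pool needs (e.g. writing arbitrary mnt_t files),
# prefer option 1 or 2 instead of loading it.
build_local_module() {
    name="${1:-local_virt_pool}"
    if [ "${APPLY:-0}" = 1 ]; then
        ausearch -m AVC -ts recent | audit2allow -M "$name"
        semodule -i "$name.pp"
    else
        printf 'ausearch -m AVC -ts recent | audit2allow -M %s\nsemodule -i %s.pp\n' "$name" "$name"
    fi
}

# Sample input: AVC lines copied from comments 1 and 5 of the bug report.
SAMPLE_AVCS='type=AVC msg=audit(1709640500.933:805): avc: denied { create } for pid=76920 comm="qemu-img" name="Windows.qcow2" scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709716895.114:272): avc: denied { execute } for pid=1556 comm="rpc-virtqemud" name="swtpm" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709716895.118:273): avc: denied { execute_no_trans } for pid=6003 comm="swtpm_setup" path="/usr/bin/swtpm" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1709716895.118:274): avc: denied { map } for pid=6003 comm="swtpm" path="/usr/bin/swtpm" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1'

preview_sample_rules() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow_rules
}

case "${1:-preview}" in
    preview) preview_sample_rules ;;
    label)   label_pool_dir ;;
    mount)   mount_option_line ;;
    module)  build_local_module "${2:-local_virt_pool}" ;;
esac
```

Run it with no arguments to see the merged rules for the sample denials; `label`, `mount` and `module` print the commands for each option, and `APPLY=1 ./script.sh label` executes them. The preview collapses the three swtpm denials into a single `allow virtqemud_t swtpm_exec_t:file { execute execute_no_trans map };`, which makes it obvious that such a rule belongs in a domain transition to swtpm_t rather than in a local allow module, whereas the mnt_t create rule is exactly what labelling the pool directory avoids.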
*** Bug 2270669 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.