When trying to create a new VM (I have default storage pool at /mnt/ssd/libvirt/images/) process fails and selinux alert pops up. Kernel: 6.8.0-0.rc7.55.fc40.1.x86_64 SELinux Policy RPM: selinux-policy-targeted-40.13-1.fc40.noarch Reproducible: Always Steps to Reproduce: 1. Try to create new Windows 11 VM Actual Results: Error from qemu: Unable to complete install: 'can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied' Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install installer.start_install(guest, meter=meter) File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install domain = self._create_guest( ^^^^^^^^^^^^^^^^^^^ File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest domain = self.conn.createXML(initial_xml or final_xml, 0) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.12/site-packages/libvirt.py", line 4529, in createXML raise libvirtError('virDomainCreateXML() failed') libvirt.libvirtError: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied Raw Audit Messages: type=AVC msg=audit(1709640500.933:805): avc: denied { create } for pid=76920 comm="qemu-img" name="Windows.qcow2" scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file permissive=1 Expected Results: New image created successfully System was upgraded from F39, it was working on F39 installation, existing machines are working as expected.
Hi, I don't quite understand. Firstly, the permission is allowed: # sesearch -A -s virtstoraged_t -t mnt_t -c file -p create allow domain mnt_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; Secondly, the system is in permissive mode, so SELinux should not block any syscall: permissive=1 Thirdly, "Unable to open system token /run/libvirt/common/system.token" refers to a completely different problem. "Permission denied" can also mean a non-SELinux related one. Can you clarify this?
1) Same command (# sesearch -A -s virtstoraged_t -t mnt_t -c file -p create) returns nothing for me 2) System is not in permissive mode. This was copied from sealert, however: $ sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 3) There are some other errors in selinux occuring after this (reported) one, going on over the next few minutes after trying to create new vm.
I am sorry for the misleading statements: It actually is the virtstoraged_t domain which is in permissive mode, while the system is enforcing. The rule for mnt_t on my system was in a separate module, so is not present in Fedora. Anyway I don't think some rule needs to be added to selinux-policy. The resolution depends on which filesystem is on the volume: - label the files and directories if the filesystem knows extended attributes - mount the volume with one particular label - create a local policy module which fits your use case
So, I'm trying this morning again to see what's happening and there is a chain of sealerts right when I'm opening virt-manager even without doing anything else: Raw Audit Messages type=AVC msg=audit(1709716906.491:276): avc: denied { getattr } for pid=1556 comm="rpc-virtqemud" name="/" dev="nvme0n1p1" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 Raw Audit Messages type=AVC msg=audit(1709716895.114:272): avc: denied { execute } for pid=1556 comm="rpc-virtqemud" name="swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 Raw Audit Messages type=AVC msg=audit(1709716895.118:273): avc: denied { execute_no_trans } for pid=6003 comm="swtpm_setup" path="/usr/bin/swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 Raw Audit Messages type=AVC msg=audit(1709716895.118:274): avc: denied { map } for pid=6003 comm="swtpm" path="/usr/bin/swtpm" dev="nvme1n1p3" ino=18831364 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 Probably the failure to create VM at the end of the wizard is just on top of those denials. Since everything was working fine before the upgrade, I would consider it as a regression since F39.
*** Bug 2270669 has been marked as a duplicate of this bug. ***