Bug 2272971 - Error starting domain: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permiso denegado
Summary: Error starting domain: can't connect to virtlogd: Unable to open system token...
Keywords:
Status: CLOSED COMPLETED
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 40
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: https://discussion.fedoraproject.org...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-04-03 13:56 UTC by Héctor Louzao
Modified: 2024-04-30 15:22 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-04-30 15:22:28 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Héctor Louzao 2024-04-03 13:56:50 UTC
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1402, in startup
    self._backend.create()
  File "/usr/lib64/python3.12/site-packages/libvirt.py", line 1379, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permiso denegado


Reproducible: Always

Steps to Reproduce:
1. start virt-manager
2. right-click under the VM you would like to start
3. error
Actual Results:  
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/object/domain.py", line 1402, in startup
    self._backend.create()
  File "/usr/lib64/python3.12/site-packages/libvirt.py", line 1379, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permiso denegado

Expected Results:  
start the VM

box updated from 39 to 40 a few days ago

var/log/audit/audit.log | grep virtlogd

type=AVC msg=audit(1712151268.607:647): avc:  denied  { read append } for  pid=41252 comm="virtlogd" name="system.token" dev="tmpfs" ino=2216 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0

Comment 1 Georg Müller 2024-04-05 11:21:52 UTC
I had the same problem and fixed it by applying the following selinux policy fix:

virtfix.te:
--- start ---

module virtfix 1.0;

require {
	type virtlogd_t;
	type virtnetworkd_var_run_t;
	type virtqemud_t;
	type virt_var_run_t;
	type virtlogd_t;
	class file { append getattr lock open read };
	class dir relabelfrom;
}

#============= virtlogd_t ==============

allow virtlogd_t virtnetworkd_var_run_t:file { append getattr lock open read };

#============= virtqemud_t ==============

allow virtqemud_t virt_var_run_t:dir relabelfrom;

--- end ---

Then compile and install it:

checkmodule -M -m -o virtfix.mod virtfix.te 
semodule_package -o virtfix.pp -m virtfix.mod 
semodule -i virtfix.pp

Comment 2 Georg Müller 2024-04-05 11:27:58 UTC
After applying with semodule, the services have to be restarted:

systemctl restart virtqemud virtlogd virtnetworkd

Comment 3 Łukasz Posadowski 2024-04-08 15:12:53 UTC
@(In reply to Georg Müller from comment #1)
> I had the same problem and fixed it by applying the following selinux policy
> fix:
[...]

I must admit, I have no idea what I just did. (-: And it didn't help either. 

Everytime I try to start a domain, I have

Apr 08 17:03:41 mckenna.ping.local polkitd[1156]: Registered Authentication Agent for unix-process:1732:17710 (system bus name :1.35 [/usr/bin/pkttyagent --process 1732 --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 08 17:03:41 mckenna.ping.local polkitd[1156]: Unregistered Authentication Agent for unix-process:1732:17710 (system bus name :1.35, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

in journal. One thing is particularly weird. It is not enough to set selinux into permissive mode. Virsh domains are starting *only* when it is disabled.

Comment 4 Georg Müller 2024-04-10 13:25:03 UTC
After a reboot I also had problems again.

After doing some new rounds of ausearch, audit2allow and module updates I have an updated virtfix.te:

--- start ---

module virtfix 1.0;

require {
	type virtlogd_t;
	type virtnetworkd_var_run_t;
	type virtqemud_t;
	type virt_var_run_t;
	type virtlogd_t;
	class file { append getattr lock open read };
	class dir relabelfrom;
}

#============= virtlogd_t ==============

allow virtlogd_t virtnetworkd_var_run_t:file { append getattr lock open read };
allow virtlogd_t virt_var_run_t:file { append getattr lock open read };

#============= virtqemud_t ==============

allow virtqemud_t virt_var_run_t:dir relabelfrom;

--- end ---

the only additional line is the following:
    allow virtlogd_t virt_var_run_t:file { append getattr lock open read };

Comment 5 Adam Williamson 2024-04-10 22:46:10 UTC
I have this same problem on my regular system (I've been having it for months, but haven't got around to reporting it). However, I can't reproduce it on a clean install of Fedora 40 to a test system - that install can run system session VMs just fine.

For me this only affects system session VMs; I can run user session VMs OK (which is what I've been using as a workaround).

Comment 6 Adam Williamson 2024-04-10 22:49:39 UTC
On my affected system, the context of /run/libvirt/common/system.token is system_u:object_r:virt_var_run_t:s0 . On the fresh install, it's system_u:object_r:virt_common_var_run_t:s0 . Running restorecon -v on it changes the context to virt_common_var_run_t , but virt-manager still cannot launch any system session VMs.

Comment 7 Adam Williamson 2024-04-11 00:17:13 UTC
Also can't reproduce this by doing a clean Fedora 39 install, installing virt-manager, creating and booting a system session VM, then upgrading to F40. The VM still runs fine in the upgraded system. Hrm.

Comment 8 Adam Williamson 2024-04-11 00:53:46 UTC
Oooh. So I found https://www.mail-archive.com/users@lists.libvirt.org/msg00087.html , where someone who also ran into this said doing a complete relabel fixed it for them...and it does for me too!

sudo touch /.autorelabel
reboot
wait a long time
try again

I still see some SELinux denials, but the VM does at least run now.

Comment 9 Zdenek Pytela 2024-04-11 06:32:21 UTC
(In reply to Łukasz Posadowski from comment #3)
> Everytime I try to start a domain, I have
> 
> Apr 08 17:03:41 mckenna.ping.local polkitd[1156]: Registered Authentication
> Agent for unix-process:1732:17710 (system bus name :1.35
> [/usr/bin/pkttyagent --process 1732 --notify-fd 4 --fallback], object path
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr 08 17:03:41 mckenna.ping.local polkitd[1156]: Unregistered
> Authentication Agent for unix-process:1732:17710 (system bus name :1.35,
> object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
> en_US.UTF-8) (disconnected from bus)
> 
> in journal. One thing is particularly weird. It is not enough to set selinux
> into permissive mode. Virsh domains are starting *only* when it is disabled.

Switching the component for further investigation as this really seems weird, maybe related to how virt selinux manager works?

(In reply to Adam Williamson from comment #6)
> On my affected system, the context of /run/libvirt/common/system.token is
> system_u:object_r:virt_var_run_t:s0 . On the fresh install, it's
> system_u:object_r:virt_common_var_run_t:s0 . Running restorecon -v on it
> changes the context to virt_common_var_run_t , but virt-manager still cannot
> launch any system session VMs.

Perhaps this is handled by virt-manager, too?

This is how labels should look like:
f41# matchpathcon /run/libvirt /run/libvirt/common /run/libvirt/common/system.token
/run/libvirt    system_u:object_r:virt_var_run_t:s0
/run/libvirt/common     system_u:object_r:virt_common_var_run_t:s0
/run/libvirt/common/system.token        system_u:object_r:virt_common_var_run_t:s0

What are their actual labels?

Comment 10 Adam Williamson 2024-04-11 06:47:15 UTC
As I did a relabel on mine and it fixed the problem, I don't have the broken state any more :/ It doesn't look like the relabel logged what changes it made either, unfortunately.

Comment 11 Georg Müller 2024-04-11 08:26:11 UTC
I removed my virtfix policy and did checked for wrong labels using fixfiles:

# fixfiles -R libvirt-daemon-driver-qemu,libvirt-daemon-log check
Would relabel /run/libvirt/qemu from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/channel from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/slirp from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/passt from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/dbus from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/autostarted from system_u:object_r:virtqemud_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/dbus from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/passt from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
Would relabel /run/libvirt/qemu/slirp from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:qemu_var_run_t:s0
[... plus some thers which would not be relabeled due to "not reset as customized by admin"  ...]

After running "fixfiles -R libvirt-daemon-driver-qemu,libvirt-daemon-log restore && systemctl restart virtqemud virtlogd", the problem was fixed

Comment 12 Georg Müller 2024-04-11 08:32:39 UTC
After a reboot the problem reappeared (since the fixes were all in /run which is not persistent) - I will check the other packages to find a fix on the real file system

Comment 13 Georg Müller 2024-04-11 09:50:33 UTC
I am missing some knowledge of how the directory creation and selinux labeling works.

Short example:
# ls -laZ /run/libvirt/
total 0
drwxr-xr-x.  9 root root system_u:object_r:virt_var_run_t:s0            620 Apr 11 11:22 .
drwxr-xr-x. 62 root root system_u:object_r:var_run_t:s0                1500 Apr 11 11:21 ..
drwx------.  2 root root system_u:object_r:virt_var_run_t:s0             60 Apr 11 10:41 common
drwxr-xr-x.  2 root root system_u:object_r:virt_var_run_t:s0             40 Apr 11 10:41 hostdevmgr
srw-rw-rw-.  1 root root system_u:object_r:virt_var_run_t:s0              0 Apr 11 10:41 libvirt-sock
drwxr-xr-x.  2 root root system_u:object_r:virt_lxc_var_run_t:s0         60 Apr 11 10:43 lxc
drwxr-xr-x.  3 root root system_u:object_r:virt_var_run_t:s0            160 Apr 11 11:05 network
drwx------.  2 root root system_u:object_r:virtnodedevd_var_run_t:s0     40 Apr 11 11:05 nodedev
drwxr-xr-x.  6 qemu qemu system_u:object_r:virt_var_run_t:s0            140 Apr 11 11:20 qemu
drwxr-xr-x.  2 root root system_u:object_r:virtstoraged_var_run_t:s0     60 Apr 11 11:05 storage

Here, directory "qemu" has the same context as "." (which is /run/libvirt).

If I manually create a directory "secrets" whithin /run/libvirt/, it inherits the context from the directory:

# mkdir /run/libvirt/secrets; ls -ldZ /run/libvirt/secrets
drwxr-xr-x. 2 root root unconfined_u:object_r:virt_var_run_t:s0 40 Apr 11 11:45 /run/libvirt/secrets

There is a policy for /run/libvirt/secrets in /etc/selinux/targeted/contexts/files/file_contexts:
/run/libvirt/secrets(/.*)?	system_u:object_r:virtsecretd_var_run_t:s0

So if I run restorecon on it, it changes the context:
# restorecon -v /run/libvirt/secrets
Relabeled /run/libvirt/secrets from unconfined_u:object_r:virt_var_run_t:s0 to unconfined_u:object_r:virtsecretd_var_run_t:s0


Now the same is true for the /run/libvirt/qemu case, but nobody is running the restorecon. I don't know who is in charge here (for example, who does the relabel for /run/libvirt/lxc or /run/libvirt/nodedev).

Comment 14 Zdenek Pytela 2024-04-11 11:04:00 UTC
(In reply to Georg Müller from comment #13)
> I am missing some knowledge of how the directory creation and selinux
> labeling works.
...
Rule #1 is that objects inherit the label from their parents. However, there can be transitions, which depend on the sourcedomain, target domain, object class, and name, e.g.

f41# sesearch -T -s virtd_t -t virt_var_run_t -c dir 
type_transition virtd_t virt_var_run_t:dir dnsmasq_var_run_t network;
type_transition virtd_t virt_var_run_t:dir qemu_var_run_t qemu;
type_transition virtd_t virt_var_run_t:dir virt_common_var_run_t common;
type_transition virtd_t virt_var_run_t:dir virt_lxc_var_run_t lxc;

Almost independently on that there are default file context rules which are used by restorecon/fixfiles/matchpathcon and also by services which are selinux object managers which can apply the rules. It is neccessary to find out which service creates the directories because something probably had changed recently which caused the labels created incorrectly.

Comment 15 Georg Müller 2024-04-11 14:07:43 UTC
Thanks for the hint.

After playing around a bit, I saw that some transitions were missing:

The following virt_transition.te fixes adds the missing transitions (not sure if "class dir link" is correct, but I have to specify an attribute (just "class dir" does not compile)):

--- start ---
module virt_transition 1.0;

require {
	type virtqemud_t;
	type virtlogd_t;
	type virt_common_var_run_t;
	type virtd_lxc_t;
	type virt_var_run_t;
	type qemu_var_run_t;
	class dir link;
}

type_transition virtqemud_t virt_var_run_t:dir qemu_var_run_t "qemu";
type_transition virtlogd_t virt_var_run_t:dir virt_common_var_run_t "common";
type_transition virtd_lxc_t virt_var_run_t:dir virt_common_var_run_t "common";
--- end ---

checkmodule -M -m -o virt_transition.mod virt_transition.te && semodule_package -o virt_transition.pp -m virt_transition.mod && semodule -i virt_transition.pp

After a reboot, the "fixfiles check /run/libvirt/" still contains some relabels:
Would relabel /run/libvirt/network from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/autostarted from system_u:object_r:virtnetworkd_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/default.xml from system_u:object_r:virtnetworkd_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/test2.xml from system_u:object_r:virtnetworkd_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/test1.xml from system_u:object_r:virtnetworkd_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/default from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/default/ports from system_u:object_r:virt_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0
Would relabel /run/libvirt/network/driver.pid from system_u:object_r:virtnetworkd_var_run_t:s0 to system_u:object_r:dnsmasq_var_run_t:s0

Not sure if this should get fixed via a transition as well...

Comment 16 Adam Williamson 2024-04-11 15:00:21 UTC
I would guess it's most likely libvirt. Doesn't seem to be tmpfiles.

I haven't rebooted my system manually since doing a system-wide relabel, but I think there's an *automatic* reboot after the relabel completes, so it seems like that fix probably does survive a reboot. I'll try and remember to reboot again some time today and see if it's still working.

Comment 17 Georg Müller 2024-04-11 17:41:25 UTC
I would say it is selinux-policy which needs an update.

On my system, virtlxcd.service, virtqemud.service and virtxend.service start after a boot, but the order is random.

The first of these services will create /run/libvirt/common.
* if this is virtlxcd, then /run/libvirt/common will be labeled wrong, because the transition is missing.
* if this is virtqemud or virtxend, then /run/libvirt/commin will be labeled correctly, because there is a transition

Every virtd-daemon available needs the transition for common. And the transition for qemud was missing.

I don't know until when virtd.service was used before (it is still in the After= section of the systemd service files of virtlxcd, virtqemud and virtxend, but not started).

I think what is missing in policy/modules/contrib/virt.te of selinux-policy is:

virt_driver_template(virtd_lxc_t) # this one will generate the transition line for "common"
filetrans_pattern(virtqemud_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") # this one will generate the file transition for qemu

Comment 18 Zdenek Pytela 2024-04-11 19:44:31 UTC
(In reply to Georg Müller from comment #17)
> I would say it is selinux-policy which needs an update.
I am not telling it isn't, I just switched the component since I did not quite understand the files creation workflow and why it started to manifest right before F40 GA time.

> On my system, virtlxcd.service, virtqemud.service and virtxend.service start
> after a boot, but the order is random.
> 
> The first of these services will create /run/libvirt/common.
> * if this is virtlxcd, then /run/libvirt/common will be labeled wrong,
> because the transition is missing.
> * if this is virtqemud or virtxend, then /run/libvirt/commin will be labeled
> correctly, because there is a transition
This is very important bit of information.

> 
> Every virtd-daemon available needs the transition for common. And the
> transition for qemud was missing.
> 
> I don't know until when virtd.service was used before (it is still in the
> After= section of the systemd service files of virtlxcd, virtqemud and
> virtxend, but not started).
> 
> I think what is missing in policy/modules/contrib/virt.te of selinux-policy
> is:
> 
> virt_driver_template(virtd_lxc_t) # this one will generate the transition
> line for "common"
OK, but it also adds a lot more which I am not really sure it is wise to add.

> filetrans_pattern(virtqemud_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
> # this one will generate the file transition for qemu
This sounds reasonable.

Thank you for all your inputs.

You also reported an issue with virtnetworkd_var_run_t, but no details included. Please elaborate on that.

Also feel free to switch the component back to selinux-policy if you are positive about the needed changes.
In the meantime, I created a PR draft, there will be a scratchbuild available in https://github.com/fedora-selinux/selinux-policy/pull/2078/checks?check_run_id=23725046198 soon.

Comment 19 Zdenek Pytela 2024-04-11 19:46:44 UTC
(In reply to Adam Williamson from comment #16)
> I would guess it's most likely libvirt. Doesn't seem to be tmpfiles.
> 
> I haven't rebooted my system manually since doing a system-wide relabel, but
> I think there's an *automatic* reboot after the relabel completes, so it
> seems like that fix probably does survive a reboot. I'll try and remember to
> reboot again some time today and see if it's still working.

fixfiles onboot
is a command which reboots after relabeling is done.

touch /.autorelabel
effects in the same action.

Note autorelabel skips runtime filesystems like /run or /tmp. These can be relabeled only when the system is running.

Comment 20 Georg Müller 2024-04-11 19:56:03 UTC
(In reply to Zdenek Pytela from comment #18)
> 
> You also reported an issue with virtnetworkd_var_run_t, but no details
> included. Please elaborate on that.

This was just an observation. After running a VM, there are some files in /run/libvirt which selinux would label differently. I see no problems with the network when using the VM.

> Also feel free to switch the component back to selinux-policy if you are
> positive about the needed changes.

I think I am lacking permission to do so, but this would be my suggestion.

> In the meantime, I created a PR draft, there will be a scratchbuild
> available in
> https://github.com/fedora-selinux/selinux-policy/pull/2078/
> checks?check_run_id=23725046198 soon.

Thank you. I will give it a test

Comment 21 Adam Williamson 2024-04-11 20:28:48 UTC
"I did not quite understand the files creation workflow and why it started to manifest right before F40 GA time."

For me it didn't, I've had problems with this for months. I just didn't get around to reporting it. I've been using the user session instead of system session for pretty much the whole f40 cycle, I think.

"Note autorelabel skips runtime filesystems like /run or /tmp. These can be relabeled only when the system is running."

Huh. So did I just get lucky with the transition on this boot, maybe? It sounds like it's a lottery, if Georg's interpretation is correct.

Comment 22 Zdenek Pytela 2024-04-11 20:41:21 UTC
(In reply to Adam Williamson from comment #21)
> "I did not quite understand the files creation workflow and why it started
> to manifest right before F40 GA time."
> 
> For me it didn't, I've had problems with this for months. I just didn't get
> around to reporting it. I've been using the user session instead of system
> session for pretty much the whole f40 cycle, I think.
The related part of policy was updated in selinux-policy-40.2 (Oct 2023).

> "Note autorelabel skips runtime filesystems like /run or /tmp. These can be
> relabeled only when the system is running."
> 
> Huh. So did I just get lucky with the transition on this boot, maybe? It
> sounds like it's a lottery, if Georg's interpretation is correct.

If Greg is correct, the policy needs to be updated to support every possible starting order.
Non-persistent directories do not persist reboot, therefore labels don't either.

Comment 23 Jeff 2024-04-19 13:51:32 UTC
If this is SELinux related then this thread could easily be related.
https://discussion.fedoraproject.org/t/virt-manager-quit-working-ibvirterror-cant-connect-to-virtlogd/113631/4
That was related to changes in context under /var/log/libvirt and permissions on /var/log/libvirt/qemu/

Comment 24 bos 2024-04-25 09:29:02 UTC
Hi All,

I too experience this issue. Just for reference: auto relaeling on boot did not work for me. I was however able to start a VM (using virsh) after executing:

fixfiles -R libvirt-daemon-driver-qemu,libvirt-daemon-log restore && systemctl restart virtqemud virtlogd

as root. I ran into another permission error, so leaving the sealert log here for reference. At least I now have a usable VM.

---

SELinux is preventing rpc-virtqemud from setattr access on the chr_file userfaultfd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc-virtqemud should be allowed setattr access on the userfaultfd chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
# semodule -X 300 -i my-rpcvirtqemud.pp


Additional Information:
Source Context                system_u:system_r:virtqemud_t:s0
Target Context                system_u:object_r:svirt_image_t:s0:c746,c886
Target Objects                userfaultfd [ chr_file ]
Source                        rpc-virtqemud
Source Path                   rpc-virtqemud
Port                          <Unknown>
Host                          dhcp-10-132-219-29
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.16-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.16-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-10-132-219-29
Platform                      Linux dhcp-10-132-219-29 6.8.7-300.fc40.x86_64 #1
                              SMP PREEMPT_DYNAMIC Wed Apr 17 19:21:08 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-04-25 11:08:49 CEST
Last Seen                     2024-04-25 11:08:49 CEST
Local ID                      e3294c01-b5f3-4692-94d0-30d19de58027

Raw Audit Messages
type=AVC msg=audit(1714036129.550:620): avc:  denied  { setattr } for  pid=8593 comm="rpc-virtqemud" name="userfaultfd" dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c746,c886 tclass=chr_file permissive=1


Hash: rpc-virtqemud,virtqemud_t,svirt_image_t,chr_file,setattr
---

Cheers,

Yorgos

Comment 25 Christopher Klooz 2024-04-25 14:13:26 UTC
This ask.fedora topic could be linked: https://discussion.fedoraproject.org/t/unable-to-create-new-virt-manager-vm-with-software-tpm-on-fedora-40/114254

-> it is not yet clear if the user has something different or if the problem just behaves differently because of their use of swtpm (I have no experience with swtpm impact(s)). I asked the user for some related data.

-----

I have the issue myself, likely the same as elaborated here. My `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` output extract of creating and starting VMs in virt-manager is sometimes (I guess the second denial in the first box is irrelevant)
```
type=AVC msg=audit(04/25/2024 12:03:58.187:452) : avc:  denied  { relabelfrom } for  pid=7579 comm=rpc-virtqemud name=1-fedora39 dev="tmpfs" ino=3228 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(04/25/2024 12:03:58.348:455) : avc:  denied  { read append } for  pid=7583 comm=virtlogd name=system.token dev="tmpfs" ino=2507 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0 
```
and sometimes:
```
type=AVC msg=audit(04/24/2024 23:22:11.260:847) : avc:  denied  { relabelfrom } for  pid=48709 comm=rpc-virtqemud name=6-Fedora-40-KDE dev="tmpfs" ino=4723 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 
```

The immediate error output of virt-manager is:
`Error starting domain: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied`

Cockpit causes the same issue:
`can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied`

Comment 26 Christopher Klooz 2024-04-26 08:46:03 UTC
Another ask fedora topic of a user with the problem who provided some additional data and ausearch outputs: https://discussion.fedoraproject.org/t/tpm-does-not-work-virt-manager-fedora-40/114455

I asked him to file some data here but to not create an additional report (clearly the rpc-virtqemud denials). The user says their VMs are only affected when swtpm is active but not without, yet their denials at least when swtpm is active in a VM equal the "rpc-virtqemud" denials plus an additional "swtpm" denial (see the ask fedora topic). I asked for further data and comparison of with and without swtpm.

Additionally, in ask.fedora (in an earlier topic) users have been directed away from this bug report from the Common Issues team and asked to create a separate bug report if autorelabeling does not solve their issue. I am not sure if that is intended? Autorelabeling seems not a solution here though?

Comment 27 Daniel Berrangé 2024-04-30 14:33:53 UTC
For anyone suffering this problem, please ensure you have selinux-policy-40.17-1.fc40 installed (just pushed to stable updates today - see https://bugzilla.redhat.com/show_bug.cgi?id=2274414).

Note, however, that merely installing this version is insufficient.

Once the system.token error hits, the /var/run/libvirt dir needs relabelling *AND* all libvirt daemons, especially virtlogd, need to be restarted.

Given that /var/run is tmpfs, the simplest thing is to reboot after installing the selinux-policy RPM update, since that will cause /var/run subtree to be re-created and thus relabelled.

Comment 28 Daniel Berrangé 2024-04-30 14:36:18 UTC
BTW, do NOT restart 'virtlogd'  while any VMs are running, as you will loose subsequent logs from them.

Comment 29 Christopher Klooz 2024-04-30 14:44:38 UTC
Thanks. I can confirm this works. I put it as solution to ask.fedora.


Note You need to log in before you can comment on or make changes to this bug.