Description of problem:
After fresh DVD install of F9, when trying to set up new guests with VMM, the "Finish" portion of setup fails with an "Unable to open.." error. No SELinux AVC error pops up; I discovered it was an SELinux issue after setting SELinux to permissive. An AVC alert then popped up with errors about labeling issues. When following the instructions in the alert (restorecon -v /home/jason/myimagefile.img), the labeling error was subsequently still logged.

Version-Release number of selected component (if applicable):
targeted-policy.23

How reproducible:
Anytime a guest is attempted to be set up through VMM.

Steps to Reproduce:
1. Set up a guest with Virtual Machine Manager
2.
3.

Actual results:
Errors when clicking "Finish" with an "Unable to open..." error.

Expected results:
Install of guest continues.

Additional info:
I ended up running audit2allow -M mypol -i /var/log/audit/audit.log and then semodule -i mypol.pp, and everything worked as expected.

Please attach the AVC messages you were getting.

Sorry about that. Here is what got logged in permissive mode, relabeling the file and directory did not correct the problem. Excerpt:

Summary:

SELinux is preventing the qemu-kvm from using potentially mislabeled files (/home/jason/xpguest.img).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied qemu-kvm access to potentially mislabeled file(s) (/home/jason/xpguest.img). This means that SELinux will not allow qemu-kvm to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want qemu-kvm to access this files, you need to relabel them using restorecon -v '/home/jason/xpguest.img'. You might want to relabel the entire directory using restorecon -R -v '/home/jason'.

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/jason/xpguest.img [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          bruiser.localdomain
Source RPM Packages           kvm-65-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     bruiser.localdomain
Platform                      Linux bruiser.localdomain 2.6.25.3-18.fc9.x86_64 #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sun May 18 11:36:52 2008
Last Seen                     Sun May 18 13:19:33 2008
Local ID                      9b5bfb03-83ad-4fd0-815f-48290dfe52d3
Line Numbers

Raw Audit Messages

host=bruiser.localdomain type=AVC msg=audit(1211131173.797:87): avc: denied { getattr } for pid=18539 comm="qemu-kvm" path="/home/jason/xpguest.img" dev=dm-1 ino=360652 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=bruiser.localdomain type=SYSCALL msg=audit(1211131173.797:87): arch=c000003e syscall=4 success=yes exit=0 a0=7fff03fffff0 a1=7fff03ffd5f0 a2=7fff03ffd5f0 a3=0 items=0 ppid=2590 pid=18539 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)

chcon -t virt_image_t /home/jason/xpguest.img should fix this.

All set, thanks dwalsh!
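
The label check behind the fix in this thread, as an added Python example that is not part of the original report: it parses an `avc: denied` record and, when qemu_t was denied a user_home_t file, returns the chcon command suggested above. The function names and the second sample record are constructed for illustration; the first record is the one quoted in the report.

```python
import re
import shlex

# AVC record copied from the report above.
REPORTED = (
    'host=bruiser.localdomain type=AVC msg=audit(1211131173.797:87): avc: denied '
    '{ getattr } for pid=18539 comm="qemu-kvm" path="/home/jason/xpguest.img" '
    'dev=dm-1 ino=360652 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)
# Constructed record: a different source domain, so the qemu relabel does not apply.
OTHER = (
    'type=AVC msg=audit(1211131200.000:90): avc: denied { read } for pid=2001 '
    'comm="httpd" path="/home/jason/index.html" dev=dm-1 ino=360700 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = PERMS.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in KV.findall(line[m.end():]):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("path", "comm") and HEX.fullmatch(val):
            # audit logs hex-encode values that contain spaces or quotes
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

def ctx_type(context):
    """Type field of a user:role:type:level context, '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def suggest_relabel(line, image_type="virt_image_t"):
    """chcon command for a qemu_t denial on a user_home_t file, else None."""
    rec = parse_avc(line)
    if not rec or rec.get("tclass") != "file" or "path" not in rec:
        return None
    if ctx_type(rec.get("scontext", "")) != "qemu_t":
        return None
    if ctx_type(rec.get("tcontext", "")) != "user_home_t":
        return None
    return "chcon -t %s %s" % (image_type, shlex.quote(rec["path"]))
```

Relabeling the one image file changes a single object's type, whereas a module generated with audit2allow from the same record adds an allow rule covering every file of the denied target type.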