Bug 447229 - virtual machine manager fails to start guests
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Platform: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-05-18 19:09 EDT by Jason Taylor
Modified: 2008-05-20 15:18 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-20 15:18:49 EDT
Description Jason Taylor 2008-05-18 19:09:22 EDT
Description of problem: After a fresh DVD install of F9, when trying to set up new
guests with VMM, the "Finish" portion of setup fails with an "Unable to open.." error.
No SELinux AVC error pops up; I discovered it was an SELinux issue after setting
selinux to permissive. AVC then popped up with errors about labeling issues;
when following its instructions in the alert (restorecon -v
/home/jason/myimagefile.img) the labeling error was subsequently still logged.

Version-Release number of selected component (if applicable): targeted-policy.23

How reproducible: any time a guest is set up through VMM.

Steps to Reproduce:
1. setup a guest with virtual machine manager
Actual results: errors when clicking "Finish" with an "Unable to open..." error.

Expected results: Install of guest continues

Additional info: I ended up running an audit2allow -M mypol -i
/var/log/audit/audit.log and then semodule -i mypol.pp and everything worked as
Comment 1 Daniel Walsh 2008-05-19 20:44:08 EDT
Please attach the AVC messages you were getting.
Comment 2 Jason Taylor 2008-05-20 11:16:19 EDT
Sorry about that. Here is what got logged in permissive mode; relabeling the
file and directory did not correct the problem.

SELinux is preventing the qemu-kvm from using potentially mislabeled files

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied qemu-kvm access to potentially mislabeled file(s)
(/home/jason/xpguest.img). This means that SELinux will not allow qemu-kvm to
use these files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The problem is
that the files end up with the wrong file context which confined applications
are not allowed to access.

Allowing Access:

If you want qemu-kvm to access this files, you need to relabel them using
restorecon -v '/home/jason/xpguest.img'. You might want to relabel the entire
directory using restorecon -R -v '/home/jason'.

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/jason/xpguest.img [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          bruiser.localdomain
Source RPM Packages           kvm-65-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     bruiser.localdomain
Platform                      Linux bruiser.localdomain
                              #1 SMP Tue May 13 04:54:47 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Sun May 18 11:36:52 2008
Last Seen                     Sun May 18 13:19:33 2008
Local ID                      9b5bfb03-83ad-4fd0-815f-48290dfe52d3
Line Numbers                  

Raw Audit Messages            

host=bruiser.localdomain type=AVC msg=audit(1211131173.797:87): avc:  denied  {
getattr } for  pid=18539 comm="qemu-kvm" path="/home/jason/xpguest.img" dev=dm-1
ino=360652 scontext=system_u:system_r:qemu_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

host=bruiser.localdomain type=SYSCALL msg=audit(1211131173.797:87):
arch=c000003e syscall=4 success=yes exit=0 a0=7fff03fffff0 a1=7fff03ffd5f0
a2=7fff03ffd5f0 a3=0 items=0 ppid=2590 pid=18539 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Comment 3 Daniel Walsh 2008-05-20 11:25:11 EDT
chcon -t virt_image_t /home/jason/xguest.img should fix this.

Comment 4 Jason Taylor 2008-05-20 15:18:49 EDT
All set, thanks dwalsh!
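The raw AVC record in Comment 2 and the relabel fix in Comment 3 illustrate a pattern worth recognising automatically: a confined domain (qemu_t) denied on a file that still carries a home-directory label (user_home_t). The following is an added example, not code from the bug report, setroubleshoot or selinux-policy; it parses the raw AVC line, pulls out the source and target types, and proposes the chcon from Comment 3. The qemu_t to virt_image_t mapping and the set of "home/tmp" types are assumptions encoded for this one case.

```python
"""Parse a raw SELinux AVC audit record and flag a confined domain that was
denied access to a file still labelled with a home/tmp type.
Added example; the sample record is the Comment 2 AVC line re-joined onto one line."""
import re

# Constructed sample: the AVC line from Comment 2, whitespace-wrapped lines re-joined.
SAMPLE_AVC = (
    'host=bruiser.localdomain type=AVC msg=audit(1211131173.797:87): avc:  denied  '
    '{ getattr } for  pid=18539 comm="qemu-kvm" path="/home/jason/xpguest.img" '
    'dev=dm-1 ino=360652 scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: confined source domain -> type its disk images are expected to carry.
# qemu_t -> virt_image_t is the relabel Dan Walsh gives in Comment 3.
EXPECTED_IMAGE_TYPE = {"qemu_t": "virt_image_t"}
# Assumption: labels that mean "user data", which confined daemons may not touch.
HOME_TMP_TYPES = {"user_home_t", "user_tmp_t", "tmp_t"}


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; keep the type component handy.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def suggest_relabel(rec):
    """If a confined domain was denied on a home/tmp-labelled file, return the
    chcon command that gives the file the type that domain is allowed to use."""
    if rec is None or rec["result"] != "denied" or rec.get("tclass") != "file":
        return None
    want = EXPECTED_IMAGE_TYPE.get(rec.get("scontext_type"))
    if want and rec.get("tcontext_type") in HOME_TMP_TYPES:
        return "chcon -t %s '%s'" % (want, rec["path"])
    return None
```

Note that chcon is a one-off relabel; a later restorecon against the default file contexts will revert it unless a matching fcontext rule exists, which is why the restorecon in Comment 1's alert did not help here.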
