Description of problem:

If I try to run virt-manager, clicking the "run unprivileged" button when asked for a root password, and then double click on the localhost qemu entry that appears, I get this dialogue box:

Unable to open a connection to the libvirt management daemon.

Verify that:
 - The 'libvirtd' daemon has been started

Unable to open connection to hypervisor URI 'qemu:///system':
<class 'libvirt.libvirtError'> virConnectOpenAuth() failed authentication failed
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/connection.py", line 430, in _open_thread
    None], flags)
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 94, in openAuth
    if ret is None:raise libvirtError('virConnectOpenAuth() failed')
libvirtError: virConnectOpenAuth() failed authentication failed

I can confirm libvirt is started. Also, two SELinux denials happen at this point:

Summary:

SELinux is preventing libvirtd (virtd_t) "ptrace" to <Unknown> (unconfined_t).

Detailed Description:

SELinux denied access requested by libvirtd. It is not expected that this access is required by libvirtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        unconfined_u:system_r:virtd_t:s0
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                libvirtd
Source Path           /usr/sbin/libvirtd
Port                  <Unknown>
Host                  withnail.phys.ucl.ac.uk
Source RPM Packages   libvirt-0.4.2-4.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-62.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             withnail.phys.ucl.ac.uk
Platform              Linux withnail.phys.ucl.ac.uk 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count           1
First Seen            Tue 10 Jun 2008 05:00:28 PM BST
Last Seen             Tue 10 Jun 2008 05:01:27 PM BST
Local ID              7287d481-6fb9-4fe0-a3ff-03a1525f2f8f
Line Numbers

Raw Audit Messages

host=withnail.phys.ucl.ac.uk type=AVC msg=audit(1213113687.305:1918): avc: denied { ptrace } for pid=29646 comm="libvirtd" scontext=unconfined_u:system_r:virtd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=withnail.phys.ucl.ac.uk type=SYSCALL msg=audit(1213113687.305:1918): arch=c000003e syscall=89 success=no exit=-13 a0=7fff3974fb20 a1=7fff3974fc30 a2=fff a3=8101010101010100 items=0 ppid=1 pid=29646 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=207 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:virtd_t:s0 key=(null)

Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid> (virtd_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /proc/<pid>,

restorecon -v '/proc/<pid>'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        unconfined_u:system_r:polkit_resolve_t:s0
Target Context        unconfined_u:system_r:virtd_t:s0
Target Objects        /proc/<pid> [ dir ]
Source                polkit-resolve-
Source Path           /usr/libexec/polkit-resolve-exe-helper
Port                  <Unknown>
Host                  withnail.phys.ucl.ac.uk
Source RPM Packages   PolicyKit-0.8-2.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-62.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             withnail.phys.ucl.ac.uk
Platform              Linux withnail.phys.ucl.ac.uk 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count           2
First Seen            Tue 10 Jun 2008 05:00:28 PM BST
Last Seen             Tue 10 Jun 2008 05:01:27 PM BST
Local ID              a23084f3-7ebf-4658-b351-15edbf93a391
Line Numbers

Raw Audit Messages

host=withnail.phys.ucl.ac.uk type=AVC msg=audit(1213113687.315:1919): avc: denied { getattr } for pid=2809 comm="polkit-resolve-" path="/proc/29646" dev=proc ino=444152 scontext=unconfined_u:system_r:polkit_resolve_t:s0 tcontext=unconfined_u:system_r:virtd_t:s0 tclass=dir

host=withnail.phys.ucl.ac.uk type=SYSCALL msg=audit(1213113687.315:1919): arch=c000003e syscall=4 success=no exit=-13 a0=15a02d0 a1=7fff6445cc30 a2=7fff6445cc30 a3=3714d67a58 items=0 ppid=29646 pid=2809 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=207 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=unconfined_u:system_r:polkit_resolve_t:s0 key=(null)

Version-Release number of selected component (if applicable):

# rpm -qa | grep virt
libvirt-python-0.4.2-4.fc9.x86_64
virt-manager-0.5.4-4.fc9.x86_64
libvirt-0.4.2-4.fc9.x86_64
python-virtinst-0.300.3-7.fc9.noarch

# rpm -qa | grep selinux
libselinux-2.0.64-2.fc9.x86_64
selinux-policy-3.3.1-62.fc9.noarch
libselinux-python-2.0.64-2.fc9.x86_64
libselinux-2.0.64-2.fc9.i386
selinux-policy-targeted-3.3.1-62.fc9.noarch

How reproducible:

Every time

Steps to Reproduce:
1. Start virt-manager
2. Click run unprivileged
3. Double click on localhost qemu in the virt-manager window
Looks like this was fixed in an selinux-policy update:

* Mon Jun 02 2008 Dan Walsh <dwalsh> 3.3.1-64
- Allow policykit_resolve to ptrace all levels

* Fri May 30 2008 Dan Walsh <dwalsh> 3.3.1-63
- Allow policykit_resolve to ptrace user processes

* Fri May 30 2008 Dan Walsh <dwalsh> 3.3.1-61
- Allow policykit_resolve to read users process table

* Thu May 29 2008 Dan Walsh <dwalsh> 3.3.1-60
- Allow policykit_resolve to read polkit_var_lib
- Other policykit fixes

Closing as CURRENTRELEASE.
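
Added example (not part of the original report or of libvirt/selinux-policy): a small Python triage script that joins each AVC denial from the report with the SYSCALL record carrying the same audit serial, so the denied permission, the source and target types, the calling binary and the syscall appear together. The records are copied from the report with the host= prefix and some SYSCALL fields trimmed; the function names and the two-entry x86_64 syscall map are this example's own.

```python
import re

# Raw audit records from the report above; host= prefix and some SYSCALL fields trimmed.
SAMPLE = """\
type=AVC msg=audit(1213113687.305:1918): avc: denied { ptrace } for pid=29646 comm="libvirtd" scontext=unconfined_u:system_r:virtd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1213113687.305:1918): arch=c000003e syscall=89 success=no exit=-13 ppid=1 pid=29646 auid=500 uid=0 comm="libvirtd" exe="/usr/sbin/libvirtd"
type=AVC msg=audit(1213113687.315:1919): avc: denied { getattr } for pid=2809 comm="polkit-resolve-" path="/proc/29646" dev=proc ino=444152 scontext=unconfined_u:system_r:polkit_resolve_t:s0 tcontext=unconfined_u:system_r:virtd_t:s0 tclass=dir
type=SYSCALL msg=audit(1213113687.315:1919): arch=c000003e syscall=4 success=no exit=-13 ppid=29646 pid=2809 auid=500 uid=0 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {4: "stat", 89: "readlink"}  # only the two numbers seen here


def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def correlate(log):
    """Join each AVC denial with the SYSCALL record sharing its audit serial."""
    events = {}
    for line in log.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, serial = head.group(1), int(head.group(2))
        body = line[head.end():]
        kv = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(serial, {"serial": serial, "exe": None,
                                        "syscall": None, "ppid": -1, "path": None})
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            ev.update(perms=perms.group(1).split(), source=setype(kv["scontext"]),
                      target=setype(kv["tcontext"]), tclass=kv["tclass"],
                      path=kv.get("path"))
        elif rtype == "SYSCALL":
            nr = int(kv["syscall"])
            ev.update(exe=kv.get("exe"), pid=int(kv["pid"]), ppid=int(kv["ppid"]),
                      syscall=X86_64_SYSCALLS.get(nr, str(nr)))
    return [ev for _, ev in sorted(events.items()) if "perms" in ev]


def inspects_parent(ev):
    """True when the denied path is the /proc entry of the caller's parent."""
    return ev["path"] == "/proc/%d" % ev["ppid"]


if __name__ == "__main__":
    for ev in correlate(SAMPLE):
        print("%(serial)d %(exe)s [%(syscall)s] %(source)s -> %(target)s:%(tclass)s %(perms)s" % ev)
```

On these records the join shows that the second denial comes from a helper whose parent PID is the libvirtd process of the first denial, and that the path it was refused is that parent's /proc entry.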