When starting a KVM guest in permissive mode with libvirt-0.6.0-2.fc10.i386:

type=AVC msg=audit(1234085826.195:72): avc: denied { write } for pid=8412 comm="qemu-kvm" name="qemu" dev=dm-1 ino=649746 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc: denied { add_name } for pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc: denied { create } for pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:72): avc: denied { read write } for pid=8412 comm="qemu-kvm" name="fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:73): avc: denied { lock } for pid=8412 comm="qemu-kvm" path="/var/run/libvirt/qemu/fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
This is the important bit:

path="/var/run/libvirt/qemu/fedora10.pid"

The new libvirt now tells QEMU to write out a PID file on startup. So we need to add this directory to the SELinux policy for the QEMU domain type:

/var/run/libvirt/qemu(/.*)?

NB, this directory is already listed in the %files section of the libvirt RPM, so if policy gets updated, it should get labelled correctly.

cf. similar problem with dnsmasq PID file, bug 484199
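As an added illustration (not part of the bug report or any commenter's post): a small Python parser that reads AVC records like the ones quoted above, pulls out the source type, target type, object class and denied permissions, and unions them into the TE allow rules that an audit2allow-style tool would propose, together with any absolute paths the denials name. The log text embedded below is a constructed sample made from the thread's own records; the field names are those of the audit record format.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in the bug report,
# one audit record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234085826.195:72): avc: denied { write } for pid=8412 comm="qemu-kvm" name="qemu" dev=dm-1 ino=649746 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc: denied { add_name } for pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1234085826.195:72): avc: denied { create } for pid=8412 comm="qemu-kvm" name="fedora10.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:72): avc: denied { read write } for pid=8412 comm="qemu-kvm" name="fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1234085826.195:73): avc: denied { lock } for pid=8412 comm="qemu-kvm" path="/var/run/libvirt/qemu/fedora10.pid" dev=dm-1 ino=647769 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
"""

# Shape of an AVC record: avc: denied { perm perm } for key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type (SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A security context is user:role:type:level; TE rules are written in terms of the type.
    return {
        'perms': set(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path') or fields.get('name'),
    }


def summarize_denials(log_text):
    """Union the denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def allow_rules(log_text):
    """Render the summary as TE allow rules (sorted so the output is stable)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize_denials(log_text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def denied_paths(log_text):
    """Absolute paths named in the denials: the fastest way to spot the directory at fault."""
    paths = {rec['path'] for rec in map(parse_avc, log_text.splitlines())
             if rec is not None and rec['path'] and rec['path'].startswith('/')}
    return sorted(paths)


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print('paths:', denied_paths(SAMPLE_AUDIT_LOG))
```

The two rules this produces grant qemu_t write access to everything labelled virt_var_run_t, which is the broad fix a local module gives. The policy change proposed in this thread instead introduces a dedicated type for the PID directory, so that qemu_t is only allowed into that one location; the parser output is the starting point for deciding which of the two is appropriate, not the end of it.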
Dan, you are the man.

Miroslav, add

type qemu_var_run_t;
files_pid_file(qemu_var_run_t)
...
manage_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
files_pid_filetrans(qemu_t, qemu_var_run_t, file)

to qemu.te, and

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

in qemu.fc, in both F9 and F10.
Fixed in selinux-policy-3.5.13-45.fc10
This still does not work.

selinux-policy-3.5.13-46.fc10.noarch
libvirt-0.6.0-3.fc10.x86_64

After running restorecon the directory looks like this:

$ ls -Za /var/run/libvirt/qemu/
drwxr-xr-x root root system_u:object_r:virt_var_run_t:s0 .
drwxr-xr-x root root system_u:object_r:virt_var_run_t:s0 ..

which leads to the following denial messages in permissive mode:

node=roadrunner type=AVC msg=audit(1235579520.39:140): avc: denied { lock } for pid=10497 comm="qemu-kvm" path="/var/run/libvirt/qemu/Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=SYSCALL msg=audit(1235579520.39:140): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=6 a2=7fffc0037f30 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { write } for pid=10497 comm="qemu-kvm" name="qemu" dev=sda2 ino=4458842 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { add_name } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { create } for pid=10497 comm="qemu-kvm" name="Windows.pid" scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=AVC msg=audit(1235579520.34:139): avc: denied { read write } for pid=10497 comm="qemu-kvm" name="Windows.pid" dev=sda2 ino=4457298 scontext=unconfined_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=file
node=roadrunner type=SYSCALL msg=audit(1235579520.34:139): arch=c000003e syscall=2 success=no exit=-2039644200 a0=7fffc003ae66 a1=42 a2=180 a3=3b3616da70 items=0 ppid=10496 pid=10497 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0 key=(null)

After setting the directory's context to 'system_u:object_r:qemu_var_run_t:s0' too, it works fine.
I resolved this on my system by creating a file, virt2.te, containing

---
policy_module(virt2,1.0.4)

require {
	type qemu_t;
	type virt_var_run_t;
}

#============= qemu_t ==============
allow qemu_t virt_var_run_t:dir { write add_name };
allow qemu_t virt_var_run_t:file { read write create lock };
---

and I then ran

# make -f /usr/share/selinux/devel/Makefile
# semodule -i virt2.pp
# restorecon -Rv /var/lib/libvirt/qemu

It's working for me with

libvirt-0.6.0-2.fc10.i386
selinux-policy-3.5.13-45.fc10.noarch

Hope this helps,
/Anders
Ok, I will fix qemu labeling to correct form.
Should have been

/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0)

Not

/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0)

My mistake.
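An added example (not from the thread's participants) that models why the `--` mattered: in a file_contexts entry the optional flag between the regex and the context restricts the entry to one object type, and `--` means regular files only. The directory therefore never matched the qemu_var_run_t entry and kept the label of the broader entry, which is exactly the `ls -Z` output and the dir denials reported earlier in the thread. The two .fc fragments below are constructed; the first line of each, giving /var/run/libvirt the virt_var_run_t label, is an assumption standing in for whatever real entry produced that label, and the "last matching entry wins" rule assumes the entries are ordered least- to most-specific, as the policy build sorts them.

```python
import re

# Type-specifier flags that may appear between the regex and the context in a .fc
# file. An absent flag means the entry applies to objects of every type.
FILE_TYPE_FLAGS = {
    '--': 'file', '-d': 'dir', '-l': 'lnk_file', '-c': 'chr_file',
    '-b': 'blk_file', '-s': 'sock_file', '-p': 'fifo_file',
}

# Constructed fragments. The first line of each is an assumed stand-in for the
# entry that labels /var/run/libvirt as virt_var_run_t; the second line is the
# one discussed in this thread, first with the stray "--" and then corrected.
FC_WITH_FILE_FLAG = """
/var/run/libvirt(/.*)?       gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt/qemu(/.*)?  --  gen_context(system_u:object_r:qemu_var_run_t,s0)
"""

FC_CORRECTED = """
/var/run/libvirt(/.*)?       gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt/qemu(/.*)?  gen_context(system_u:object_r:qemu_var_run_t,s0)
"""


def parse_fc(fc_text):
    """Return [(regex, object_kind_or_None, context)] in file order."""
    entries = []
    for raw in fc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            kind = FILE_TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, ctx = parts
            kind = None
        else:
            raise ValueError(f'malformed file_contexts line: {line!r}')
        # gen_context(user:role:type,sens) is expanded to user:role:type:sens at build time.
        m = re.fullmatch(r'gen_context\(([^,]+),([^)]+)\)', ctx)
        if m:
            ctx = f'{m.group(1)}:{m.group(2)}'
        entries.append((regex, kind, ctx))
    return entries


def label_for(entries, path, kind):
    """Context the last matching entry assigns to `path` (an object of `kind`), or None.

    Assumes entries are ordered least- to most-specific, so the last match is the
    most specific one; an entry with a type flag is skipped for other object kinds."""
    chosen = None
    for regex, only_kind, ctx in entries:
        if only_kind is not None and only_kind != kind:
            continue
        if re.fullmatch(regex, path):
            chosen = ctx
    return chosen


def type_of(fc_text, path, kind):
    """Only the type field of the label, e.g. 'qemu_var_run_t', or None if unlabelled."""
    ctx = label_for(parse_fc(fc_text), path, kind)
    return ctx.split(':')[2] if ctx else None


if __name__ == '__main__':
    for name, fc in (('with "--"', FC_WITH_FILE_FLAG), ('corrected', FC_CORRECTED)):
        print(name)
        print('  dir  /var/run/libvirt/qemu              ->',
              type_of(fc, '/var/run/libvirt/qemu', 'dir'))
        print('  file /var/run/libvirt/qemu/fedora10.pid ->',
              type_of(fc, '/var/run/libvirt/qemu/fedora10.pid', 'file'))
```

With the `--` entry the PID file would be labelled qemu_var_run_t but the directory stays virt_var_run_t, so the dir write and add_name denials persist; without the flag both the directory and its files get the new type, which is what restorecon then applies.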
Fixed in selinux-policy-3.5.13-47.fc10
Fix is now in F10 stable: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2245