Bug 515547 - libvirt fails to start guest - Failed to set security label
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: F12VirtBlocker
Reported: 2009-08-04 13:49 EDT by Mark McLoughlin
Modified: 2009-08-06 05:30 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-05 17:00:54 EDT
Description Mark McLoughlin 2009-08-04 13:49:29 EDT
Not sure what's changed here, but with libvirt-0.7.0 snapshot from rawhide, I'm seeing this:

  error: Failed to start domain rawhide-2009-05-12
  error: internal error unable to start guest: libvir: Security Labeling error : 
  SELinuxSetFilecon: unable to set security context 
  'system_u:object_r:svirt_image_t:s0:c189,c564' on /var/lib/libvirt/images
  /rawhide.img: No such file or directory.
  libvir: QEMU error : internal error Failed to set security label

  type=SYSCALL msg=audit(1249407382.238:173): arch=c000003e syscall=188 
  success=no exit=-13 a0=cdbfa0 a1=7f9274a01b19 a2=7f92540cd8f0 a3=2d items=0 
  ppid=1689 pid=16179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
  sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr
  /sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(1249407382.238:173): avc:  denied  { associate } for  
  pid=16179 comm="libvirtd" name="rawhide.img" dev=dm-0 ino=3466671 
  tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Similar error when trying to kick off a new install with virt-install.
Comment 1 Mark McLoughlin 2009-08-05 12:11:30 EDT
Here's what I'm seeing in strace:

  setxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux", 
  "system_u:object_r:svirt_image_t:s0:c563,c596", 45, 0) = -1 EACCES (Permission 
  getxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux", 
           "system_u:object_r:virt_image_t:s0", 255) = 34
  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 3
  connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) 
          = -1 ENOENT (No such file or directory)

i.e. setxattr() is returning EACCES, the ENOENT comes later
Comment 2 Eric Paris 2009-08-05 14:03:46 EDT
What kind of fs is /var/lib/libvirt/images?
Comment 3 Mark McLoughlin 2009-08-05 16:25:17 EDT
It's just my ext3 root fs on an LVM volume

danpb and I discussed this briefly earlier and we can't see what changed in libvirt to cause this; could it be a policy regression?
Comment 4 Daniel Walsh 2009-08-05 17:00:54 EDT
Fixed in selinux-policy-3.6.26-6.fc12

Lost an attribute due to update to upstream.
Comment 5 Mark McLoughlin 2009-08-06 05:30:24 EDT
thanks, that fixed it
