Bug 515547 - libvirt fails to start guest - Failed to set security label
Summary: libvirt fails to start guest - Failed to set security label
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F12VirtBlocker
Reported: 2009-08-04 17:49 UTC by Mark McLoughlin
Modified: 2009-08-06 09:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-05 21:00:54 UTC
Type: ---
Embargoed:



Description Mark McLoughlin 2009-08-04 17:49:29 UTC
Not sure what's changed here, but with libvirt-0.7.0 snapshot from rawhide, I'm seeing this:

  error: Failed to start domain rawhide-2009-05-12
  error: internal error unable to start guest: libvir: Security Labeling error : 
  SELinuxSetFilecon: unable to set security context 
  'system_u:object_r:svirt_image_t:s0:c189,c564' on /var/lib/libvirt/images/rawhide.img: No such file or directory.
  libvir: QEMU error : internal error Failed to set security label

  type=SYSCALL msg=audit(1249407382.238:173): arch=c000003e syscall=188 success=no exit=-13 a0=cdbfa0 a1=7f9274a01b19 a2=7f92540cd8f0 a3=2d items=0 ppid=1689 pid=16179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(1249407382.238:173): avc:  denied  { associate } for  pid=16179 comm="libvirtd" name="rawhide.img" dev=dm-0 ino=3466671 scontext=system_u:object_r:svirt_image_t:s0:c189,c564 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Similar error when trying to kick off a new install with virt-install

Comment 1 Mark McLoughlin 2009-08-05 16:11:30 UTC
Here's what I'm seeing in strace:

  setxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux", 
  "system_u:object_r:svirt_image_t:s0:c563,c596", 45, 0) = -1 EACCES (Permission 
  denied)
  getxattr("/var/lib/libvirt/images/rawhide.img", "security.selinux", 
           "system_u:object_r:virt_image_t:s0", 255) = 34
  socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 3
  connect(3, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) 
          = -1 ENOENT (No such file or directory)

i.e. setxattr() is returning EACCES, the ENOENT comes later
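
Added example (not part of the bug report, libvirt or selinux-policy): the SYSCALL and AVC records in the description share audit serial 173, and correlating them shows the failing call and its real errno, which is what the strace in comment 1 confirms, even though libvirt printed "No such file or directory". The function names and the three-entry syscall table are assumptions made for this example.

```python
import errno
import re

# Records from the description, re-joined one per line (SYSCALL abridged).
SAMPLE = (
    'type=SYSCALL msg=audit(1249407382.238:173): arch=c000003e syscall=188 '
    'success=no exit=-13 pid=16179 comm="libvirtd" exe="/usr/sbin/libvirtd"\n'
    'type=AVC msg=audit(1249407382.238:173): avc:  denied  { associate } for  '
    'pid=16179 comm="libvirtd" name="rawhide.img" dev=dm-0 ino=3466671 '
    'scontext=system_u:object_r:svirt_image_t:s0:c189,c564 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem\n'
)

# x86_64 (arch=c000003e) numbers for the xattr-setting syscalls only.
X86_64_XATTR = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}
HDR = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        avc = AVC.search(body)
        if avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def explain(event):
    """Join the SYSCALL and AVC records of one event into a short summary."""
    sc, avc = event.get("SYSCALL"), event.get("AVC")
    if sc is None or avc is None:
        return None  # both halves are needed to correlate
    num, rc = int(sc["syscall"]), int(sc["exit"])
    known = X86_64_XATTR if sc.get("arch") == "c000003e" else {}
    return {
        "syscall": known.get(num, f"syscall {num}"),
        "errno": errno.errorcode.get(-rc, str(rc)) if rc < 0 else "0",
        "perms": avc["perms"],
        # For filesystem/associate: scontext = label being applied to the file,
        "label_type": avc["scontext"].split(":")[2],
        "fs_type": avc["tcontext"].split(":")[2],  # tcontext = filesystem label
    }
```

`explain(parse(SAMPLE)["173"])` reports `setxattr` failing with `EACCES` because `svirt_image_t` was denied `associate` with a filesystem labelled `fs_t`.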

Comment 2 Eric Paris 2009-08-05 18:03:46 UTC
What kind of fs is /var/lib/libvirt/images?

Comment 3 Mark McLoughlin 2009-08-05 20:25:17 UTC
It's just my ext3 root fs on an LVM volume

danpb and I discussed this briefly earlier and we can't see what changed in libvirt to cause this; could it be a policy regression?

Comment 4 Daniel Walsh 2009-08-05 21:00:54 UTC
Fixed in selinux-policy-3.6.26-6.fc12

Lost an attribute due to update to upstream.

Comment 5 Mark McLoughlin 2009-08-06 09:30:24 UTC
thanks, that fixed it

