Bug 523993 - KVM Live migration failure with SELinux Enforcing
Summary: KVM Live migration failure with SELinux Enforcing
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: F12VirtBlocker
TreeView+ depends on / blocked
Reported: 2009-09-17 14:31 UTC by Chris Lalancette
Modified: 2009-09-17 19:48 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-09-17 19:48:27 UTC

Attachments (Terms of Use)

Description Chris Lalancette 2009-09-17 14:31:52 UTC
Description of problem:
I'm trying to do live migration testing with Fedora 12 as part of the Virtualization test day.  However, when I have both the source and destination machine of the migration in Enforcing mode, the migration fails to complete.  Just for reference, the idea behind live migration in libvirt with qemu is:

1)  Run a Prepare step on the destination of the migration.  This chooses a port between 49152 and 49216, and starts up the qemu container on the destination side listening to this port.

2)  Run a Perform step on the source side of the migration.  This actually performs the migration.

3)  Run a Finish step on the destination side of the migration.  In the case of failure, it cleans up the qemu container.  In the case of success, it unpauses the guest and sets it running.

What I'm seeing is that the first step, Prepare, is completing successfully.  However, the Perform step seems to be hanging up, and I'm seeing this in /var/log/audit/audit.log:

type=AVC msg=audit(1253211844.774:142): avc:  denied  { name_connect } for  pid=23056 comm="qemu-kvm" dest=49152 scontext=system_u:system_r:svirt_t:s0:c405,c410 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253211844.774:142): arch=c000003e syscall=42 success=no exit=-13 a0=11 a1=7fffea3b38c0 a2=10 a3=7fffea3b3650 items=0 ppid=1 pid=23056 auid=0 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=3 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c405,c410 key=(null)

Comment 1 Daniel Walsh 2009-09-17 19:48:27 UTC
Fixed in selinux-policy-3.6.32-2.fc12.noarch

Note You need to log in before you can comment on or make changes to this bug.