Summary:

SELinux is preventing /usr/bin/qemu-kvm "execute" access on /usr/bin/pulseaudio.

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c145,c652
Target Context                system_u:object_r:pulseaudio_exec_t:s0
Target Objects                /usr/bin/pulseaudio [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.11.0-13.fc12
Target RPM Packages           pulseaudio-0.9.21-5.fc12
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 13 Apr 2010 11:42:50 AM EDT
Last Seen                     Tue 13 Apr 2010 11:42:51 AM EDT
Local ID                      185a5a89-8a6f-4221-b1e0-19c33404264a
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1271173371.86:62): avc: denied { execute } for pid=8038 comm="qemu-kvm" name="pulseaudio" dev=dm-1 ino=259597 scontext=system_u:system_r:svirt_t:s0:c145,c652 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1271173371.86:62): arch=c000003e syscall=59 success=no exit=-13 a0=7fcb74014ad0 a1=7fcb44be99d0 a2=7fff33a45de0 a3=7fcb44be9740 items=0 ppid=7982 pid=8038 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c145,c652 key=(null)

Hash String generated from catchall,qemu-kvm,svirt_t,pulseaudio_exec_t,file,execute

audit2allow suggests:

#============= svirt_t ==============
allow svirt_t pulseaudio_exec_t:file execute;
Does pulseaudio actually work now with qemu launched from libvirt? Or should this just be dontaudited?
The support has been added and it should work fine. Please allow this access.
This is an artifact of the pulse audio client library code, rather than QEMU. It will try to connect to an existing pulseaudio server, and if unsuccessful spawn a new one. We really don't want this auto-spawning to be done from QEMU, but (AFAIK) there's no API to prevent it. In addition even if auto-spawning was allowed by SELinux, it still wouldn't work because the 'qemu' user won't have any permissions to the /dev/snd/* devices.
So for now I can dontaudit it trying to execute pulseaudio.
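
Added example, not part of the original report or thread: a Python sketch that parses the AVC record from the report above and derives the type-enforcement rule from it, either the allow rule audit2allow suggested or the dontaudit rule the thread settles on. The function names (ctx_type, parse_avc, te_rule) are hypothetical and this is not audit2allow's own code.

```python
import re

# AVC record copied from the report above (its node value was already redacted).
AVC = (
    'node=(removed) type=AVC msg=audit(1271173371.86:62): avc: denied { execute } '
    'for pid=8038 comm="qemu-kvm" name="pulseaudio" dev=dm-1 ino=259597 '
    'scontext=system_u:system_r:svirt_t:s0:c145,c652 '
    'tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def ctx_type(context):
    """Return the type field of user:role:type[:level]; the MLS level may contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial; return None for other records (e.g. type=SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    scontext = m.group("scontext")
    return {
        "perms": m.group("perms").split(),
        "source_type": ctx_type(scontext),
        "target_type": ctx_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # svirt gives each guest its own category pair; TE rules ignore it.
        "mls_level": scontext.split(":", 3)[3] if scontext.count(":") >= 3 else "",
    }

def te_rule(denial, keyword="dontaudit"):
    """Build the rule: 'allow' grants the access, 'dontaudit' only silences the log."""
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("unsupported rule keyword: %r" % keyword)
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "%s %s %s:%s %s;" % (
        keyword, denial["source_type"], denial["target_type"], denial["tclass"], perm_str)

if __name__ == "__main__":
    d = parse_avc(AVC)
    print(te_rule(d, "allow"))      # what audit2allow suggested
    print(te_rule(d, "dontaudit"))  # what the thread settles on
```

With the dontaudit form the execute attempt is still denied in enforcing mode; only the AVC message is suppressed.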