Description of problem:
guestfish-related commands, guestfish or virt- (other than virt-manager), fail with permission denied. Often (but not always) accompanied by an SELinux message about access to sock.

Version-Release number of selected component (if applicable):
1.6.2

How reproducible:
reproducible

SELinux message:
type=AVC msg=audit(1292626972.134:149515): avc: denied { write } for pid=6003 comm="qemu-kvm" name="sock" dev=sda2 ino=169564 scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file

Examples:
[root@Cimbaoth images]# guestfish --ro -d XP02 -i
connect(unix:/tmp/libguestfsP6FaZR/sock): Permission denied
chardev: opening backend "socket" failed
libguestfs: error: child process died unexpectedly

[root@Cimbaoth images]# virt-df
Filesystem 1K-blocks Used Available Use%
connect(unix:/tmp/libguestfsWpoifI/sock): Permission denied
chardev: opening backend "socket" failed
child process died unexpectedly at /usr/bin/virt-df line 377.
...caught at /usr/bin/virt-df line 411.

[root@Cimbaoth images]# virt-ls F13.img /
connect(unix:/tmp/libguestfsDf9UeI/sock): Permission denied
chardev: opening backend "socket" failed
child process died unexpectedly at /usr/bin/virt-ls line 190.
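Before touching any booleans, a defender triaging this report wants the three facts the AVC line carries: which source domain was denied, which permission, and on what object class and target type. The following Python is an added example (not part of the bug report, of libguestfs, or of selinux-policy) that parses the audit record quoted above, splits each SELinux context into user/role/type/range, and flags the exact pattern in this bug: the confined qemu_t domain denied write on a sock_file labelled user_tmp_t, which is the libguestfs appliance socket under /tmp. The function names and the second sample line are my own constructions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC record quoted in the bug report, plus one
# unrelated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1292626972.134:149515): avc: denied { write } for '
    'pid=6003 comm="qemu-kvm" name="sock" dev=sda2 ino=169564 '
    'scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file',
    'type=SYSCALL msg=audit(1292626972.134:149515): arch=c000003e syscall=42 '
    'success=no exit=-13 comm="qemu-kvm"',
]

# type=AVC msg=audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for key=value ...
_AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="qemu-kvm") or bare.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line into a dict, or return None if it is not an AVC record."""
    m = _AVC_RE.search(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in _FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:range. The MLS range itself may contain ':' (s0-s0:c0.c1023),
    so only the first three separators are significant."""
    user, role, typ, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": rest[0] if rest else ""}


def explain_denial(rec: Dict[str, object]) -> str:
    """One-line triage summary: source domain, permission, object class and target type."""
    src = split_context(str(rec["scontext"]))["type"]
    tgt = split_context(str(rec["tcontext"]))["type"]
    perms = " ".join(rec["perms"])  # type: ignore[arg-type]
    return (f"{src} denied {perms} on {rec['tclass']} labelled {tgt} "
            f"(comm={rec.get('comm')}, name={rec.get('name')})")


def matches_qemu_tmp_sock(rec: Dict[str, object]) -> bool:
    """True for the pattern in this bug: confined qemu_t blocked from writing a
    sock_file labelled user_tmp_t (the libguestfs appliance socket in /tmp)."""
    if rec.get("result") != "denied" or rec.get("tclass") != "sock_file":
        return False
    src = split_context(str(rec.get("scontext", "")))["type"]
    tgt = split_context(str(rec.get("tcontext", "")))["type"]
    return src == "qemu_t" and tgt == "user_tmp_t" and "write" in rec["perms"]  # type: ignore[operator]


def triage(lines: List[str]) -> List[str]:
    """Return a summary for every AVC denial in the input, skipping other record types."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            out.append(explain_denial(rec))
    return out


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
```

The scontext type qemu_t is the detail that matters for the rest of the thread: qemu-kvm is running in the confined domain, which is consistent with the reporter's `allow_unconfined_qemu_transition --> on` output, and the later policy fix grants that domain the stream connect it was missing.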
Seems to be SELinux-related, reassigning.
What are your outputs

# getsebool -a | grep qemu_transition
# ls -Z `which guestfish`
[Not answering NEEDINFO, we still need this information from the reporter]

These are from Fedora 14:

$ sudo getsebool -a | grep qemu_transition
allow_unconfined_qemu_transition --> off

$ ls -Z /usr/bin/guestfish
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/guestfish

Are these SELinux booleans documented or enumerated anywhere?
From the offending (F13) system

[root@Cimbaoth ~]# getsebool -a | grep qemu_transition
allow_unconfined_qemu_transition --> on
[root@Cimbaoth ~]# ls -Z `which guestfish`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/guestfish
[root@Cimbaoth ~]#

I have poked at many of the virtualization-related booleans in an attempt to make this go away. As expected, disabling SELinux does make the symptom disappear, but that is an approach I would prefer not to take.
John, turn the transition off.

# setsebool -P allow_unconfined_qemu_transition 0
Miroslav, add userdom_stream_connect(qemu_t)

Since qemu_t is a confinement of userspace this should be allowed.
Fixed in selinux-policy-3.7.19-77.fc13
Very nice, thank you
Thanks for fixing this. Any idea about where I can get a list of SELinux booleans and what they do?
selinux-policy-3.7.19-77.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13
# semanage boolean -l

Or system-config-selinux
selinux-policy-3.7.19-77.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-80.fc13
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.