SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory /home/adam/.pulse.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that qemu-kvm should be allowed write access on the .pulse directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c359,c831
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/adam/.pulse [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.13.0-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.13-92.fc14.x86_64 #1 SMP Sat May 21 17:26:25 UTC 2011 x86_64 x86_64
Alert Count                   12
First Seen                    Mon 20 Jun 2011 13:26:21 BST
Last Seen                     Mon 20 Jun 2011 13:26:22 BST
Local ID                      c05c3ce3-2d89-4117-a5ce-0d7404abb070

Raw Audit Messages
type=AVC msg=audit(1308572782.852:50395): avc: denied { write } for pid=4447 comm="qemu-kvm" name=".pulse" dev=dm-7 ino=39583780 scontext=system_u:system_r:svirt_t:s0:c359,c831 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1308572782.852:50395): arch=x86_64 syscall=symlink success=no exit=EACCES a0=296e180 a1=296e220 a2=2 a3=1 items=0 ppid=1 pid=4447 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c359,c831 key=(null)

Hash: qemu-kvm,svirt_t,pulseaudio_home_t,dir,write

audit2allow

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# var_run_t, virt_cache_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, var_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t pulseaudio_home_t:dir write;

audit2allow -R

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# var_run_t, virt_cache_t, qemu_var_run_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, var_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t pulseaudio_home_t:dir write;
This has come up because I needed on various occasions to have sound in the VM, so I altered the libvirt configuration to run as my local user. It may be that you don't want to support this by default, but I thought I'd report it to give you the chance to decide. See: http://fedoraproject.org/wiki/Reporting_virtualization_bugs#Audio_output
Well, this would allow a confined virtual machine to write content within the homedir. If you put the machine or svirt_t into permissive mode, what other AVCs do you see?
I guess we could add a boolean for this.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Sound just works with spice and pulseaudio in f15/f16, so this is fixed in the current release. Closing since f14 is EOL.