Bug 729365 - qemu should be allowed to connect to libguestfs socket
Summary: qemu should be allowed to connect to libguestfs socket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-09 17:13 UTC by Richard W.M. Jones
Modified: 2012-10-16 12:15 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:12:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Richard W.M. Jones 2011-08-09 17:13:27 UTC
Description of problem:

I cannot reproduce this on standard RHEL 6.1, but I have a
reliable report that it happens in RHEV-M 3.0 (beta?)

libguestfs fails when SELinux is enforcing (but works when
SELinux is permissive or disabled).  The error message from
qemu is:

  connect(unix:/tmp/libguestfsUQHOQD/sock): Permission denied
  chardev: opening backend "socket" failed

Version-Release number of selected component (if applicable):

libguestfs 1.7.17-17.el6
qemu 0.12.1-2.160.el6
kernel 2.6.32-131.0.15

How reproducible:

?

Additional info:

I have asked Michal Fojtik who observed this error to follow
up with more details.

Comment 2 Richard W.M. Jones 2011-08-09 19:01:53 UTC
Adding Alan to CC.

Comment 3 Miroslav Grepl 2011-08-10 06:56:03 UTC
What does

# getsebool allow_unconfined_qemu_transition


I believe the following command will fix the issue

# setsebool -P allow_unconfined_qemu_transition 0

Comment 4 Richard W.M. Jones 2011-08-10 09:44:54 UTC
Set needinfo of mfojtik ...

Comment 5 Michal Fojtik 2011-08-10 11:46:52 UTC
Yes, I can confirm that setting the bool variable above fix this problem. Thanks!

Comment 6 Richard W.M. Jones 2011-08-10 11:56:09 UTC
This IS a bug.  Normal operation of libguestfs should
not involve having to set SELinux booleans.

Comment 7 Daniel Walsh 2011-08-10 16:06:55 UTC
Miroslav, lets pull the transition code totally out like we have in F16.  If you want to run confined virtual machines you need to run svirt_t launched by libvirt otherwise you should stay in unconfined_t.

Comment 8 Miroslav Grepl 2011-08-10 16:28:21 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 9 Michal Fojtik 2011-08-12 09:56:52 UTC
Well I need to 'reopen' this bug once again. I recently got the same error with the boolean enabled. I didn't upgrade/update anything on my system.

Components:

[root@mfojtik-2 ~]# getsebool allow_unconfined_qemu_transition
allow_unconfined_qemu_transition --> off

[root@mfojtik-2 ~]# getenforce 
Permissive


Relevant part of the vdsm.log:

Thread-194852::DEBUG::2011-08-12 11:40:39,126::utils::573::Storage.Misc.excCmd::(execCmd) FAILED: <err> = 'find: failed to restore initial working directory: Permission denied\nconnect(unix:/tmp/libguestfssNcPZC/sock): Permission denied\nchardev: opening backend "socket" failed\n/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject:61: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6\n  sys.stderr.write(\'fileinject: [general error in inject_file]: %s\\n\' % e.message)\nfileinject: [general error in inject_file]: child process died unexpectedly\nfileinject: path not exists: /\nfileinject: [unexpected error]: Traceback (most recent call last):\n  File "/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject", line 93, in <module>\n    sys.exit(2)\nSystemExit: 2\n\n'; <rc> = 2
Thread-194852::INFO::2011-08-12 11:40:39,126::hooks::51::root::(_runHooksDir) find: failed to restore initial working directory: Permission denied
connect(unix:/tmp/libguestfssNcPZC/sock): Permission denied
chardev: opening backend "socket" failed

Comment 10 Daniel Walsh 2011-08-12 10:44:53 UTC
If you had updated to the policy
selinux-policy-3.7.19-107.el6

The boolean will not even exists.

Comment 11 Richard W.M. Jones 2011-08-12 11:42:33 UTC
I have asked Michal to open a different bug, since this
appears to be happening for some other reason and needs
investigation.

Comment 13 Miroslav Grepl 2011-08-22 08:52:23 UTC
*** Bug 730662 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2011-12-06 10:12:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.