Description of problem:
I cannot reproduce this on standard RHEL 6.1, but I have a reliable report that it happens in RHEV-M 3.0 (beta?)
libguestfs fails when SELinux is enforcing (but works when SELinux is permissive or disabled).
The error message from qemu is:
  connect(unix:/tmp/libguestfsUQHOQD/sock): Permission denied
  chardev: opening backend "socket" failed
Version-Release number of selected component (if applicable):
  libguestfs 1.7.17-17.el6
  qemu 0.12.1-2.160.el6
  kernel 2.6.32-131.0.15
How reproducible: ?
Additional info:
I have asked Michal Fojtik who observed this error to follow up with more details.
Adding Alan to CC.
What does
  # getsebool allow_unconfined_qemu_transition
I believe the following command will fix the issue
  # setsebool -P allow_unconfined_qemu_transition 0
Set needinfo of mfojtik ...
Yes, I can confirm that setting the bool variable above fixes this problem. Thanks!
This IS a bug. Normal operation of libguestfs should not involve having to set SELinux booleans.
Miroslav, let's pull the transition code totally out like we have in F16. If you want to run confined virtual machines you need to run svirt_t launched by libvirt; otherwise you should stay in unconfined_t.
Fixed in selinux-policy-3.7.19-107.el6
Well I need to 'reopen' this bug once again. I recently got the same error with the boolean enabled. I didn't upgrade/update anything on my system.
Components:
  [root@mfojtik-2 ~]# getsebool allow_unconfined_qemu_transition
  allow_unconfined_qemu_transition --> off
  [root@mfojtik-2 ~]# getenforce
  Permissive
Relevant part of the vdsm.log:
  Thread-194852::DEBUG::2011-08-12 11:40:39,126::utils::573::Storage.Misc.excCmd::(execCmd) FAILED: <err> = 'find: failed to restore initial working directory: Permission denied\nconnect(unix:/tmp/libguestfssNcPZC/sock): Permission denied\nchardev: opening backend "socket" failed\n/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject:61: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6\n sys.stderr.write(\'fileinject: [general error in inject_file]: %s\\n\' % e.message)\nfileinject: [general error in inject_file]: child process died unexpectedly\nfileinject: path not exists: /\nfileinject: [unexpected error]: Traceback (most recent call last):\n File "/usr/libexec/vdsm/hooks/before_vm_start/50_fileinject", line 93, in <module>\n sys.exit(2)\nSystemExit: 2\n\n'; <rc> = 2
  Thread-194852::INFO::2011-08-12 11:40:39,126::hooks::51::root::(_runHooksDir) find: failed to restore initial working directory: Permission denied
  connect(unix:/tmp/libguestfssNcPZC/sock): Permission denied
  chardev: opening backend "socket" failed
If you had updated to the policy selinux-policy-3.7.19-107.el6, the boolean will not even exist.
I have asked Michal to open a different bug, since this appears to be happening for some other reason and needs investigation.
*** Bug 730662 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html