SELinux is preventing /usr/bin/qemu-kvm from 'write' accesses on the directory /home/misc/.libvirt/qemu/lib.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/home/misc/.libvirt/qemu/lib default label should be virt_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/misc/.libvirt/qemu/lib

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that qemu-kvm should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c370,c638
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/misc/.libvirt/qemu/lib [ dir ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-0.14.0-7.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 27 Sep 2011 10:04:46 CEST
Last Seen                     Tue 27 Sep 2011 10:04:46 CEST
Local ID                      d901bdb1-4d27-4507-8021-97f20a53c4e2

Raw Audit Messages
type=AVC msg=audit(1317110686.336:134): avc: denied { write } for pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 a2=6e a3=6273632f62696c2f items=0 ppid=1 pid=11767 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)

Hash: qemu-kvm,svirt_t,user_home_t,dir,write

audit2allow

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;

audit2allow -R

#============= svirt_t ==============
#!!!! The source type 'svirt_t' can write to a 'dir' of the following types:
# qemu_var_run_t, var_t, tmp_t, svirt_tmp_t, tmpfs_t, hugetlbfs_t, virt_cache_t, var_run_t, svirt_image_t, svirt_tmpfs_t, dosfs_t

allow svirt_t user_home_t:dir write;
To trigger the error, just run as a user:

$ virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

The ISO should not matter much. Sealert tells me to restore the context, which I do, but the error is still there. And the installation does not work.

~ $ ls -lZ ~/.libvirt/qemu/
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 cache
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 dump
drwxrwxr-x. misc misc unconfined_u:object_r:virt_home_t:s0 lib
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 log
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 run
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 save
drwxrwxr-x. misc misc unconfined_u:object_r:user_home_t:s0 snapshot
Seems qemu-kvm wants to create or delete some object in ~/.libvirt/qemu/lib but the SELinux policy currently does not support that. Could you test and reproduce this in permissive mode and enclose all the AVC denials from /var/log/audit/audit.log that occurred since the test? This will give us an idea as to what kind of objects it is trying to create or delete, plus we will be able to determine what else it needs for this to work (and if it works at all). But first restore the context of the whole ~/.libvirt directory (restorecon -R -v ~/.libvirt).
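The request above asks for every AVC denial logged during a permissive-mode run. The script below is an added example, not part of this bug report or of any Fedora tooling: it boils an audit log down to the same (comm, source type, target type, class, permissions) tuples that sealert prints on its "Hash:" line, so a batch of permissive-mode denials can be compared at a glance. The sample log is constructed: its first AVC line mirrors the denial in the report, the "add_name write" line is invented to show multi-permission output, the SYSCALL line is abridged, and the repeated line shows that duplicates collapse.

```shell
#!/bin/sh
# Added example (not from the bug report): summarize AVC denials into
# "comm stype ttype tclass perm[,perm...]" tuples, one per distinct denial.
# On a live system the input would be collected with something like:
#   # setenforce 0; <run the test>; ausearch -m AVC -ts recent > avc.log; setenforce 1

# Constructed sample log: first line mirrors the report, the add_name line is
# invented, the SYSCALL line is abridged, and the last line is a duplicate.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1317110686.336:134): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7fff3524b300 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c370,c638 key=(null)
type=AVC msg=audit(1317110700.001:135): avc:  denied  { add_name write } for  pid=11767 comm="qemu-kvm" name="sock" scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1317110686.336:134): avc:  denied  { write } for  pid=11767 comm="qemu-kvm" name="lib" dev=dm-3 ino=3801899 scontext=system_u:system_r:svirt_t:s0:c370,c638 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
EOF

# summarize_avc FILE
# Only "type=AVC ... denied" records are considered; SYSCALL records are skipped.
summarize_avc() {
  awk '
    /^type=AVC / && /avc: *denied/ {
      comm = stype = ttype = tclass = "?"; perms = ""; inperms = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperms = 1; continue }      # start of { perm ... }
        if ($i == "}") { inperms = 0; continue }
        if (inperms)   { perms = perms (perms == "" ? "" : ",") $i; continue }
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }   # user:role:TYPE:...
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      print comm, stype, ttype, tclass, perms
    }' "$1" | sort -u
}

# has_denial FILE STYPE TTYPE TCLASS PERM
# Exit 0 if some summarized denial has exactly these types and class and
# includes PERM; lets a script check for the tuple named in the report.
has_denial() {
  summarize_avc "$1" | awk -v s="$2" -v t="$3" -v c="$4" -v p="$5" '
    $2 == s && $3 == t && $4 == c {
      n = split($5, ps, ","); for (i = 1; i <= n; i++) if (ps[i] == p) found = 1
    }
    END { exit !found }'
}

summarize_avc "$sample_log"
```

Run it with the real log in place of the constructed file; the tuples it prints are what audit2allow turns into allow rules, and the target type column is the quick check for whether a restorecon actually took effect (user_home_t still showing up after relabeling means the access is not a labeling problem).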
AFAIK, we had the same issue on RHEL6. Looking for a bug.
Created attachment 525878: Qemu avc log

Here is the log.
Actually we know where the problem is. We have a fix in RHEL6 but we need to investigate it in Fedora. The problem is libvirt is running as unconfined_t in this case, which is expected. Michael, if you run

# runcon -r system_r -t initrc_t -- runcon -t virtd_t -- virt-install --name csb_6 --ram 1024 --cdrom ~/RHEL6-CSB_x86_64.iso --nodisks

this should work.
https://bugzilla.redhat.com/show_bug.cgi?id=676372
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
F15 is end of life real soon, so closing as WONTFIX. If anyone can still reproduce with a Fedora 16 or Fedora 17, please reopen.