Bug 749172 - In Xen, xend cannot find disk image that exists
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Duplicates: 750535
 
Reported: 2011-10-26 12:03 UTC by John D. Ramsdell
Modified: 2016-03-27 14:32 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-02-14 02:00:12 UTC
Type: ---


Attachments
Output from ausearch -m avc -ts recent (25.22 KB, text/plain), 2011-10-31 12:34 UTC, Dave Miller
Output of ausearch -m avc -ts recent run today (24.70 KB, text/plain), 2011-11-03 21:28 UTC, John D. Ramsdell
Output of ausearch -m avc -ts recent run today (5.20 KB, text/plain), 2012-01-06 12:39 UTC, John D. Ramsdell

Description John D. Ramsdell 2011-10-26 12:03:10 UTC
Description of problem:

I booted using "Linux with Xen 4.1 and Linux
3.1.0-0.rc8.git0.1.fc16.x86_64" and then in an attempt to create a
user domain virtual machine based on a local ISO image file, I started
virt-manager (Virtual Machine Manager 0.9.0).  After typing my
password, I noticed a little pop up that said something about some
program crashing, but I could not read the message before it
disappeared.  I then tried to create a new virtual machine called
couch, but when I tried to finish the process, I received this
message:

Unable to complete install: 'POST operation failed: xend_post: error from xen daemon: (xend.err 'Error creating domain: Disk image does not exist: /var/lib/libvirt/images/couch.img')'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1899, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line

When I navigate to this file's location as root, one finds that file.


Version-Release number of selected component (if applicable):

Xen 4.1.1


How reproducible:

Create a virtual machine with virt-machine

Steps to Reproduce:
1.  Click on create VM button
2.  Follow instructions
3.
  
Actual results:

See above output.

Expected results:

A running virtual machine

Additional info:

Comment 1 John D. Ramsdell 2011-10-26 20:19:40 UTC
I did not answer two of the canned questions correctly.  Let me try again.

How reproducible:

The problem occurs every time I try to create a virtual machine. 

Steps to Reproduce:
1.  Start virt-manager
2.  Click on create VM button
3.  Follow instructions for installing the OS from local install media

Finally, the evidence that image exists:

$ sudo ls -l /var/lib/libvirt/images/
[sudo] password for ramsdell: 
total 8388612
-rw-------. 1 root root 8589934592 Oct 18 07:19 couch.img
$

Comment 2 Michael Young 2011-10-26 21:19:31 UTC
My first guess is that selinux is getting in the way. You can stop selinux getting in the way by running setenforce 0 beforehand.
It is probably also worth making sure you have the latest selinux-policy-targeted package, as some libvirt/xen fixes went in relatively recently.

Comment 3 John D. Ramsdell 2011-10-27 15:24:24 UTC
(In reply to comment #2)
> My first guess is that selinux is getting in the way.

Your first guess is correct.

> It is probably also worth making sure you have the latest
> selinux-policy-targeted package, as some libvirt/xen fixes went in relatively
> recently.

Yum update does attempt to update my selinux policy, but the update dies with an error concerning qemu-common.

--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.1.0-0.rc6.git0.3.fc16 will be erased
---> Package kernel-devel.x86_64 0:3.1.0-0.rc6.git0.3.fc16 will be erased
--> Finished Dependency Resolution
Error: Protected multilib versions: 2:qemu-common-0.15.1-1.fc16.x86_64 != 2:qemu-common-0.15.0-5.fc16.i686
$

Comment 4 John D. Ramsdell 2011-10-27 19:22:14 UTC
I performed the update after removing the offending package, put selinux back into enforcing mode, and rebooted into the new hypervisor and kernel.  An attempt to create a new virtual machine failed with the same error listed above, so the new policy that was installed does not fix this problem.

Comment 5 Michael Young 2011-10-28 21:05:05 UTC
The next thing to do is to work out what selinux is blocking. If you retest it (after setenforce 0) what does
ausearch -m avc -ts recent
say?

Comment 6 John D. Ramsdell 2011-10-28 21:57:31 UTC
(In reply to comment #5)
> The next thing to do is to work out what selinux is blocking. If you retest it
> (after setenforce 0) what does
> ausearch -m avc -ts recent
> say?

I cannot get to the machine on which I run Xen for a week.  I'll run ausearch as soon as I am able and get back to you.

Comment 7 Dave Miller 2011-10-29 15:28:10 UTC
Chiming in since I just ran into the same problem and the "setenforce 0" solution worked:

time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.176:370): arch=c000003e syscall=4 success=yes exit=0 a0=7f703002b850 a1=7f70517f6640 a2=7f70517f6640 a3=2d302e362d534f74 items=0 ppid=1 pid=19562 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xend" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1319900996.176:370): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/home/dave/noBackup/ISOs/CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:370): avc:  denied  { search } for  pid=19562 comm="xend" name="noBackup" dev=dm-2 ino=24248405 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.176:369): arch=c000003e syscall=4 success=yes exit=0 a0=7f703002b7f0 a1=7f70517f6640 a2=7f70517f6640 a3=6d692e746e65696c items=0 ppid=1 pid=19562 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xend" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1319900996.176:369): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/var/lib/libvirt/images/c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:369): avc:  denied  { search } for  pid=19562 comm="xend" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.461:371): arch=c000003e syscall=2 success=yes exit=5 a0=5006a5 a1=2 a2=7fff6c61c817 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.461:371): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:371): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.461:372): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=400454ca a2=7fff6c61c850 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.461:372): avc:  denied  { create } for  pid=19576 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=tun_socket
type=AVC msg=audit(1319900996.461:372): avc:  denied  { net_admin } for  pid=19576 comm="qemu-dm" capability=12  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
type=AVC msg=audit(1319900996.461:372): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/net/tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.463:373): arch=c000003e syscall=59 success=yes exit=0 a0=7fff6c61bb90 a1=7fff6c61b6f0 a2=7fff6c61cfd0 a3=7f83c4464a10 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read open } for  pid=19628 comm="qemu-dm" name="bash" dev=dm-1 ino=1839179 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute } for  pid=19628 comm="qemu-dm" name="bash" dev=dm-1 ino=1839179 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read } for  pid=19628 comm="qemu-dm" name="sh" dev=dm-1 ino=1836061 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute_no_trans } for  pid=19628 comm="qemu-dm" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { read open } for  pid=19628 comm="qemu-dm" name="qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1319900996.463:373): avc:  denied  { execute } for  pid=19628 comm="qemu-dm" name="qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.524:374): arch=c000003e syscall=2 success=yes exit=3 a0=3fdbf7238f a1=0 a2=1b6 a3=2000 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.524:374): avc:  denied  { open } for  pid=19628 comm="qemu-ifup" name="meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1319900996.524:374): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.524:375): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff35574ff0 a2=7fff35574ff0 a3=2000 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.524:375): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/proc/meminfo" dev=proc ino=4026532208 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.525:376): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff35577328 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.525:376): avc:  denied  { ioctl } for  pid=19628 comm="qemu-ifup" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.525:377): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fff355772d0 a2=7fff355772d0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.525:377): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/etc/xen/scripts/qemu-ifup" dev=dm-1 ino=2498484 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.526:378): arch=c000003e syscall=4 success=yes exit=0 a0=10542a0 a1=7fff35576d40 a2=7fff35576d40 a3=8 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.526:378): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="virbr0" dev=sysfs ino=18937 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:379): arch=c000003e syscall=4 success=yes exit=0 a0=10547d0 a1=7fff35577010 a2=7fff35577010 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:379): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/sbin/ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:380): arch=c000003e syscall=21 success=yes exit=0 a0=10547d0 a1=1 a2=0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:380): avc:  denied  { execute } for  pid=19628 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.527:381): arch=c000003e syscall=21 success=yes exit=0 a0=10547d0 a1=4 a2=0 a3=0 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.527:381): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.528:382): arch=c000003e syscall=59 success=yes exit=0 a0=10547d0 a1=1052f30 a2=10557c0 a3=8 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.528:382): avc:  denied  { execute_no_trans } for  pid=19655 comm="qemu-ifup" path="/sbin/ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.528:382): avc:  denied  { open } for  pid=19655 comm="qemu-ifup" name="ifconfig" dev=dm-1 ino=2232334 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:383): arch=c000003e syscall=21 success=yes exit=0 a0=40d33e a1=4 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:383): avc:  denied  { read } for  pid=19655 comm="ifconfig" name="unix" dev=proc ino=4026532181 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:384): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=2 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:384): avc:  denied  { create } for  pid=19655 comm="ifconfig" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=unix_dgram_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.529:385): arch=c000003e syscall=41 success=yes exit=4 a0=2 a1=2 a2=0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.529:385): avc:  denied  { create } for  pid=19655 comm="ifconfig" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=udp_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.530:386): arch=c000003e syscall=21 success=no exit=-2 a0=40c3b8 a1=4 a2=2 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.530:386): avc:  denied  { search } for  pid=19655 comm="ifconfig" name="net" dev=proc ino=11501 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.530:387): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=8916 a2=7fff1d2a0fe0 a3=0 items=0 ppid=19628 pid=19655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.530:387): avc:  denied  { ioctl } for  pid=19655 comm="ifconfig" path="socket:[220704]" dev=sockfs ino=220704 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=udp_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.532:388): arch=c000003e syscall=4 success=yes exit=0 a0=10548f0 a1=7fff35576e40 a2=7fff35576e40 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.532:388): avc:  denied  { getattr } for  pid=19628 comm="qemu-ifup" path="/usr/sbin/brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.533:389): arch=c000003e syscall=21 success=yes exit=0 a0=10548f0 a1=1 a2=0 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.533:389): avc:  denied  { execute } for  pid=19628 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.533:390): arch=c000003e syscall=21 success=yes exit=0 a0=10548f0 a1=4 a2=0 a3=3fdbe85a00 items=0 ppid=19576 pid=19628 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ifup" exe="/bin/bash" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.533:390): avc:  denied  { read } for  pid=19628 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.534:391): arch=c000003e syscall=59 success=yes exit=0 a0=10548f0 a1=1055090 a2=10557c0 a3=8 items=0 ppid=19628 pid=19662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.534:391): avc:  denied  { execute_no_trans } for  pid=19662 comm="qemu-ifup" path="/usr/sbin/brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
type=AVC msg=audit(1319900996.534:391): avc:  denied  { open } for  pid=19662 comm="qemu-ifup" name="brctl" dev=dm-1 ino=1718962 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:brctl_exec_t:s0 tclass=file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.535:392): arch=c000003e syscall=16 success=yes exit=0 a0=4 a1=8933 a2=7fff4b795270 a3=ffffffffffffff6b items=0 ppid=19628 pid=19662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.535:392): avc:  denied  { ioctl } for  pid=19662 comm="brctl" path="socket:[220710]" dev=sockfs ino=220710 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=unix_dgram_socket
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.552:394): arch=c000003e syscall=2 success=yes exit=10 a0=18551f0 a1=2 a2=1a4 a3=8 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.552:394): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.552:394): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.552:394): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
type=AVC msg=audit(1319900996.552:394): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="libvirt" dev=dm-1 ino=3156957 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.554:395): arch=c000003e syscall=2 success=yes exit=11 a0=1855f60 a1=0 a2=1a4 a3=2d534f746e65432f items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.554:395): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.554:395): avc:  denied  { read } for  pid=19576 comm="qemu-dm" name="CentOS-6.0-x86_64-bin-DVD1.iso" dev=dm-2 ino=24248407 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=file
type=AVC msg=audit(1319900996.554:395): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="noBackup" dev=dm-2 ino=24248405 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1319900996.554:395): avc:  denied  { search } for  pid=19576 comm="qemu-dm" name="dave" dev=dm-2 ino=24248321 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.555:396): arch=c000003e syscall=2 success=yes exit=12 a0=3fdbf7328d a1=2 a2=0 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.555:396): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.555:396): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:397): arch=c000003e syscall=137 success=yes exit=0 a0=3fdbf721c0 a1=7fff6c61b770 a2=c a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:397): avc:  denied  { getattr } for  pid=19576 comm="qemu-dm" name="/" dev=devpts ino=1 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:398): arch=c000003e syscall=16 success=yes exit=0 a0=c a1=5401 a2=7fff6c61a5f8 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:398): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/ptmx" dev=devtmpfs ino=1127 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:399): arch=c000003e syscall=4 success=yes exit=0 a0=7fff6c61a6f0 a1=7fff6c61b6f0 a2=7fff6c61b6f0 a3=0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:399): avc:  denied  { getattr } for  pid=19576 comm="qemu-dm" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:400): arch=c000003e syscall=2 success=yes exit=13 a0=7fff6c61b830 a1=102 a2=ff6 a3=7fff6c619fc0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:400): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.556:400): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.556:401): arch=c000003e syscall=16 success=yes exit=0 a0=d a1=5401 a2=7fff6c61c838 a3=7fff6c619fc0 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.556:401): avc:  denied  { ioctl } for  pid=19576 comm="qemu-dm" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
----
time->Sat Oct 29 09:09:56 2011
type=SYSCALL msg=audit(1319900996.557:402): arch=c000003e syscall=149 success=yes exit=0 a0=1859000 a1=1000 a2=1859000 a3=1 items=0 ppid=1202 pid=19576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319900996.557:402): avc:  denied  { ipc_lock } for  pid=19576 comm="qemu-dm" capability=14  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
----
time->Sat Oct 29 09:10:09 2011
type=SYSCALL msg=audit(1319901009.932:404): arch=c000003e syscall=62 success=yes exit=0 a0=4c78 a1=c a2=ab98e0 a3=0 items=0 ppid=1202 pid=20047 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319901009.932:404): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
----
time->Sat Oct 29 09:10:20 2011
type=SYSCALL msg=audit(1319901020.195:405): arch=c000003e syscall=62 success=yes exit=0 a0=4c78 a1=c a2=ab98e0 a3=f5e8f800 items=0 ppid=1202 pid=20047 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1319901020.195:405): avc:  denied  { signal } for  pid=20047 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process

Looks like there are actually several different issues with SELinux.
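
An added example, not part of the original comments and not the project's own tooling: a small Python parser that groups AVC denials like those in comment 7 by source domain, target type and object class, similar in spirit to the summary audit2allow produces. The sample records are copied from the ausearch output above (AVC lines only); the function names are illustrative assumptions.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output posted in comment 7 (AVC lines only).
SAMPLE = r'''
type=AVC msg=audit(1319900996.176:370): avc:  denied  { search } for  pid=19562 comm="xend" name="noBackup" dev=dm-2 ino=24248405 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1319900996.176:369): avc:  denied  { getattr } for  pid=19562 comm="xend" path="/var/lib/libvirt/images/c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.176:369): avc:  denied  { search } for  pid=19562 comm="xend" name="images" dev=dm-1 ino=268913 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=dir
type=AVC msg=audit(1319900996.461:371): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:371): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="tun" dev=devtmpfs ino=11463 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319900996.461:372): avc:  denied  { create } for  pid=19576 comm="qemu-dm" scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=tun_socket
type=AVC msg=audit(1319900996.461:372): avc:  denied  { net_admin } for  pid=19576 comm="qemu-dm" capability=12  scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=capability
type=AVC msg=audit(1319900996.552:394): avc:  denied  { open } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1319900996.552:394): avc:  denied  { read write } for  pid=19576 comm="qemu-dm" name="c6xclient.img" dev=dm-1 ino=262362 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
'''

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one 'type=AVC ... denied' record; return None for any other line."""
    line = line.strip()
    if not line.startswith("type=AVC"):
        return None  # SYSCALL records, separators, blank lines
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # Socket and capability denials carry neither path= nor name=.
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Group denials as {(source, target, class): sorted permission list}."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def render_rules(summary):
    """Render the summary in allow-rule notation so the gaps can be reviewed."""
    rules = []
    for (source, target, tclass), perms in sorted(summary.items()):
        shown = "self" if target == source else target
        rules.append("allow %s %s:%s { %s };" % (source, shown, tclass, " ".join(perms)))
    return rules


def groups_per_domain(summary):
    """Count distinct (target, class) groups denied for each source domain."""
    counts = defaultdict(int)
    for source, _target, _tclass in summary:
        counts[source] += 1
    return dict(counts)


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(groups_per_domain(result))
    for rule in render_rules(result):
        print(rule)
```

Grouping by source domain separates the xend_t denials (image and home directories) from the qemu_dm_t denials (tun device, sockets, capabilities, image files), which is the split the later comments work on.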

Comment 8 Michael Young 2011-10-29 20:39:41 UTC
This probably needs some tweaks at the selinux end. Reassigning to selinux-policy-targeted package.

Comment 9 Miroslav Grepl 2011-10-31 09:44:08 UTC
Dave,
could you attach these AVC msgs as an attachment for better analysis? Looks like qemu_dm_t needs some fixes.

Comment 10 Dave Miller 2011-10-31 12:34:03 UTC
Created attachment 530966 [details]
Output from ausearch -m avc -ts recent

This is just a grab of what I had previously posted.  It will be this evening before I get a chance to re-create the problem.

Comment 11 Miroslav Grepl 2011-11-01 14:48:40 UTC
*** Bug 750535 has been marked as a duplicate of this bug. ***

Comment 12 John D. Ramsdell 2011-11-03 21:28:55 UTC
Created attachment 531663 [details]
Output of ausearch -m avc -ts recent run today

What happens when I try to make a VM called couch.

Comment 13 Konrad Rzeszutek Wilk 2011-11-03 23:15:26 UTC
Seeing it too. I can attach an output when using LVs instead of files to install F16 under F16. Is there a temporary workaround (well, except disabling SELinux?)

Comment 14 vvs 2011-11-23 13:35:42 UTC
I must add that the same problem exists for openstack-nova too. SELinux policy blocks xend access to /var/lib/nova/instances.

Comment 15 Miroslav Grepl 2012-01-02 08:51:10 UTC
Could you try to execute

# chcon -t bin_t /usr/lib/xen/bin/qemu-dm 

and re-test it. Thank you.

Comment 16 Adrian Busolini 2012-01-02 17:05:59 UTC
Note that I worked around the issue of storage directory permissions and installation media directory permissions by executing the following (replacing /foo/bar) for each directory:

# semanage fcontext -a -t xen_image_t "/foo/bar(/.*)?"
# restorecon -R -v /domu

I tried the fix, but setenforce=0 is still the only way I can get things working. Prior to running the chcon fix:

time->Mon Jan  2 16:54:14 2012
type=SYSCALL msg=audit(1325523254.512:983): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=400454ca a2=7fff4c8909f0 a3=0 items=0 ppid=1183 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1325523254.512:983): avc:  denied  { create } for  pid=1643 comm="qemu-dm" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=tun_socket
----
time->Mon Jan  2 16:54:14 2012
type=SYSCALL msg=audit(1325523254.511:982): arch=c000003e syscall=160 success=no exit=-1 a0=8 a1=7fff4c890eb0 a2=7fff4c891160 a3=3867bb0d0c items=0 ppid=1183 pid=1643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1325523254.511:982): avc:  denied  { sys_resource } for  pid=1643 comm="qemu-dm" capability=24  scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability

Post running the chcon fix:

----
time->Mon Jan  2 16:55:04 2012
type=SYSCALL msg=audit(1325523304.789:985): arch=c000003e syscall=2 success=no exit=-13 a0=500625 a1=2 a2=7fff905577f8 a3=0 items=0 ppid=1183 pid=2581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1325523304.789:985): avc:  denied  { read write } for  pid=2581 comm="qemu-dm" name="tun" dev=devtmpfs ino=9504 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
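
The denials quoted in comment 16 show qemu-dm running in xend_t before the chcon and in qemu_dm_t after it. As an added example (not part of the original comment, and not code from Fedora or the audit tools), this Python script parses AVC records and groups the denied permissions by command, source type, target type and class; the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from comment 16 (the SYSCALL records are omitted).
SAMPLE = """\
type=AVC msg=audit(1325523254.512:983): avc:  denied  { create } for  pid=1643 comm="qemu-dm" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=tun_socket
type=AVC msg=audit(1325523254.511:982): avc:  denied  { sys_resource } for  pid=1643 comm="qemu-dm" capability=24  scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
type=AVC msg=audit(1325523304.789:985): avc:  denied  { read write } for  pid=2581 comm="qemu-dm" name="tun" dev=devtmpfs ino=9504 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)

def _type_of(context):
    # user:role:type:level -> type (the level may itself contain colons)
    return context.split(":")[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records, "----" separators, time-> lines
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "comm": fields.get("comm", "").strip('"'),
        "perms": tuple(m.group("perms").split()),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Group denied permissions by (comm, source type, target type, class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["source"], rec["target"], rec["tclass"])
            summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

def source_domains(text, comm):
    """Domains a given command was running in when it was denied."""
    return sorted({k[1] for k in summarize(text) if k[0] == comm})

if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE).items()):
        print(key, perms)
```

Feeding it the full `ausearch -m avc` output instead of SAMPLE gives one row per distinct denial, which makes a change of source domain between two test runs easy to spot.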

Comment 17 John D. Ramsdell 2012-01-05 13:48:02 UTC
(In reply to comment #15)
> Could you try to execute
> 
> # chcon -t bin_t /usr/lib/xen/bin/qemu-dm 
> 
> and re-test it. Thank you.

I retested before running your command to see if recent policy updates changed anything, but they did not.  I ran your command, and found it had no effect.

John

Comment 18 Miroslav Grepl 2012-01-06 12:05:49 UTC
I did not add any changes to a new policy. 

Not sure what you mean by "no effect". I believe you needed to get different AVC msgs.

Comment 19 John D. Ramsdell 2012-01-06 12:39:21 UTC
Created attachment 551140
Output of ausearch -m avc -ts recent run today

Comment 20 John D. Ramsdell 2012-01-06 12:41:00 UTC
Oops.  I forgot the testing procedure.  I just added as an attachment the result of running ausearch after running your chcon and setenforce 0.

Comment 21 Fedora End Of Life 2013-02-14 02:00:26 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

