Bug 750535 - SELinux prevents installation of Xen PV domU with virt-install or virt-manager
Status: CLOSED DUPLICATE of bug 749172
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-11-01 14:20 UTC by Pasi Karkkainen
Modified: 2011-11-01 14:48 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-11-01 14:48:40 UTC



Description Pasi Karkkainen 2011-11-01 14:20:36 UTC
Description of problem:

Installing Xen guests using virt-install or virt-manager fails when SELinux is enabled. After disabling SELinux (setenforce 0), installation of VMs works OK.

I'm using LVM volumes as disk backends for the Xen domUs.

Version-Release number of selected component (if applicable):
xen-hypervisor-4.1.2-1.fc16.x86_64
xen-runtime-4.1.2-1.fc16.x86_64
xen-libs-4.1.2-1.fc16.x86_64
xen-4.1.2-1.fc16.x86_64
xen-licenses-4.1.2-1.fc16.x86_64
selinux-policy-3.10.0-51.fc16.noarch
selinux-policy-targeted-3.10.0-51.fc16.noarch
libvirt-client-0.9.6-2.fc16.x86_64
libvirt-0.9.6-2.fc16.x86_64
libvirt-python-0.9.6-2.fc16.x86_64
python-virtinst-0.600.0-5.fc16.noarch
virt-manager-common-0.9.0-7.fc16.noarch
virt-manager-0.9.0-7.fc16.noarch


How reproducible:
Always.

Steps to Reproduce:
1. Install Fedora 16 Xen dom0 host.
2. Leave SELinux enabled/enforcing (the default setting).
3. Try to install Xen PV domU with LVM volume as a disk backend, using virt-install or with virt-manager.
  
Actual results:
Installation fails due to an SELinux denial.

Expected results:
Installation works.

Additional info:

# virt-install -d -n f16foo -r 1024 --vcpus=2 -f /dev/vg_f16/f16foo --vnc -p -l "http://web.server.tld/fedora/mount-f16-final-rc2-x64/"

...
Tue, 01 Nov 2011 14:25:57 DEBUG    Removing /var/lib/xen/virtinst-vmlinuz.uQRLnY
Tue, 01 Nov 2011 14:25:57 DEBUG    Removing /var/lib/xen/virtinst-initrd.img.eNjEEF
Tue, 01 Nov 2011 14:25:57 ERROR    Domain not found: xenUnifiedDomainLookupByName
Tue, 01 Nov 2011 14:25:57 DEBUG    Traceback (most recent call last):
  File "/usr/bin/virt-install", line 620, in start_install
    noboot=options.noreboot)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line 1223, in start_install
    noboot)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line 1291, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 2077, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: Domain not found: xenUnifiedDomainLookupByName
Tue, 01 Nov 2011 14:25:57 DEBUG    Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect xen:/// start f16foo
otherwise, please restart your installation.
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect xen:/// start f16foo
otherwise, please restart your installation.

SELinux audit.log entries for the virt-install session:

type=AVC msg=audit(1320150357.535:99): avc:  denied  { read write } for  pid=5217 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1121 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320150357.535:99): arch=c000003e syscall=2 success=no exit=-13 a0=7f6bf76ea28d a1=2 a2=0 a3=7fff70b6eb30 items=0 ppid=1148 pid=5217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1320150357.731:100): dev=vif6.0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1320150357.731:100): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=89a2 a2=7fff378e8b90 a3=7fff378e88f0 items=0 ppid=5272 pid=5316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0-s0:c0.c1023 key=(null)


SELinux audit.log entries when installing Xen PV domU with virt-manager:

type=AVC msg=audit(1320149721.769:94): avc:  denied  { read write } for  pid=3342 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1121 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320149721.769:94): arch=c000003e syscall=2 success=no exit=-13 a0=7f50cc82a28d a1=2 a2=0 a3=7fff4a5ea6a0 items=0 ppid=1148 pid=3342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:qemu_dm_t:s0 key=(null)
type=AVC msg=audit(1320149721.770:95): avc:  denied  { sigkill } for  pid=3343 comm="xend" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
type=SYSCALL msg=audit(1320149721.770:95): arch=c000003e syscall=62 success=no exit=-13 a0=d0e a1=9 a2=0 a3=7f3dd4ff86b0 items=0 ppid=1 pid=3343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xend" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1320149722.060:96): dev=vif4.0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1320149722.060:96): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=89a2 a2=7fff7b2a6180 a3=7fff7b2a5ee0 items=0 ppid=3437 pid=3470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0-s0:c0.c1023 key=(null)


virt-manager errors:

Unable to complete install: 'Domain not found: xenUnifiedDomainLookupByName'
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 1899, in do_install
    guest.start_install(False, meter=meter)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line 1223, in start_install
    noboot)
  File "/usr/lib/python2.7/site-packages/virtinst/Guest.py", line 1291, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 2077, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: Domain not found: xenUnifiedDomainLookupByName


Running "setenforce 0" fixes the problem.
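
Added example, not part of the original report: a small triage script that groups the AVC denials quoted above by source type, target type and object class, and joins each one to the SYSCALL record carrying the same audit event id (timestamp:serial) to recover the executable. The names `summarize` and `type_of` are hypothetical, and the sample records are abbreviated from the report's audit.log excerpts.

```python
import re
from collections import defaultdict

# Records abbreviated from the audit.log excerpts in the report (SYSCALL
# lines trimmed to the fields used below).
SAMPLE = """\
type=AVC msg=audit(1320150357.535:99): avc:  denied  { read write } for  pid=5217 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1121 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320150357.535:99): arch=c000003e syscall=2 success=no exit=-13 pid=5217 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
type=AVC msg=audit(1320149721.769:94): avc:  denied  { read write } for  pid=3342 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1121 scontext=system_u:system_r:qemu_dm_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320149721.769:94): arch=c000003e syscall=2 success=no exit=-13 pid=3342 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
type=AVC msg=audit(1320149721.770:95): avc:  denied  { sigkill } for  pid=3343 comm="xend" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:qemu_dm_t:s0 tclass=process
type=SYSCALL msg=audit(1320149721.770:95): arch=c000003e syscall=62 success=no exit=-13 pid=3343 comm="xend" exe="/usr/bin/python"
type=ANOM_PROMISCUOUS msg=audit(1320149722.060:96): dev=vif4.0 prom=256 old_prom=0
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC_RE = re.compile(
    r'denied\s+\{ ([^}]*)\} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class) and attach the
    executable from the SYSCALL record that shares the audit event id."""
    exe_by_event, denials = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        if rtype == "SYSCALL":
            exe = re.search(r'exe="([^"]*)"', body)
            exe_by_event[(ts, serial)] = exe.group(1) if exe else "unknown"
        elif rtype == "AVC" and AVC_RE.search(body):
            denials.append(((ts, serial), AVC_RE.search(body).groups()))
    summary = defaultdict(lambda: {"perms": set(), "exes": set(), "count": 0})
    for event_id, (perms, scon, tcon, tclass) in denials:
        entry = summary[(type_of(scon), type_of(tcon), tclass)]
        entry["perms"].update(perms.split())
        entry["exes"].add(exe_by_event.get(event_id, "unknown"))
        entry["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), e in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(e['perms'])} "
              f"x{e['count']} via {sorted(e['exes'])}")
```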

Comment 1 Michael Young 2011-11-01 14:34:00 UTC
Reassigning to selinux-policy-targeted. This may be the same issue as Bug 749172.

Comment 2 Miroslav Grepl 2011-11-01 14:48:40 UTC

*** This bug has been marked as a duplicate of bug 749172 ***

