Bug 795048 - SELinux is preventing /usr/libexec/libvirt_lxc from 'create' accesses on the None selinux.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:988545d270524749684e4e20751...
Depends On:
Blocks:
 
Reported: 2012-02-18 22:41 UTC by running.sun
Modified: 2012-03-24 00:38 UTC (History)

Fixed In Version: selinux-policy-3.10.0-80.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-24 00:38:04 UTC
Type: ---



Description running.sun 2012-02-18 22:41:23 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.3-2.fc16.x86_64
reason:         SELinux is preventing /usr/libexec/libvirt_lxc from 'create' accesses on the None selinux.
time:           Sat 18 Feb 2012 11:33:50 PM CET

description:
:SELinux is preventing /usr/libexec/libvirt_lxc from 'create' accesses on the None selinux.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that libvirt_lxc should be allowed create access on the selinux <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep libvirt_lxc /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:root_t:s0
:Target Objects                selinux [ None ]
:Source                        libvirt_lxc
:Source Path                   /usr/libexec/libvirt_lxc
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           libvirt-0.9.6-4.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux hc595 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3
:                              20:08:08 UTC 2012 x86_64 x86_64
:Alert Count                   4
:First Seen                    Sat 18 Feb 2012 07:49:15 AM CET
:Last Seen                     Sat 18 Feb 2012 08:07:31 AM CET
:Local ID                      347b6563-9e9f-4d37-8e70-62a0a5d0c698
:
:Raw Audit Messages
:type=AVC msg=audit(1329548851.26:1011): avc:  denied  { create } for  pid=11224 comm="libvirt_lxc" name="selinux" scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
:
:node=hc595 type=SYSCALL msg=audit(1329548851.026:1011): arch=c000003e syscall=83 success=no exit=-13 a0=13f2bc0 a1=1ff a2=0 a3=9 items=0 ppid=0 pid=11224 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirt_lxc" exe="/usr/libexec/libvirt_lxc" subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: libvirt_lxc,virtd_lxc_t,root_t,None,create
:
:audit2allow
:
:
:audit2allow -R
:
:
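A small triage helper, added here as an example (not part of the bug report or of setroubleshoot): it parses the AVC and SYSCALL records above from audit.log, pairs them by audit serial, decodes the x86_64 syscall number and errno, and flags denials that match this bug's pattern so a defender can confirm after the policy update that the denial is gone. The syscall and errno tables and the dedup key are my own simplifications, not setroubleshoot's hash.

```python
import re
# Constructed sample input: the AVC and SYSCALL records quoted in this bug, on
# separate lines as auditd writes them to /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1329548851.26:1011): avc:  denied  { create } for  pid=11224 comm="libvirt_lxc" name="selinux" scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1329548851.026:1011): arch=c000003e syscall=83 success=no exit=-13 a0=13f2bc0 a1=1ff a2=0 a3=9 items=0 ppid=0 pid=11224 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirt_lxc" exe="/usr/libexec/libvirt_lxc" subj=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 key=(null)
"""
X86_64_SYSCALLS = {83: "mkdir"}  # arch=c000003e is x86_64; only what this record needs
ERRNO_NAMES = {13: "EACCES"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')

def parse_record(line):
    """One audit record -> dict of key=value fields plus serial, perms, denied."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    rec["denied"] = " denied " in line
    return rec

def selinux_type(context):
    return context.split(":")[2]  # user:role:type[:range] -> type

def summarize_denials(audit_text):
    """Pair each AVC denial with the SYSCALL record sharing its serial; one summary each."""
    by_serial = {}
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    summaries = []
    for recs in by_serial.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["denied"]:
            continue
        summaries.append({
            "key": (avc["comm"], selinux_type(avc["scontext"]),
                    selinux_type(avc["tcontext"]), avc["tclass"], avc["perms"][0]),
            "name": avc.get("name"),  # the object being created: "selinux" -> mkdir /selinux
            "exe": sc.get("exe"),
            "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]) if sc else None,
            "errno": ERRNO_NAMES.get(-int(sc["exit"]), sc["exit"]) if sc else None,
        })
    return summaries

def is_this_bug(summary):
    """True for the pattern fixed in selinux-policy-3.10.0-80.fc16: virtd_lxc_t mkdir in root_t."""
    _, src, tgt, tclass, perm = summary["key"]
    return (src, tgt, tclass, perm) == ("virtd_lxc_t", "root_t", "dir", "create")
```

Run summarize_denials over the real audit.log after updating the policy; an empty list of is_this_bug matches confirms the fix, while other denials still show up with their decoded syscall and errno.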

Comment 1 Daniel Walsh 2012-02-20 19:19:18 UTC
Miroslav, I think for F16 we need to make virtd_lxc_t unconfined, since we do not have this stuff working well yet.  Not sure why it is creating content in a directory labeled root_t?

running.sun, do you have directories other than / labeled root_t?

ls -lZ /

Comment 2 running.sun 2012-02-20 21:09:54 UTC
(In reply to comment #1)
> Miroslav, I think for F16 we need to make virtd_lxc_t unconfined, since we do
> not have this stuff working well yet.  Not sure why it is creating content in a
> directory labeled root_t?
> 
> running.sun, do you have directories other than / labeled root_t?
> 
> ls -lZ /

[root@hc595 /]# ls -lZ /
dr-xr-xr-x. root root system_u:object_r:bin_t:s0       bin
dr-xr-xr-x. root root system_u:object_r:boot_t:s0      boot
drwxr-xr-x. root root system_u:object_r:device_t:s0    dev
drwxr-xr-x. root root system_u:object_r:etc_t:s0       etc
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 home
dr-xr-xr-x. root root system_u:object_r:lib_t:s0       lib
dr-xr-xr-x. root root system_u:object_r:lib_t:s0       lib64
drwx------. root root system_u:object_r:lost_found_t:s0 lost+found
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0       mnt
drwxr-xr-x. root root system_u:object_r:usr_t:s0       opt
dr-xr-xr-x. root root system_u:object_r:proc_t:s0      proc
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 root
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   run
dr-xr-xr-x. root root system_u:object_r:bin_t:s0       sbin
drwxr-xr-x. root root system_u:object_r:var_t:s0       srv
drwxr-xr-x. root root system_u:object_r:sysfs_t:s0     sys
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       tmp
drwxr-xr-x. root root system_u:object_r:usr_t:s0       usr
drwxr-xr-x. root root system_u:object_r:var_t:s0       var
[root@hc595 /]# 

[root@hc595 /]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sat Feb  4 20:30:41 2012
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=b4d4ed56-da46-474a-b691-0c01c070c7ff /                       ext4    defaults        1 1
UUID=56c5ef46-bb68-4d07-8623-c4180eed3ae2 /boot                   ext4    defaults        1 2
UUID=581ab10b-806f-4449-a4e9-227f148a1244 /home                   ext4    defaults        1 2
UUID=72c06520-9a0a-44f3-aec4-553562fe4d60 swap                    swap    defaults        0 0


(...)

Comment 3 Miroslav Grepl 2012-02-21 06:41:05 UTC
commit 1b807b1f50e9f384b2227a5d0e28109b03eaadc5
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 21 08:40:32 2012 +0000

    Make virtd_lxc_t as unconfined domain

Comment 4 running.sun 2012-02-21 14:58:13 UTC
I should have added that running the suggested commands
grep libvirt_lxc /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
doesn't change anything.

Comment 6 running.sun 2012-02-27 15:11:01 UTC
Installed http://kojipkgs.fedoraproject.org/packages/selinux-policy/3.10.0/76.fc16/noarch/ since I'm on fc16. The mkdir /selinux error definitely went away.

I still can't interact with the containers in any way, but let's leave this to another day. Thanks everyone.

Comment 7 Fedora Update System 2012-02-29 09:31:57 UTC
selinux-policy-3.10.0-78.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-78.fc16

Comment 8 Fedora Update System 2012-03-01 09:24:06 UTC
Package selinux-policy-3.10.0-78.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-78.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-78.fc16
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-03-21 02:25:55 UTC
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-03-24 00:38:04 UTC
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

