Bug 824551 - After the libvirt packages installation, KVM images do not start with SELinux enforcing.
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Martin Kletzander
QA Contact: Virtualization Bugs
Reported: 2012-05-23 13:57 EDT by Saulo Pedro
Modified: 2013-01-25 07:34 EST
Doc Type: Bug Fix
Last Closed: 2012-08-08 14:04:29 EDT
Type: Bug
Description Saulo Pedro 2012-05-23 13:57:18 EDT
Description of problem:

After the installation of libvirt packages, KVM images do not start with SELinux enforcing.

It seems the installation leaves some files mislabeled:

/etc/init.d/libvirtd should be in virtd_initrc_exec_t, it is in rpm_script_t
/usr/sbin/libvirtd should be in virtd_exec_t, it is in bin_t

Recovering these labels with restorecon resolves this problem.

Version-Release number of selected component (if applicable):

libvirt-0.8.7-18.el6_1.4.x86_64
libvirt-client-0.8.7-18.el6_1.4.x86_64
libvirt-python-0.8.7-18.el6_1.4.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install the packages
2. Set SELinux to enforcing
3. Start a KVM image (I tried with virt-manager)
  
Actual results:

Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686'
on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1050, in startup
    self._backend.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 511, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686'
on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied


 ausearch -m avc -ts recent
----
time->Wed Apr 25 18:17:00 2012
type=SYSCALL msg=audit(1335392220.167:51422): arch=c000003e syscall=188 success=no exit=-13 a0=7fd8e400cab0 a1=34a4e162d9
a2=7fd8e800a2f0 a3=2d items=0 ppid=1 pid=3172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:initrc_t:s0
key=(null)
type=AVC msg=audit(1335392220.167:51422): avc:  denied  { relabelto } for  pid=3172 comm="libvirtd"
name="Technical_Operations-Windows_XP.raw" dev=dm-1 ino=269090 scontext=system_u:system_r:initrc_t:s0


Expected results:

No SELinux alerts.

Additional info:
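
The audit records in the description show /usr/sbin/libvirtd running as initrc_t, which is consistent with the mislabeled executable the reporter describes, since the transition into the libvirt daemon domain depends on the virtd_exec_t label. The following Python is an added example, not part of the original report or of libvirt: it pairs SYSCALL and AVC records by event id and flags denials raised while a daemon ran outside its expected domain. The expected domain virtd_t, the function names and the abridged sample records are assumptions.

```python
import re

# Assumption: with /usr/sbin/libvirtd labeled virtd_exec_t, the daemon runs as virtd_t.
EXPECTED_DOMAIN = {"/usr/sbin/libvirtd": "virtd_t"}

# Sample input: the report's ausearch records, abridged and with wrapped lines rejoined.
# The AVC record ends after scontext, as it does in the report.
SAMPLE = """\
type=SYSCALL msg=audit(1335392220.167:51422): arch=c000003e syscall=188 success=no exit=-13 pid=3172 uid=0 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1335392220.167:51422): avc:  denied  { relabelto } for  pid=3172 comm="libvirtd" name="Technical_Operations-Windows_XP.raw" dev=dm-1 ino=269090 scontext=system_u:system_r:initrc_t:s0
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse_events(text):
    """Group audit records by event id, merging SYSCALL and AVC fields."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # '----' separators and 'time->' lines carry no event id
        ev = events.setdefault(m.group(1), {})
        for key, val in FIELD.findall(line):
            if key not in ("type", "msg"):
                ev.setdefault(key, val.strip('"'))
        perms = PERMS.search(line)
        if perms:
            ev["denied"] = perms.group(1).split()
    return events

def wrong_domain_denials(text):
    """Return denials raised while a known daemon ran outside its expected domain."""
    findings = []
    for ev_id, ev in parse_events(text).items():
        ctx = ev.get("subj") or ev.get("scontext", "")
        parts = ctx.split(":")
        domain = parts[2] if len(parts) > 2 else None
        expected = EXPECTED_DOMAIN.get(ev.get("exe"))
        if expected and "denied" in ev and domain != expected:
            findings.append({"event": ev_id, "exe": ev["exe"], "domain": domain,
                             "expected": expected, "denied": ev["denied"],
                             "target": ev.get("name")})
    return findings

if __name__ == "__main__":
    for finding in wrong_domain_denials(SAMPLE):
        print(finding)
```

A finding here points at the executable's file label rather than at the image file; `restorecon -nv` on the reported path shows what would be relabeled without changing anything.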
Comment 2 dyuan 2012-05-24 02:17:54 EDT
I can't reproduce it with libvirt-0.9.10-20.el6 & selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 & selinux-policy-3.7.19-126.el6.

Can you provide your selinux-policy version or try it with the latest version?
Comment 3 Saulo Pedro 2012-05-24 08:31:01 EDT
The SELinux policy is selinux-policy-3.7.19-93.el6
Comment 5 Dave Allan 2012-07-18 11:36:18 EDT
(In reply to comment #2)
> I can't reproduce it with libvirt-0.9.10-20.el6 &
> selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 &
> selinux-policy-3.7.19-126.el6.
> 
> Can you provide your selinux-policy version or try it with the latest
> version?

Saulo, this behavior isn't reproducible for us. Do you see it on a freshly installed system?
Comment 6 Dave Allan 2012-08-08 14:04:29 EDT
Since we can't reproduce this behavior and we don't have any further information about what's going on, I'm closing, but please feel free to reopen if the information becomes available.
