Bug 824551 - After the libvirt packages installation, KVM images do not start with SELinux enforcing.
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Martin Kletzander
QA Contact: Virtualization Bugs
Reported: 2012-05-23 17:57 UTC by Saulo Pedro
Modified: 2013-01-25 12:34 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-08-08 18:04:29 UTC



Description Saulo Pedro 2012-05-23 17:57:18 UTC
Description of problem:

After the installation of libvirt packages, KVM images do not start with SELinux enforcing.

It seems the installation leaves some files mislabeled.

/etc/init.d/libvirtd should be in virtd_initrc_exec_t, it is in rpm_script_t
/usr/sbin/libvirtd should be in virtd_exec_t, it is in bin_t

Recovering these labels with restorecon resolves this problem.

Version-Release number of selected component (if applicable):

libvirt-0.8.7-18.el6_1.4.x86_64
libvirt-client-0.8.7-18.el6_1.4.x86_64
libvirt-python-0.8.7-18.el6_1.4.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install the packages
2. Set SELinux to enforcing
3. Start a KVM image (I tried with virt-manager)
  
Actual results:

Error starting domain: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686'
on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 44, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1050, in startup
    self._backend.create()
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 511, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c610,c686'
on '/var/lib/libvirt/images/Technical_Operations-Windows_XP.raw': Permission denied


 ausearch -m avc -ts recent
----
time->Wed Apr 25 18:17:00 2012
type=SYSCALL msg=audit(1335392220.167:51422): arch=c000003e syscall=188 success=no exit=-13 a0=7fd8e400cab0 a1=34a4e162d9
a2=7fd8e800a2f0 a3=2d items=0 ppid=1 pid=3172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:initrc_t:s0
key=(null)
type=AVC msg=audit(1335392220.167:51422): avc:  denied  { relabelto } for  pid=3172 comm="libvirtd"
name="Technical_Operations-Windows_XP.raw" dev=dm-1 ino=269090 scontext=system_u:system_r:initrc_t:s0


Expected results:

No SELinux alerts.

Additional info:
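
The audit records in the description above can be triaged mechanically. The script below is an added example, not part of the original report or of libvirt: it pairs SYSCALL and AVC records by audit event id, flags denials raised by a process still running in initrc_t (as /usr/sbin/libvirtd is in the report), and prints the label check and relabel commands for that executable. The function names and the second (sshd) event are constructed for illustration.

```sh
#!/bin/sh
# Added example. Records 1-2 are the report's ausearch output with wrapped
# lines rejoined (the AVC record is cut short in the report and stays so);
# records 3-4 are constructed to show a daemon that did reach its own domain.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1335392220.167:51422): arch=c000003e syscall=188 success=no exit=-13 a0=7fd8e400cab0 a1=34a4e162d9 a2=7fd8e800a2f0 a3=2d items=0 ppid=1 pid=3172 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1335392220.167:51422): avc:  denied  { relabelto } for  pid=3172 comm="libvirtd" name="Technical_Operations-Windows_XP.raw" dev=dm-1 ino=269090 scontext=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1335392300.001:51430): arch=c000003e syscall=2 success=no exit=-13 pid=4000 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1335392300.001:51430): avc:  denied  { read } for  pid=4000 comm="sshd" name="example" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023'

# Read audit records on stdin. Print "exe<TAB>domain<TAB>denied perms" for each
# event whose process was still in initrc_t when the denial was logged. A daemon
# left in initrc_t never made its domain transition, which is consistent with a
# mislabeled executable such as the bin_t /usr/sbin/libvirtd in the report.
triage() {
    awk '
    {   # Event id is the "timestamp:serial" inside msg=audit(...).
        id = $0; sub(/^.*msg=audit[(]/, "", id); sub(/[)].*$/, "", id)
    }
    /^type=AVC / && /denied/ {
        perm = $0; sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
        perms[id] = perm
    }
    /^type=SYSCALL / {
        exe = $0;  sub(/^.* exe="/, "", exe);  sub(/".*$/, "", exe)
        subj = $0; sub(/^.* subj=/, "", subj); sub(/ .*$/, "", subj)
        split(subj, c, ":")          # user:role:type:level
        exes[id] = exe; doms[id] = c[3]
    }
    END {
        for (id in exes)
            if (doms[id] == "initrc_t" && (id in perms))
                printf "%s\t%s\t%s\n", exes[id], doms[id], perms[id]
    }'
}

# Turn triage output into the commands an admin would run next: compare each
# flagged executable with the policy default label, then reset it.
# The commands are printed, not executed.
fix_commands() {
    cut -f1 | sort -u | while read -r exe; do
        printf 'matchpathcon -V %s\nrestorecon -v %s\n' "$exe" "$exe"
    done
}

printf '%s\n' "$SAMPLE_AUDIT" | triage
printf '%s\n' "$SAMPLE_AUDIT" | triage | fix_commands
```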

Comment 2 dyuan 2012-05-24 06:17:54 UTC
I can't reproduce it with libvirt-0.9.10-20.el6 & selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 & selinux-policy-3.7.19-126.el6.

Can you provide your selinux-policy version or try it with the latest version?

Comment 3 Saulo Pedro 2012-05-24 12:31:01 UTC
The SELinux policy is selinux-policy-3.7.19-93.el6

Comment 5 Dave Allan 2012-07-18 15:36:18 UTC
(In reply to comment #2)
> I can't reproduce it with libvirt-0.9.10-20.el6 &
> selinux-policy-3.7.19-153.el6 and libvirt-0.8.7-18.el6_1.4 &
> selinux-policy-3.7.19-126.el6.
> 
> Can you provide your selinux-policy version or try it with the latest
> version?

Saulo, this behavior isn't reproducible for us, do you see it on a freshly installed system?

Comment 6 Dave Allan 2012-08-08 18:04:29 UTC
Since we can't reproduce this behavior and we don't have any further information about what's going on, I'm closing, but please feel free to reopen if the information becomes available.

