Bug 828335 - qemu requires rawip socket access which is blocked by SELinux
Summary: qemu requires rawip socket access which is blocked by SELinux
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 17
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-04 16:06 UTC by Dirk Hohndel
Modified: 2013-01-09 12:02 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-11 11:49:45 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
VM config file (2.86 KB, text/xml)
2012-06-04 16:06 UTC, Dirk Hohndel 		no flags Details
network config file (319 bytes, text/plain)
2012-06-04 16:08 UTC, Dirk Hohndel 		no flags Details
View All

Description Dirk Hohndel 2012-06-04 16:06:17 UTC 
Created attachment 589198 [details]
VM config file

Description of problem:

After importing a working VM from a previous installation (opensuse) into Fedora 17, running this VM from virt-manager with an SELinux error. Closer analysis shows that SELinux is rejecting rawip socket access - this happens at least once a second, basically freezing the system and preventing the VM from working 

Version-Release number of selected component (if applicable):

qemu-kvm-1.0-17.fc17.x86_64

How reproducible:

Happens every time I start the vm

Steps to Reproduce:
1. open virt-manager
2. start VM
3. observe errors
  
Actual results:

type=AVC msg=audit(1338425056.093:180): avc:  denied  { create } for  pid=1792 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c828,c902 tcontext=system_u:system_r:svirt_t:s0:c828,c902 tclass=rawip_socket

I get one of these messages about every second in the /var/log/audit/audit.log file

Expected results:

a working VM

Additional info:

here's the command line used (according to the qemu log file)

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /usr/bin/qemu-kvm -S -M pc-0.14 -cpu core2duo,+lahf_lm,+rdtscp,+aes,+popcnt,+x2apic,+sse4.2,+sse4.1,+xtpr,
+cx16,+tm2,+est,+vmx,+ds_cpl,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 1280 -smp 2,sockets=2,cores=1,threads=1 -name ITVM -uuid c6c00f22-3c8b-f2b5-eb96-facd1facaefa -node
fconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/ITVM.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localt
ime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/dev/sda8,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=
drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:e7:2a:94,bus=pci.0,addr=0x3 -chardev pty,id=ch
arserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -vga std -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
Comment 1 Dirk Hohndel 2012-06-04 16:08:12 UTC 
Created attachment 589199 [details]
network config file
Comment 2 Paolo Bonzini 2012-09-11 10:20:32 UTC 
You're actually not using the libvirt network; you're using usermode (slirp) networking.

As a workaround, or perhaps a fix, please switch from usermode to tap networking.  It will also be much faster, and virt-manager will configure everything for you.
Note You need to log in before you can comment on or make changes to this bug.