Bug 828335 - qemu requires rawip socket access which is blocked by SELinux
qemu requires rawip socket access which is blocked by SELinux
Product: Fedora
Classification: Fedora
Component: qemu (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Fedora Virtualization Maintainers
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-06-04 12:06 EDT by Dirk Hohndel
Modified: 2013-01-09 07:02 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-09-11 07:49:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
VM config file (2.86 KB, text/xml)
2012-06-04 12:06 EDT, Dirk Hohndel
no flags Details
network config file (319 bytes, text/plain)
2012-06-04 12:08 EDT, Dirk Hohndel
no flags Details

  None (edit)
Description Dirk Hohndel 2012-06-04 12:06:17 EDT
Created attachment 589198 [details]
VM config file

Description of problem:

After importing a working VM from a previous installation (opensuse) into Fedora 17, running this VM from virt-manager with an SELinux error. Closer analysis shows that SELinux is rejecting rawip socket access - this happens at least once a second, basically freezing the system and preventing the VM from working 

Version-Release number of selected component (if applicable):


How reproducible:

Happens every time I start the vm

Steps to Reproduce:
1. open virt-manager
2. start VM
3. observe errors
Actual results:

type=AVC msg=audit(1338425056.093:180): avc:  denied  { create } for  pid=1792 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c828,c902 tcontext=system_u:system_r:svirt_t:s0:c828,c902 tclass=rawip_socket

I get one of these messages about every second in the /var/log/audit/audit.log file

Expected results:

a working VM

Additional info:

here's the command line used (according to the qemu log file)

LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /usr/bin/qemu-kvm -S -M pc-0.14 -cpu core2duo,+lahf_lm,+rdtscp,+aes,+popcnt,+x2apic,+sse4.2,+sse4.1,+xtpr,
+cx16,+tm2,+est,+vmx,+ds_cpl,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 1280 -smp 2,sockets=2,cores=1,threads=1 -name ITVM -uuid c6c00f22-3c8b-f2b5-eb96-facd1facaefa -node
fconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/ITVM.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localt
ime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/dev/sda8,if=none,id=drive-ide0-0-0,format=raw -device ide-drive,bus=ide.0,unit=0,drive=
drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:e7:2a:94,bus=pci.0,addr=0x3 -chardev pty,id=ch
arserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc -vga std -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
Comment 1 Dirk Hohndel 2012-06-04 12:08:12 EDT
Created attachment 589199 [details]
network config file
Comment 2 Paolo Bonzini 2012-09-11 06:20:32 EDT
You're actually not using the libvirt network; you're using usermode (slirp) networking.

As a workaround, or perhaps a fix, please switch from usermode to tap networking.  It will also be much faster, and virt-manager will configure everything for you.

Note You need to log in before you can comment on or make changes to this bug.