Description of problem: If you create a temporary directory under /tmp, eg. /tmp/foo, then set TMPDIR=/tmp/foo, qemu-kvm cannot start up. This is because /tmp/foo will have this label: unconfined_u:object_r:user_tmp_t:s0 and the current policy denies writes to this. (See AVCs at the end). qemu wants to create and access temporary files in $TMPDIR but cannot do so. This doesn't seem to make much sense -- qemu really ought to be able to write to user temporary directories. In addition the libguestfs test suite relies on setting $TMPDIR so that we can run the test suite in parallel without two runs disturbing each other. This bug prevents us from running the test suite with SELinux enforcing (it is actually the very last bug that stops us from doing so). Version-Release number of selected component (if applicable): selinux-policy-3.11.1-7.fc18.noarch qemu-1.2.0-3.fc18.x86_64 How reproducible: 100% Steps to Reproduce: 1. Run the test case in bug 859596. or: 1. Start up qemu as non-root with $TMPDIR set to a subdirectory of /tmp Additional info: AVCs from a couple of runs of qemu-kvm with SELinux set to Permissive: type=MAC_STATUS msg=audit(1348570108.116:17255): enforcing=0 old_enforcing=1 auid=1000 ses=355 type=SYSCALL msg=audit(1348570108.116:17255): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3699d000 a2=1 a3=7fff3699cd68 items=0 ppid=19997 pid=19998 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=355 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=USER_END msg=audit(1348570108.121:17256): pid=19997 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=AVC msg=audit(1348570139.187:17257): avc: denied { write } for pid=21024 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-nss9ny3ms2xirsqj.log" dev="dm-5" ino=1851174 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file type=SYSCALL msg=audit(1348570139.187:17257): arch=c000003e syscall=59 success=yes exit=0 a0=7f03040c36f0 a1=7f03040c3d70 a2=7f03040c4f50 a3=7f03248d8980 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null) type=AVC msg=audit(1348570139.254:17258): avc: denied { write } for pid=21024 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570139.254:17258): avc: denied { add_name } for pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570139.254:17258): avc: denied { create } for pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=AVC msg=audit(1348570139.254:17258): avc: denied { read write open } for pid=21024 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/EcIMm_ulWi/vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570139.254:17258): arch=c000003e syscall=2 success=yes exit=14 a0=7fff2df663a0 a1=c2 a2=180 a3=3b9f5f5f0a05 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null) type=AVC msg=audit(1348570139.266:17259): avc: denied { remove_name } for pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570139.266:17259): avc: denied { unlink } for pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570139.266:17259): arch=c000003e syscall=87 success=yes exit=0 a0=7fff2df663a0 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null) type=AVC msg=audit(1348570140.452:17260): avc: denied { write } for pid=21040 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-q63bcuxolnjzvcuc.log" dev="dm-5" ino=1851175 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file type=SYSCALL msg=audit(1348570140.452:17260): arch=c000003e syscall=59 success=yes exit=0 a0=7f02f4001a90 a1=7f02f4002110 a2=7f02f4006f70 a3=7f03240d7980 items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null) type=AVC msg=audit(1348570140.510:17261): avc: denied { write } for pid=21040 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570140.510:17261): avc: denied { add_name } for pid=21040 comm="qemu-kvm" name="vl.reDL2u" scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570140.510:17261): avc: denied { create } for pid=21040 comm="qemu-kvm" name="vl.reDL2u" scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=AVC msg=audit(1348570140.510:17261): avc: denied { read write open } for pid=21040 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/EcIMm_ulWi/vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570140.510:17261): arch=c000003e syscall=2 success=yes exit=14 a0=7fff90f2a180 a1=c2 a2=180 a3=3b9f739e678e items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null) type=AVC msg=audit(1348570140.532:17262): avc: denied { remove_name } for pid=21040 comm="qemu-kvm" name="vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570140.532:17262): avc: denied { unlink } for pid=21040 comm="qemu-kvm" name="vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570140.532:17262): arch=c000003e syscall=87 success=yes exit=0 a0=7fff90f2a180 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null) type=AVC msg=audit(1348570199.403:17263): avc: denied { write } for pid=22117 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-lcanus5i9qgd014i.log" dev="dm-5" ino=1851176 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file type=SYSCALL msg=audit(1348570199.403:17263): arch=c000003e syscall=59 success=yes exit=0 a0=7f94d80c9590 a1=7f94d80c9c10 a2=7f94d80c8c90 a3=7f94f7a10980 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null) type=AVC msg=audit(1348570199.465:17264): avc: denied { write } for pid=22117 comm="qemu-kvm" name="GUWMN9pzZM" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570199.465:17264): avc: denied { add_name } for pid=22117 comm="qemu-kvm" name="vl.4NpQ50" scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570199.465:17264): avc: denied { create } for pid=22117 comm="qemu-kvm" name="vl.4NpQ50" scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=AVC msg=audit(1348570199.465:17264): avc: denied { read write open } for pid=22117 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/GUWMN9pzZM/vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570199.465:17264): arch=c000003e syscall=2 success=yes exit=14 a0=7fffa77e37d0 a1=c2 a2=180 a3=3ba033a9d5e9 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null) type=AVC msg=audit(1348570199.477:17265): avc: denied { remove_name } for pid=22117 comm="qemu-kvm" name="vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570199.477:17265): avc: denied { unlink } for pid=22117 comm="qemu-kvm" name="vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570199.477:17265): arch=c000003e syscall=87 success=yes exit=0 a0=7fffa77e37d0 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null) type=AVC msg=audit(1348570200.638:17266): avc: denied { write } for pid=22133 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-5ltmwrucxh0gdl0u.log" dev="dm-5" ino=1851177 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file type=SYSCALL msg=audit(1348570200.638:17266): arch=c000003e syscall=59 success=yes exit=0 a0=7f94d4001da0 a1=7f94d4002420 a2=7f94d4006e40 a3=7f94f720f980 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null) type=AVC msg=audit(1348570200.698:17267): avc: denied { write } for pid=22133 comm="qemu-kvm" name="GUWMN9pzZM" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570200.698:17267): avc: denied { add_name } for pid=22133 comm="qemu-kvm" name="vl.GQBaWm" scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570200.698:17267): avc: denied { create } for pid=22133 comm="qemu-kvm" name="vl.GQBaWm" scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=AVC msg=audit(1348570200.698:17267): avc: denied { read write open } for pid=22133 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/GUWMN9pzZM/vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570200.698:17267): arch=c000003e syscall=2 success=yes exit=14 a0=7fff602add30 a1=c2 a2=180 a3=3ba046e6f8d4 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null) type=AVC msg=audit(1348570200.710:17268): avc: denied { remove_name } for pid=22133 comm="qemu-kvm" name="vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=AVC msg=audit(1348570200.710:17268): avc: denied { unlink } for pid=22133 comm="qemu-kvm" name="vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file type=SYSCALL msg=audit(1348570200.710:17268): arch=c000003e syscall=87 success=yes exit=0 a0=7fff602add30 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null) type=USER_CMD msg=audit(1348570275.428:17269): pid=22180 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd="getenforce" terminal=pts/1 res=success' type=CRED_ACQ msg=audit(1348570275.431:17270): pid=22181 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=USER_START msg=audit(1348570275.439:17271): pid=22181 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=USER_END msg=audit(1348570275.450:17272): pid=22180 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=USER_CMD msg=audit(1348570281.828:17273): pid=22182 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=736574656E666F72636520456E666F7263696E67 terminal=pts/1 res=success' type=CRED_ACQ msg=audit(1348570281.832:17274): pid=22183 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success' type=USER_START msg=audit(1348570281.836:17275): pid=22183 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
Fixed in selinux-policy-3.11.1-25.fc18.noarch You also have a mislabeled directory in your homedir. restorecon -R -v ~/.cache
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18
Package selinux-policy-3.11.1-25.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-25.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-14807/selinux-policy-3.11.1-25.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-25.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.