Description of problem:
tried to do basic test of guestfs-browser. It first didn't work as simple user, so I started it as root. Then this avc appeared, and I suspect that guestfs-browser is doing something weird.

Additional info:
libreport version: 2.0.18
kernel: 3.6.5-2.fc18.x86_64

description:
:SELinux is preventing /usr/bin/qemu-kvm from 'connectto' accesses on the unix_stream_socket /tmp/libguestfsY0jFYI/console.sock.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If vous pensez que qemu-kvm devrait être autorisé à accéder connectto sur console.sock unix_stream_socket par défaut.
:Then vous devriez rapporter ceci en tant qu'anomalie.
:Vous pouvez générer un module de stratégie local pour autoriser cet accès.
:Do
:autoriser cet accès pour le moment en exécutant :
:# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:svirt_t:s0:c437,c989
:Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
:Target Objects                /tmp/libguestfsY0jFYI/console.sock [ unix_stream_socket ]
:Source                        qemu-kvm
:Source Path                   /usr/bin/qemu-kvm
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           qemu-system-x86-1.2.0-19.fc18.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.11.1-46.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.5-2.fc18.x86_64 #1 SMP Thu Nov 1 00:39:17 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-11-02 10:45:14 CET
:Last Seen                     2012-11-02 10:45:14 CET
:Local ID                      3923b7ef-fc82-43a0-8b80-e656a7205d6f
:
:Raw Audit Messages
:type=AVC msg=audit(1351849514.709:4241): avc: denied { connectto } for pid=12019 comm="qemu-kvm" path="/tmp/libguestfsY0jFYI/console.sock" scontext=system_u:system_r:svirt_t:s0:c437,c989 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
:
:
:type=SYSCALL msg=audit(1351849514.709:4241): arch=x86_64 syscall=connect success=no exit=EACCES a0=4 a1=7fff77bb29a0 a2=6e a3=22 items=0 ppid=1 pid=12019 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/bin/qemu-kvm subj=system_u:system_r:svirt_t:s0:c437,c989 key=(null)
:
:Hash: qemu-kvm,svirt_t,unconfined_t,unix_stream_socket,connectto
:
:audit2allow
:
:#============= svirt_t ==============
:allow svirt_t unconfined_t:unix_stream_socket connectto;
:
:audit2allow -R
:
:#============= svirt_t ==============
:allow svirt_t unconfined_t:unix_stream_socket connectto;
Created attachment 637008
File: type

Created attachment 637009
File: hashmarkername
Which version of selinux-policy, libvirt is installed? We fixed something very similar to this a while back (bug 857453 or bug 853393). However yes in general, using libguestfs + libvirt + SELinux is problematic at the moment in F18. I'm working on fixing this.
Also, after updating libvirt, you'll need to kill *all* libvirtd processes running on your machine and do service libvirtd start.
$ rpm -q libvirt
libvirt-0.10.2.1-2.fc18.x86_64
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.11.1-46.fc18.noarch

and my laptop was freshly rebooted, but I am not sure if I did upgrade related rpms after or not. I will reboot later and let you know.
I can reproduce this fairly easily now, but for some reason only on a newly installed F18 machine. It looks like an SELinux policy bug.
This looks like a virtual machine is trying to connect to a user domain over a unix stream socket?
The VM (qemu-kvm) is trying to connect to a socket which libguestfs creates. Here is the code from the libguestfs side of things: https://github.com/libguestfs/libguestfs/blob/master/src/launch-libvirt.c#L261 I'm not sure I understand the reference to "user domain".
*** This bug has been marked as a duplicate of bug 853393 ***
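Added example, not part of the original report and not libguestfs, libvirt or setroubleshoot code: a small Python parser for the AVC record quoted in this report. It rebuilds the rule that audit2allow printed and flags that the rule covers every svirt_t guest rather than this one socket. The function names are hypothetical.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
AVC = ('type=AVC msg=audit(1351849514.709:4241): avc: denied { connectto } '
       'for pid=12019 comm="qemu-kvm" '
       'path="/tmp/libguestfsY0jFYI/console.sock" '
       'scontext=system_u:system_r:svirt_t:s0:c437,c989 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted or bare
    return rec

def split_context(ctx):
    """Split user:role:type:level; the level (s0:c437,c989) contains ':' itself."""
    user, role, setype, level = ctx.split(":", 3)
    return user, role, setype, level

def te_rule(rec):
    """Rebuild the type-enforcement rule audit2allow derives from the record."""
    src = split_context(rec["scontext"])[2]
    tgt = split_context(rec["tcontext"])[2]
    perms = rec["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{rec['tclass']} {perm};"

def guest_to_unconfined(rec):
    """True when a confined sVirt guest targets an object labeled unconfined_t.
    Loading te_rule() for such a record grants the access to every svirt_t
    process at the type-enforcement level, not only to this appliance."""
    return (split_context(rec["scontext"])[2] == "svirt_t"
            and split_context(rec["tcontext"])[2] == "unconfined_t")

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["comm"], "->", rec["path"])
    print(te_rule(rec))
    if guest_to_unconfined(rec):
        print("review before loading: rule is not specific to this socket")
```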