This didn't use to happen with F16, and since it's an lnk_file issue I'm betting it's due to the directory rearrangement. "virsh console [anything]" causes:

----
type=AVC msg=audit(11/28/2012 01:58:04.878:1021) : avc: denied { read } for pid=1060 comm=libvirtd name=lock dev="dm-1" ino=393491 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
----
type=AVC msg=audit(11/28/2012 01:58:04.878:1022) : avc: denied { read } for pid=1060 comm=libvirtd name=lock dev="dm-1" ino=393491 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
----
type=AVC msg=audit(11/28/2012 01:58:04.879:1023) : avc: denied { read } for pid=1060 comm=libvirtd name=lock dev="dm-1" ino=393491 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file

Which is problematic, since I need to do a special reboot of one of my VMs. :)

-Robin
Whoops, sorry, that's not the complete list, here you go:

----
type=AVC msg=audit(11/28/2012 02:06:19.725:1627) : avc: denied { read } for pid=1060 comm=libvirtd name=lock dev="dm-1" ino=393491 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
----
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { write open } for pid=1060 comm=libvirtd path=/run/lock/LCK.._pts_4 dev="tmpfs" ino=24068 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { create } for pid=1060 comm=libvirtd name=LCK.._pts_4 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { add_name } for pid=1060 comm=libvirtd name=LCK.._pts_4 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { write } for pid=1060 comm=libvirtd name=lock dev="tmpfs" ino=1210 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
----
type=AVC msg=audit(11/28/2012 02:06:21.105:1669) : avc: denied { unlink } for pid=1054 comm=libvirtd name=LCK.._pts_4 dev="tmpfs" ino=24068 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(11/28/2012 02:06:21.105:1669) : avc: denied { remove_name } for pid=1054 comm=libvirtd name=LCK.._pts_4 dev="tmpfs" ino=24068 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(11/28/2012 02:06:21.105:1669) : avc: denied { write } for pid=1054 comm=libvirtd name=lock dev="tmpfs" ino=1210 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

Note that I *just* ran a restorecon -R -F / (for unrelated reasons: relabel on boot doesn't seem to work because / is still read-only, and that was part of the upgrade to F17), so if it's a mislabelling it's not a simple one.

-Robin
In Fedora this would create a virt_lock_t.

sesearch -T -s virtd_t -t var_lock_t
Found 3 semantic te rules:
   type_transition virtd_t var_lock_t : file virt_lock_t;
   type_transition virtd_t var_lock_t : dir virt_lock_t;
   type_transition virtd_t var_lock_t : lnk_file virt_lock_t;
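Added example, not code from the bug report or from Fedora's own tooling: a small Python parser that groups the AVC records quoted above by source type, target type and object class, which is how a defender triages a burst of denials before deciding whether it is a labelling problem. The four sample records are copied from this report; the regexes and the `summarize_denials` helper are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in this bug (not a live audit log).
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/28/2012 02:06:19.725:1627) : avc: denied { read } for pid=1060 comm=libvirtd name=lock dev="dm-1" ino=393491 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { write open } for pid=1060 comm=libvirtd path=/run/lock/LCK.._pts_4 dev="tmpfs" ino=24068 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(11/28/2012 02:06:19.725:1628) : avc: denied { create } for pid=1060 comm=libvirtd name=LCK.._pts_4 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(11/28/2012 02:06:21.105:1669) : avc: denied { unlink } for pid=1054 comm=libvirtd name=LCK.._pts_4 dev="tmpfs" ino=24068 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

# Matches the permission set in braces and everything after "for", which holds key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(text):
    """Group denials by (source type, target type, class) and union their permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


if __name__ == "__main__":
    # Every group lands on var_lock_t, the type the type_transition above would have replaced.
    for (src, tgt, cls), perms in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```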
Daniel: I may be misunderstanding where you're going there, but it sounds like you're saying this wouldn't happen on Fedora, but this *is* Fedora (F17) that I'm running, so apparently not? -Robin
Added to F17.

commit 4a71e28c2ca65d396052533580a7aec8c9edc260
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 29 07:45:25 2012 +0100

    Backport virt_lock_t from F18
:D Thanks! -Robin
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17
It needs a file context specification though.
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.