Description of problem:
Got the following error when running vm with spice display on vdsm host:

libvirtError: internal error process exited while connecting to monitor: ((null):3330): Spice-Warning **: reds.c:3167:reds_init_ssl: Could not load certificates from /etc/pki/vdsm/libvirt-spice/server-cert.pem
qemu-kvm: failed to initialize spice server

also see the following message in audit.log:

type=AVC msg=audit(1356504472.725:5193): avc: denied { open } for pid=12286 comm="qemu-kvm" path="/etc/pki/vdsm/libvirt-spice/server-cert.pem" dev="dm-0" ino=132076 scontext=system_u:system_r:svirt_t:s0:c149,c218 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

And it's verified that the following TE rule can fix the problem:

grep qemu-kvm /var/log/audit/audit.log | audit2allow

#============= svirt_t ==============
allow svirt_t cert_t:file { read getattr open };

But this problem doesn't happen on fedora 17. The cert file has the same selinux file context and it doesn't have an explicit allow rule for that in the policy. I don't know what causes the break.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.11.1-67.fc18.noarch (problematic version)
selinux-policy-targeted-3.10.0-161.fc17.noarch (no problem with this version)

How reproducible:
always

Steps to Reproduce:
Actually it also can be reproduced when running vm via libvirt:
1. configure the vm using spice as display
2. enable tls in qemu.conf by uncommenting the following two lines:
spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
3. configure tls cert for spice. Actually, you can just create a fake cert file server-cert.pem under /etc/pki/libvirt-spice and make sure it's accessible by qemu.
4. Start vm and then you can see the avc denied message in audit.log

Actual results:

Expected results:

Additional info:
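Added example, not part of the bug report: a small Python parser that turns AVC denial records like the one above into TE allow rules the way audit2allow aggregates them, which helps in reviewing exactly which permissions a denial asks for before deciding whether a policy update (as happened here) or a local module is the right fix. The audit lines are constructed after the record in the report; the read and getattr denials are assumed so that the three-permission rule from the report is reproduced.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the AVC line in the bug report.
# The read/getattr records are assumed extra denials, not taken from the page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1356504472.725:5193): avc:  denied  { open } for  pid=12286 comm="qemu-kvm" path="/etc/pki/vdsm/libvirt-spice/server-cert.pem" dev="dm-0" ino=132076 scontext=system_u:system_r:svirt_t:s0:c149,c218 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356504472.725:5194): avc:  denied  { read } for  pid=12286 comm="qemu-kvm" path="/etc/pki/vdsm/libvirt-spice/server-cert.pem" dev="dm-0" ino=132076 scontext=system_u:system_r:svirt_t:s0:c149,c218 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1356504472.725:5195): avc:  denied  { getattr } for  pid=12286 comm="qemu-kvm" path="/etc/pki/vdsm/libvirt-spice/server-cert.pem" dev="dm-0" ino=132076 scontext=system_u:system_r:svirt_t:s0:c149,c218 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1356504472.725:5193): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial, optionally filtered by comm."""
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL and other record types
        if comm is not None and f'comm="{comm}"' not in line:
            continue  # same effect as the report's `grep qemu-kvm`
        m = AVC_RE.search(line)
        if not m:
            continue
        # An SELinux context is user:role:type[:range]; the type is the third field,
        # so the MCS categories on svirt_t (c149,c218) are dropped here as audit2allow does.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), m.group("perms").split()

def allow_rules(log_text, comm=None):
    """Aggregate denials per (source type, target type, class) into TE allow rules."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text, comm):
        perms_by_key[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG, comm="qemu-kvm"):
        print(rule)
```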
No problem found when manually running qemu-kvm command with the same spice options on fedora18. So probably the problem is related to svirt.
Fixed in selinux-policy-targeted-3.11.1-68.fc18.noarch
selinux-policy-3.11.1-69.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-69.fc18
Package selinux-policy-3.11.1-69.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-69.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0147/selinux-policy-3.11.1-69.fc18
then log in and leave karma (feedback).
Could you please give a little bit of explanation about why we don't need the rule to allow svirt_t access to cert_t on fedora17? Thank you very much!
Mark, we are tightening up the security on svirt_t. We eliminated auth_use_nsswitch(svirt_t) since it was too loose, and this caused the bug you are seeing.
Daniel, Got it. Many thanks!
selinux-policy-3.11.1-71.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-71.fc18
selinux-policy-3.11.1-71.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.