Description of problem:
Ran: virt-sandbox -v -c qemu:///session /bin/date

Also got a similar error trying to read mounts.cfg

SELinux is preventing /usr/bin/qemu-system-x86_64 from 'getattr' accesses on the file /home/crobinso/.cache/libvirt-sandbox/sandbox/config/mounts.cfg.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-system-x86_64 should be allowed getattr access on the mounts.cfg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep pool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:svirt_t:s0:c273,c815
Target Context                unconfined_u:object_r:cache_home_t:s0
Target Objects                /home/crobinso/.cache/libvirt-sandbox/sandbox/config/mounts.cfg [ file ]
Source                        pool
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-1.4.2-4.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-300.fc19.x86_64 #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-02 12:18:40 EDT
Last Seen                     2013-07-02 12:18:40 EDT
Local ID                      031693a5-f85b-4477-a6de-47290444d426

Raw Audit Messages
type=AVC msg=audit(1372781920.443:708): avc:  denied  { getattr } for  pid=9006 comm="pool" path="/home/crobinso/.cache/libvirt-sandbox/sandbox/config/mounts.cfg" dev="sda2" ino=3670953 scontext=unconfined_u:system_r:svirt_t:s0:c273,c815 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file

type=SYSCALL msg=audit(1372781920.443:708): arch=x86_64 syscall=lstat success=yes exit=0 a0=7ffdd67f1de0 a1=7ffdd67f3ef0 a2=7ffdd67f3ef0 a3=c items=0 ppid=1 pid=9006 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 ses=2 tty=(none) comm=pool exe=/usr/bin/qemu-system-x86_64 subj=unconfined_u:system_r:svirt_t:s0:c273,c815 key=(null)

Hash: pool,svirt_t,cache_home_t,file,getattr

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.8-300.fc19.x86_64
type:           libreport
I think we need libvirt-sandbox to launch qemu guests with some label other than svirt_t. svirt_t really will only work well with a full qemu guest OS on an image, not on a pass-through file system. That being said, we should probably label ~/.cache/libvirt-sandbox with something like virt_home_t.
1c18f0e8996586f98eefef5b6314bd16a1c116a1 adds labeling for ~/.cache/libvirt-sandbox as virt_home_t, which would solve this AVC.

sesearch -A -s svirt_t -t virt_home_t -c file
Found 1 semantic av rules:
   allow virt_domain virt_home_t : file { ioctl getattr lock append open } ;
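As an added illustration (not code from the report, from setroubleshoot or from selinux-policy), the script below parses the raw AVC line from the description, renders the te rule that audit2allow would generate from it, and checks the denial against the sesearch rule quoted in the previous comment, to show that the getattr permission is covered once the file carries virt_home_t but not while it carries cache_home_t. The rule table, the second sample AVC line and all function names are constructed for this example; the rule is keyed on svirt_t on the assumption, consistent with the sesearch output above, that svirt_t reaches it through the virt_domain attribute.

```python
import re

# Constructed sample input: the AVC line from the description above, joined
# onto one line, plus a second constructed denial with several permissions.
SAMPLE_AVC = (
    'type=AVC msg=audit(1372781920.443:708): avc:  denied  { getattr } for  '
    'pid=9006 comm="pool" '
    'path="/home/crobinso/.cache/libvirt-sandbox/sandbox/config/mounts.cfg" '
    'dev="sda2" ino=3670953 scontext=unconfined_u:system_r:svirt_t:s0:c273,c815 '
    'tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file'
)
SAMPLE_AVC_MULTI = (
    'type=AVC msg=audit(1372781921.100:709): avc:  denied  { read open } for  '
    'pid=9006 comm="pool" path="/home/crobinso/.cache/libvirt-sandbox/x" '
    'dev="sda2" ino=1 scontext=unconfined_u:system_r:svirt_t:s0:c273,c815 '
    'tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file'
)

# Hypothetical policy table mirroring the sesearch result quoted in the
# thread: (source type, target type, object class, permission set).
VIRT_HOME_RULES = [
    ('svirt_t', 'virt_home_t', 'file',
     {'ioctl', 'getattr', 'lock', 'append', 'open'}),
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Extract result, permissions, source/target types and class from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = set(d['perms'].split())
    d['stype'] = context_type(d['scontext'])
    d['ttype'] = context_type(d['tcontext'])
    return d


def allow_rule(avc):
    """Render the te allow rule audit2allow would emit for one denial."""
    perms = ' '.join(sorted(avc['perms']))
    if len(avc['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'],
                                   avc['tclass'], perms)


def covered_by(avc, rules):
    """True if some rule grants every permission the denial asked for."""
    key = (avc['stype'], avc['ttype'], avc['tclass'])
    return any((s, t, c) == key and avc['perms'] <= p
               for s, t, c, p in rules)


def covered_after_relabel(avc, new_ttype, rules):
    """Would the same access be allowed if the target carried new_ttype?"""
    relabeled = dict(avc, ttype=new_ttype)
    return covered_by(relabeled, rules)


if __name__ == '__main__':
    for line in (SAMPLE_AVC, SAMPLE_AVC_MULTI):
        avc = parse_avc(line)
        print(allow_rule(avc))
        print('  covered as-is:           ', covered_by(avc, VIRT_HOME_RULES))
        print('  covered with virt_home_t:',
              covered_after_relabel(avc, 'virt_home_t', VIRT_HOME_RULES))
```

Run against the description's AVC line it prints `allow svirt_t cache_home_t:file getattr;`, which is the blanket rule the catchall plugin would have you load with audit2allow; the relabel check shows the same access is already permitted by the existing virt_domain rule once the directory is labeled virt_home_t, which is why the fcontext change is the right fix rather than a local module. The second constructed line shows that a denial asking for `{ read open }` is not covered by that rule either way, since read is absent from it.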
*** This bug has been marked as a duplicate of bug 1000813 ***