Bug 987225 - SELinux prevents virt-sandbox QEMU session from starting due to kernel label
Keywords:
Status: CLOSED DUPLICATE of bug 903593
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt-sandbox
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Daniel Berrangé
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-23 03:00 UTC by Dimitris
Modified: 2013-12-16 19:08 UTC (History)
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-16 19:08:35 UTC
Type: Bug
Embargoed:



Description Dimitris 2013-07-23 03:00:22 UTC
Description of problem:

$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted
$ ls -Z /boot/vmlinuz-3.9.9-302.fc19.x86_64
-rwxr-xr-x. root root system_u:object_r:boot_t:s0      /boot/vmlinuz-3.9.9-302.fc19.x86_64

Version-Release number of selected component (if applicable):

Name        : libvirt-sandbox
Arch        : x86_64
Version     : 0.2.0
Release     : 1.fc19

Name        : selinux-policy-targeted
Arch        : noarch
Version     : 3.12.1
Release     : 65.fc19

Name        : libvirt
Arch        : x86_64
Version     : 1.0.5.2
Release     : 1.fc19

How reproducible:

Always.

Steps to Reproduce:
Run the /bin/date example above.

Actual results:


Expected results:


Additional info:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 1 Daniel Walsh 2013-07-24 22:22:00 UTC
virt-sandbox should not be doing any SELinux stuff unless the user requests it; it should preferably run in the user's context (unconfined_t or staff_t).

Comment 2 Dimitris 2013-07-24 23:13:42 UTC
That's where it's running:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted

Comment 3 Dimitris 2013-07-25 01:12:29 UTC
Hang on, I had seen this and yet somehow managed to forget it while experimenting.

From http://fedoraproject.org/wiki/QA:Testcase_VirtSandbox_CommonSetup :

> Disable SELinux. This will be resolved in a future update

>  # setenforce 0 

Is that still applicable?  Setting to permissive does make this work.
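The failure in the description (libvirt asking to relabel the host kernel image from boot_t to virt_content_t and being refused while enforcing) and the setenforce 0 workaround quoted in comment 3 are easier to triage from the label strings than by switching the whole host to permissive. The POSIX shell helper below is an added example, not code from this bug or from libvirt-sandbox: it parses libvirt's error text, the `ls -Z` line and an AVC denial line into a type-to-type relabel summary. The error and `ls -Z` lines are copied from the report; the AVC line (and its pid, comm, dev and ino values) is constructed for illustration. Run it with no arguments to analyse the embedded samples, or with `--live` on an SELinux host to print the current mode and any recent relabel denials found by ausearch.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report or libvirt-sandbox.
# Turns the label strings of a failed relabel into a one-line summary so
# the denial can be read before deciding whether setenforce 0 is warranted.

# Lines copied from the bug report.
SAMPLE_ERR="Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted"
SAMPLE_LSZ='-rwxr-xr-x. root root system_u:object_r:boot_t:s0      /boot/vmlinuz-3.9.9-302.fc19.x86_64'
# Constructed AVC line: pid, comm, dev and ino are invented for illustration.
SAMPLE_AVC='type=AVC msg=audit(1374548422.123:456): avc:  denied  { relabelfrom } for  pid=4242 comm="libvirtd" name="vmlinuz-3.9.9-302.fc19.x86_64" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=file'

# Type field of a full context user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "<requested context>|<path>" from libvirt's "unable to set security context" error.
relabel_request() {
    printf '%s\n' "$1" |
        sed -n "s/.*unable to set security context '\([^']*\)' on '\([^']*\)'.*/\1|\2/p"
}

# Context column of an `ls -Z` line (4th field in the report's ls output format).
lsz_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# "<permission>|<source type>|<target type>" from an AVC denial line.
avc_summary() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied *{ *\([a-z_]*\) *}.*scontext=\([^ ]*\) .*tcontext=\([^ ]*\) .*/\1|\2|\3/p' |
        awk -F'|' '{ split($2, s, ":"); split($3, t, ":"); print $1 "|" s[3] "|" t[3] }'
}

# One line describing the relabel libvirt attempted: current type -> requested type.
explain_relabel() {
    req=$(relabel_request "$1")
    [ -n "$req" ] || { echo "no relabel request found in error text"; return 1; }
    want=$(ctx_type "${req%%|*}")
    have=$(ctx_type "$(lsz_context "$2")")
    printf 'relabel %s -> %s on %s\n' "$have" "$want" "${req#*|}"
}

# Live check on an SELinux host: show the mode and recent relabel denials.
# Only uses tools that exist; with ausearch absent it prints nothing further.
live_check() {
    command -v getenforce >/dev/null 2>&1 && printf 'mode: %s\n' "$(getenforce)"
    command -v ausearch >/dev/null 2>&1 || return 0
    ausearch -m avc -ts recent 2>/dev/null | grep -E 'relabel(from|to)' |
        while IFS= read -r line; do avc_summary "$line"; done
}

case "${1-}" in
    --live) live_check ;;
    *)      explain_relabel "$SAMPLE_ERR" "$SAMPLE_LSZ"
            avc_summary "$SAMPLE_AVC" ;;
esac
```

The summary shows the pair of types involved (here boot_t to virt_content_t) and, from the AVC line, which permission on which type was refused, which is the information needed to decide between a policy change for that one transition and the blanket permissive mode the wiki setup page suggests.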

Comment 4 Dimitris 2013-08-07 02:33:50 UTC
BTW, this used to work when run as root, but no longer as of today:

$ sudo virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: Unable to read from monitor: Connection reset by peer


in the log:

Aug 06 19:22:41 gaspode libvirtd[2171]: Unable to read from monitor: Connection reset by peer
Aug 06 19:22:42 gaspode libvirtd[2171]: cannot lookup default selinux label for /tmp/libvirt-sandbox-initrd-hdJqwS

Comment 5 Dimitris 2013-08-07 16:42:33 UTC
No changes with libvirt-1.0.5.5-1.fc19

Comment 6 Cole Robinson 2013-12-16 19:08:35 UTC

*** This bug has been marked as a duplicate of bug 903593 ***

