Description of problem:

$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted

$ ls -Z /boot/vmlinuz-3.9.9-302.fc19.x86_64
-rwxr-xr-x. root root system_u:object_r:boot_t:s0 /boot/vmlinuz-3.9.9-302.fc19.x86_64

Version-Release number of selected component (if applicable):

Name    : libvirt-sandbox
Arch    : x86_64
Version : 0.2.0
Release : 1.fc19

Name    : selinux-policy-targeted
Arch    : noarch
Version : 3.12.1
Release : 65.fc19

Name    : libvirt
Arch    : x86_64
Version : 1.0.5.2
Release : 1.fc19

How reproducible:
Always.

Steps to Reproduce:
1. Run the /bin/date example above.

Actual results:

Expected results:

Additional info:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
virt-sandbox should not be doing any SELinux stuff unless the user requests it; it should preferably run in the user's context (unconfined_t or staff_t).
That's where it's running:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted
Hang on, I had seen this and yet somehow managed to forget it while experimenting. From http://fedoraproject.org/wiki/QA:Testcase_VirtSandbox_CommonSetup :

> Disable SELinux. This will be resolved in a future update
> # setenforce 0

Is that still applicable? Setting to permissive does make this work.
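The failure in the report and the permissive-mode workaround above come down to one comparison: the type libvirt wants on the kernel image (virt_content_t) versus the type the file carries (boot_t), with the active SELinux mode deciding whether the mismatch is fatal. The script below is an added example, not code from the bug report or from libvirt-sandbox; the helper names (ctx_field, error_context, error_path, ls_context, sestatus_mode, diagnose) are my own, and the sample strings are constructed copies of the output quoted in the report so the script runs without a live SELinux host.

```shell
#!/bin/sh
# Added diagnostic helpers (not part of the bug report or of libvirt-sandbox).
# They pull apart a libvirt "unable to set security context" failure and
# compare the label libvirt wanted with the label the file carries. The inputs
# at the bottom are constructed copies of the strings in the report, so the
# script needs no SELinux to run; on a real host feed it live output instead.

# Field N of an SELinux context "user:role:type:level"
# (1=user 2=role 3=type 4=level).
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# The context libvirt tried to apply, taken from the error line.
error_context() {
    printf '%s\n' "$1" | sed -n "s/.*security context '\([^']*\)' on '.*/\1/p"
}

# The path libvirt tried to relabel, taken from the error line.
error_path() {
    printf '%s\n' "$1" | sed -n "s/.*on '\([^']*\)': .*/\1/p"
}

# The context a file currently carries, from one line of `ls -Z` output
# (coreutils layout: mode user group context path).
ls_context() {
    printf '%s\n' "$1" | awk '{print $4}'
}

# The running mode reported by `sestatus` ("enforcing", "permissive",
# or empty if the line is missing).
sestatus_mode() {
    printf '%s\n' "$1" | sed -n 's/^Current mode:[[:space:]]*//p'
}

# Summarise the failure. Prints one word:
#   relabel-blocked  types differ and SELinux is enforcing (hard failure)
#   relabel-audited  types differ but SELinux is permissive (logged only)
#   label-ok         the file already carries the requested type
diagnose() {
    want=$(ctx_field "$(error_context "$1")" 3)
    have=$(ctx_field "$(ls_context "$2")" 3)
    mode=$(sestatus_mode "$3")
    if [ "$have" = "$want" ]; then
        echo label-ok
    elif [ "$mode" = "enforcing" ]; then
        echo relabel-blocked
    else
        echo relabel-audited
    fi
}

# Constructed sample input, copied from the report.
SAMPLE_ERR="Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted"
SAMPLE_LS="-rwxr-xr-x. root root system_u:object_r:boot_t:s0 /boot/vmlinuz-3.9.9-302.fc19.x86_64"
SAMPLE_SESTATUS="SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing"

# Live use would be:
#   diagnose "$err" "$(ls -Z "$(error_path "$err")")" "$(sestatus)"
diagnose "$SAMPLE_ERR" "$SAMPLE_LS" "$SAMPLE_SESTATUS"
```

With the report's strings this prints relabel-blocked; swapping the sestatus sample for a permissive host yields relabel-audited, which matches the observation that setenforce 0 makes the command succeed.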
BTW, this used to work when run as root, but no longer as of today:

$ sudo virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: Unable to read from monitor: Connection reset by peer

In the log:

Aug 06 19:22:41 gaspode libvirtd[2171]: Unable to read from monitor: Connection reset by peer
Aug 06 19:22:42 gaspode libvirtd[2171]: cannot lookup default selinux label for /tmp/libvirt-sandbox-initrd-hdJqwS
No change with libvirt-1.0.5.5-1.fc19.
*** This bug has been marked as a duplicate of bug 903593 ***