Bug 987225 - SELinux prevents virt-sandbox QEMU session from starting due to kernel label
Status: CLOSED DUPLICATE of bug 903593
Product: Fedora
Classification: Fedora
Component: libvirt-sandbox
Version: 19
Assigned To: Daniel Berrange
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-22 23:00 EDT by Dimitris
Modified: 2013-12-16 14:08 EST (History)
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-12-16 14:08:35 EST

Attachments: None

Description Dimitris 2013-07-22 23:00:22 EDT
Description of problem:

$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted
$ ls -Z /boot/vmlinuz-3.9.9-302.fc19.x86_64
-rwxr-xr-x. root root system_u:object_r:boot_t:s0      /boot/vmlinuz-3.9.9-302.fc19.x86_64

Version-Release number of selected component (if applicable):

Name        : libvirt-sandbox
Arch        : x86_64
Version     : 0.2.0
Release     : 1.fc19

Name        : selinux-policy-targeted
Arch        : noarch
Version     : 3.12.1
Release     : 65.fc19

Name        : libvirt
Arch        : x86_64
Version     : 1.0.5.2
Release     : 1.fc19

How reproducible:

Always.

Steps to Reproduce:
Run the /bin/date example above.

Actual results:


Expected results:


Additional info:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Comment 1 Daniel Walsh 2013-07-24 18:22:00 EDT
virt-sandbox should not be doing any SELinux stuff unless the user requests it; it should preferably run in the user's context (unconfined_t or staff_t).
Comment 2 Dimitris 2013-07-24 19:13:42 EDT
That's where it's running:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: unable to set security context 'system_u:object_r:virt_content_t:s0' on '/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted
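The description and Comment 2 show three things side by side: the label libvirt tried to apply ('system_u:object_r:virt_content_t:s0'), the label the kernel image actually carries (boot_t, from ls -Z), and the caller's own context from id -Z. The following is an added triage helper for this thread, not code from libvirt, libvirt-sandbox or the SELinux userspace. It parses those three strings as quoted in the report and reports the type mismatch; the split handles the MLS/MCS range, which itself contains colons (s0-s0:c0.c1023), so a naive split on ':' would miscount the fields. It only states what was attempted versus what is present; the reason the kernel returned EPERM is not recoverable from this output and would need the audit log, which the report does not include. The five-column ls -Z layout it parses is the one shown in the report; the set of "user" types it checks for is the pair named in Comment 1.

```python
"""Triage helper for the SELinux relabel failure reported in this bug.

Added example for this thread; not code from libvirt, libvirt-sandbox or
the SELinux userspace.  Sample strings are the ones quoted in the report.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Strings quoted in the report (description and Comment 2).
LIBVIRT_ERROR = (
    "Unable to start sandbox: Failed to create domain: unable to set security "
    "context 'system_u:object_r:virt_content_t:s0' on "
    "'/boot/vmlinuz-3.9.9-302.fc19.x86_64': Operation not permitted"
)
LS_Z_LINE = ("-rwxr-xr-x. root root system_u:object_r:boot_t:s0      "
             "/boot/vmlinuz-3.9.9-302.fc19.x86_64")
ID_Z = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

# Types Comment 1 says virt-sandbox should stay in unless SELinux handling is requested.
USER_TYPES = {"unconfined_t", "staff_t"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: Optional[str]   # MLS/MCS level or range; None on a non-MLS policy


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:range].

    The range itself contains colons ("s0-s0:c0.c1023"), so only the first
    three separators are significant and the remainder is kept intact.
    """
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, type_, *rest = parts
    return Context(user, role, type_, rest[0] if rest else None)


_RELABEL_RE = re.compile(r"unable to set security context '([^']+)' on '([^']+)'")


def parse_relabel_error(msg: str) -> Optional[tuple]:
    """Return (wanted Context, path) from libvirt's relabel failure, else None."""
    m = _RELABEL_RE.search(msg)
    if not m:
        return None
    return parse_context(m.group(1)), m.group(2)


def parse_ls_z(line: str) -> tuple:
    """Parse one `ls -Z` line in the five-column layout shown in the report:
    mode owner group context path."""
    fields = line.split(None, 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected ls -Z layout: {line!r}")
    return parse_context(fields[3]), fields[4]


def diagnose(error_msg: str, ls_z_line: str) -> dict:
    """Compare the label libvirt wanted with the label the file has."""
    parsed = parse_relabel_error(error_msg)
    if parsed is None:
        raise ValueError("not a libvirt relabel failure")
    wanted, err_path = parsed
    actual, ls_path = parse_ls_z(ls_z_line)
    if err_path != ls_path:
        raise ValueError(f"ls -Z line is for {ls_path!r}, error is about {err_path!r}")
    return {
        "path": err_path,
        "wanted_type": wanted.type,
        "actual_type": actual.type,
        "type_mismatch": wanted.type != actual.type,
        "range_mismatch": (wanted.mls or "") != (actual.mls or ""),
    }


def runs_in_user_type(id_z: str) -> bool:
    """True if `id -Z` shows one of the types Comment 1 asks virt-sandbox to keep."""
    return parse_context(id_z).type in USER_TYPES


if __name__ == "__main__":
    for key, value in diagnose(LIBVIRT_ERROR, LS_Z_LINE).items():
        print(f"{key}: {value}")
    print("caller in user type:", runs_in_user_type(ID_Z))
```

Run against the report's strings it reports wanted_type virt_content_t, actual_type boot_t and type_mismatch True, and confirms the caller is in unconfined_t, which is exactly the situation Comment 2 describes.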
Comment 3 Dimitris 2013-07-24 21:12:29 EDT
Hang on, I had seen this and yet somehow managed to forget it while experimenting.

From http://fedoraproject.org/wiki/QA:Testcase_VirtSandbox_CommonSetup :

> Disable SELinux. This will be resolved in a future update

>  # setenforce 0 

Is that still applicable?  Setting to permissive does make this work.
Comment 4 Dimitris 2013-08-06 22:33:50 EDT
BTW, this used to work when run as root, but no longer as of today:

$ sudo virt-sandbox -c qemu:///session /bin/date
Unable to start sandbox: Failed to create domain: Unable to read from monitor: Connection reset by peer


in the log:

Aug 06 19:22:41 gaspode libvirtd[2171]: Unable to read from monitor: Connection reset by peer
Aug 06 19:22:42 gaspode libvirtd[2171]: cannot lookup default selinux label for /tmp/libvirt-sandbox-initrd-hdJqwS
Comment 5 Dimitris 2013-08-07 12:42:33 EDT
No changes with libvirt-1.0.5.5-1.fc19
Comment 6 Cole Robinson 2013-12-16 14:08:35 EST

*** This bug has been marked as a duplicate of bug 903593 ***
