<div dir="ltr"><div><br><br><br>On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <<a href="mailto:juergh@gmail.com">juergh@gmail.com</a>> wrote:<br>><br>><br>><br>><br>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <<a href="mailto:dwalsh@redhat.com">dwalsh@redhat.com</a>> wrote:<br>
> ><br>> > -----BEGIN PGP SIGNED MESSAGE-----<br>> > Hash: SHA1<br>> ><br>> > On 03/21/2014 10:36 AM, Juerg Haefliger wrote:<br>> > > Hi,<br>> > ><br>> > > I started a VM using the official F20 cloud image, installed libvirt and<br>
> > > its dependencies and tried to create a guest but SELinux won't let me:<br>> > ><br>> > > [root@fedora-20 ~]# virsh create mini.xml error: Failed to create domain<br>> > > from mini.xml error: Input/output error<br>
> > ><br>> > > [root@fedora-20 ~]# journalctl | tail Mar 21 14:23:06 fedora-20 systemd[1]:<br>> > > SELinux policy denies access. Mar 21 14:23:06 fedora-20<br>> > > systemd-machined[7210]: Failed to start machine scope: Access denied Mar 21<br>
> > > 14:23:06 fedora-20 libvirtd[6856]: Input/output error<br>> > ><br>> > > [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log 2014-03-21<br>> > > 14:23:06.740+0000: starting up LC_ALL=C<br>
> > > PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none<br>> > > /usr/bin/qemu-system-x86_64 -name mini -S -machine<br>> > > pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp<br>
> > > 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3<br>> > > -nographic -no-user-config -nodefaults -chardev<br>> > > socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait<br>
> > > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown<br>> > > -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device<br>> > > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 2014-03-21<br>
> > > 14:23:06.744+0000: shutting down<br>> > ><br>> > ><br>> > > type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0<br>> > > auid=4294967295 ses=4294967295<br>
> > > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"<br>> > > uuid=11111111-2890-2015-1f87-cbfa725b1dd3<br>> > > vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986<br>
> > > img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux<br>> > > exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'<br>> > > type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0<br>
> > > auid=4294967295 ses=4294967295<br>> > > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"<br>> > > uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107<br>
> > > model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?<br>> > > res=success' type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0<br>> > > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:<br>
> > > denied { start } for auid=-1 uid=-1 gid=-1<br>> > > scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0<br>> > > tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?<br>
> > > terminal=?' type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856<br>> > > uid=0 auid=4294967295 ses=4294967295<br>> > > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem<br>
> > > reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0<br>> > > new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?<br>> > > res=success' type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856<br>
> > > uid=0 auid=4294967295 ses=4294967295<br>> > > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu<br>> > > reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0<br>
> > > new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?<br>> > > res=success' type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856<br>> > > uid=0 auid=4294967295 ses=4294967295<br>
> > > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start<br>> > > reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1<br>> > > exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'<br>
> > ><br>> > > I'm not overly familiar with SELinux. Is this a configuration issue? Am I<br>> > > missing some policy packages or could this be an issue with the cloud<br>> > > image?<br>
> > ><br>> > > Works fine when I disable SELinux.<br>> > ><br>> > > Google found this, but it's old and apparently resolved:<br>> > > <a href="https://bugzilla.redhat.com/show_bug.cgi?id=860235">https://bugzilla.redhat.com/show_bug.cgi?id=860235</a><br>
> > ><br>> > > Thanks ...Juerg<br>> > ><br>> > ><br>> > ><br>> > > _______________________________________________ cloud mailing list<br>> > > <a href="mailto:cloud@lists.fedoraproject.org">cloud@lists.fedoraproject.org</a><br>
> > > <a href="https://admin.fedoraproject.org/mailman/listinfo/cloud">https://admin.fedoraproject.org/mailman/listinfo/cloud</a> Fedora Code of<br>> > > Conduct: <a href="http://fedoraproject.org/code-of-conduct">http://fedoraproject.org/code-of-conduct</a><br>
> > ><br>> ><br>> > There is no SELinux data that you posted. I don't think your machine is<br>> > mislabeled. Doing the /.autorelabel dance is a waste of time.<br>> ><br>> > ausearch -m avc,user_avc -ts recent<br>
> ><br>> > After you have the problem, to see if SELinux posted any error messages.<br>> ><br>> > If there are no messages then try to turn off dontaudit rules.<br>> ><br>> > semodule -DB<br>
> > Run your test<br>> > ausearch -m avc,user_avc -ts recent<br>> ><br>><br>> This is all I get:<br>><br>> time->Mon Mar 24 10:21:18 2014<br>> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'<br>
<br><br></div>And all of 'ausearch -ts':<br><br>time->Mon Mar 24 10:26:21 2014<br>type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'<br>
----<br>time->Mon Mar 24 10:26:21 2014<br>type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'<br>
----<br>time->Mon Mar 24 10:26:21 2014<br>type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'<br>
----<br>time->Mon Mar 24 10:26:21 2014<br>type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'<br>
----<br>time->Mon Mar 24 10:26:21 2014<br>type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'<br>
----<br>time->Mon Mar 24 10:26:21 2014<br>type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'<br>
<br><div><br>><br>> <br>><br>> > And look for messages about virt.<br>> ><br>> > This will turn dontaudit rules back on.<br>> > semodule -B<br>> ><br>> ><br>> > -----BEGIN PGP SIGNATURE-----<br>
> > Version: GnuPG v1<br>> > Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/">http://www.enigmail.net/</a><br>> ><br>> > iEYEARECAAYFAlMtahAACgkQrlYvE4MpobPh4ACgymOncdUt6k7+Z5BwJObOmyLx<br>
> > hJUAn08Uow4Qh7KWL+Qg+F14ikr52ktE<br>> > =TMxx<br>> > -----END PGP SIGNATURE-----<br>> > _______________________________________________<br>> > cloud mailing list<br>> > <a href="mailto:cloud@lists.fedoraproject.org">cloud@lists.fedoraproject.org</a><br>
> > <a href="https://admin.fedoraproject.org/mailman/listinfo/cloud">https://admin.fedoraproject.org/mailman/listinfo/cloud</a><br>> > Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct">http://fedoraproject.org/code-of-conduct</a><br>
><br></div></div>