latest F19 policy update killed qemu ?

Daniel J Walsh dwalsh at redhat.com
Tue Dec 17 14:59:24 UTC 2013



On 12/16/2013 08:37 PM, Dmitry S. Makovey wrote:
> On 12/16/2013 06:17 PM, Dmitry S. Makovey wrote:
>> Hi everybody,
>> 
>> today, right after update my machine refuses to start any of the VMs it 
>> was happily running just a minute ago.
>> 
>> Some details:
>> 
>> $ rpm -qa | grep selinux-policy 
>> selinux-policy-targeted-3.12.1-74.15.fc19.noarch 
>> selinux-policy-devel-3.12.1-74.15.fc19.noarch 
>> selinux-policy-3.12.1-74.15.fc19.noarch
>> 
>> # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow
>> 
>> 
>> #============= svirt_t ==============
>> allow svirt_t virt_image_t:file read;
>> 
>> # ls -laZ /var/lib/libvirt/images/
>> drwx--x--x. qemu qemu system_u:object_r:virt_image_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
>> -rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2
>> ...
>> 
>> in other words - I see no reason why this should fail, what did I miss?
>> 
>> Should I head over to bugzilla and report?
>> 
> 
> after some tinkering I've applied svirt_image_t to /var/lib/libvirt/images
> and everything is functioning, however "restorecon -RF
> /var/lib/libvirt/images" brings everything back to virt_image_t , hmm?
> 
libvirt is supposed to change the label of a virt_image_t to
svirt_image_t:MCSLABEL  when the virtual machine is running, and then change
it back to virt_image_t when the VM is finished.  Running VMs can only
read/write svirt_image_t.  The problem is you should not be running restorecon
on this directory.

svirt_image_t is supposed to be in a type that restorecon will not change.

If you stop and restart the VM everything should be labeled correctly.

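Added example, not part of the original message: a small triage script for the kind of denial discussed in this thread. It reads AVC records and separates a guest (svirt_t) hitting an image that still carries the static virt_image_t label from a guest hitting an image labeled for a different guest, which goes beyond the single case in the thread. The audit lines, the file name web.qcow2 and the function names are constructed for illustration.

```python
import re

# Constructed sample audit records (not from the poster's machine).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1387240000.101:501): avc:  denied  { read } for  pid=4101 comm="qemu-system-x86" name="devstack-f.qcow2" dev="dm-1" ino=131 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1387240000.202:502): avc:  denied  { write } for  pid=4102 comm="qemu-system-x86" name="web.qcow2" dev="dm-1" ino=132 scontext=system_u:system_r:svirt_t:s0:c12,c345 tcontext=system_u:object_r:svirt_image_t:s0:c7,c900 tclass=file
type=AVC msg=audit(1387240000.303:503): avc:  denied  { read } for  pid=4103 comm="httpd" name="index.html" dev="dm-1" ino=133 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

STATIC_LABEL = "static-label"   # image is virt_image_t, guest needs svirt_image_t
MCS_MISMATCH = "mcs-mismatch"   # image is svirt_image_t but for another guest
OTHER = "other"

def split_context(ctx):
    """Return (type, mcs_categories) from user:role:type:level[:categories]."""
    parts = ctx.split(":")
    return parts[2], (parts[4] if len(parts) > 4 else "")

def classify(line):
    """Classify one audit line; None if it is not a guest file denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = split_context(m["scon"])
    ttype, tcats = split_context(m["tcon"])
    if stype != "svirt_t" or m["tclass"] != "file":
        return None
    if ttype == "virt_image_t":
        return m["name"], STATIC_LABEL
    if ttype == "svirt_image_t" and tcats != scats:
        return m["name"], MCS_MISMATCH
    return m["name"], OTHER

def triage(text):
    """Return (file name, verdict) for every guest file denial in text."""
    return [r for r in map(classify, text.splitlines()) if r]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_AUDIT):
        print(f"{name}: {verdict}")
```

A static-label result matches the situation in the thread: the image was relabeled to virt_image_t while a guest was using it, and stopping and restarting the VM lets libvirt apply the dynamic label again.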
