latest F19 policy update killed qemu ?
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 17 14:59:24 UTC 2013
On 12/16/2013 08:37 PM, Dmitry S. Makovey wrote:
> On 12/16/2013 06:17 PM, Dmitry S. Makovey wrote:
>> Hi everybody,
>>
>> today, right after update my machine refuses to start any of the VMs it
>> was happily running just a minute ago.
>>
>> Some details:
>>
>> $ rpm -qa | grep selinux-policy
>> selinux-policy-targeted-3.12.1-74.15.fc19.noarch
>> selinux-policy-devel-3.12.1-74.15.fc19.noarch
>> selinux-policy-3.12.1-74.15.fc19.noarch
>>
>> # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= svirt_t ==============
>> allow svirt_t virt_image_t:file read;
>>
>> # ls -laZ /var/lib/libvirt/images/
>> drwx--x--x. qemu qemu system_u:object_r:virt_image_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
>> -rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2
>> ...
>>
>> in other words - I see no reason why this should fail, what did I miss?
>>
>> Should I head over to bugzilla and report?
>>
>
> after some tinkering I've applied svirt_image_t to /var/lib/libvirt/images
> and everything is functioning, however "restorecon -RF
> /var/lib/libvirt/images" brings everything back to virt_image_t , hmm?
>
libvirt is supposed to change the label of a virt_image_t to
svirt_image_t:MCSLABEL when the virtual machine is running, and then change
it back to virt_image_t when the VM is finished. Running VMs can only
read/write svirt_image_t. The problem is you should not be running restorecon
on this directory.
svirt_image_t is supposed to be in a type that restorecon will not change.
If you stop and restart the VM everything should be labeled correctly.
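The labeling rule described in the reply above, as an added example that is not part of the original thread: a small checker that compares the context of a running qemu process (a `ps -eZ` line) with the context of its disk image (an `ls -Z` line). The function names, the sample lines and the MCS category values are constructed for illustration, and the check is a simplified model of the rule as stated in the reply, not an evaluation of the real policy.

```python
import re

# user:role:type:level, where level is s0 or s0:c1,c2 (constructed pattern)
CONTEXT_RE = re.compile(r"\b\w+:\w+:(\w+):(s\d+(?::[c\d,.]+)?)")

def type_and_cats(line):
    """Return (type, set of MCS categories) for the first SELinux context in a line."""
    m = CONTEXT_RE.search(line)
    if not m:
        raise ValueError("no SELinux context in: " + line)
    setype, level = m.groups()
    _, _, cats = level.partition(":")
    # Simplification: category ranges such as c0.c1023 are not expanded.
    return setype, (set(cats.split(",")) if cats else set())

def check_image(proc_line, file_line):
    """Simplified model: a running VM only reads/writes svirt_image_t with its own MCS label."""
    ptype, pcats = type_and_cats(proc_line)
    ftype, fcats = type_and_cats(file_line)
    if ptype != "svirt_t":
        return "not-a-confined-vm"
    if ftype != "svirt_image_t":
        return "wrong-type"    # e.g. image reset to virt_image_t while the VM is running
    if fcats != pcats:
        return "mcs-mismatch"  # image carries another VM's category pair
    return "ok"

# Constructed sample input (not taken from the thread's system)
QEMU_PROC = "system_u:system_r:svirt_t:s0:c392,c662 2211 ? 00:01:07 qemu-system-x86"
IMAGES = {
    "labeled by libvirt": "-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c392,c662 devstack-f.qcow2",
    "after restorecon -RF": "-rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2",
    "other VM's image": "-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0:c10,c20 other.qcow2",
}

def report():
    """Map each constructed sample to the checker's verdict."""
    return {name: check_image(QEMU_PROC, line) for name, line in IMAGES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:22} {verdict}")
```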