On Mon, Mar 24, 2014 at 1:14 PM, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> On 03/24/2014 06:28 AM, Juerg Haefliger wrote:
>
> On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <juergh(a)gmail.com <mailto:juergh@gmail.com>> wrote:
>>
>> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwalsh(a)redhat.com <mailto:dwalsh@redhat.com>> wrote:
>>>
> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
>> Hi,
>
>> I started a VM using the official F20 cloud image, installed libvirt and
>> its dependencies and tried to create a guest but SELinux won't let me:
>
>> [root@fedora-20 ~]# virsh create mini.xml
>> error: Failed to create domain from mini.xml
>> error: Input/output error
>
>> [root@fedora-20 ~]# journalctl | tail
>> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
>> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
>> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
>
>> [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
>> 2014-03-21 14:23:06.740+0000: starting up
>> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
>> 2014-03-21 14:23:06.744+0000: shutting down
>
>
>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>
>> I'm not overly familiar with SELinux. Is this a configuration issue? Am
>> I missing some policy packages or could this be an issue with the cloud
>> image?
>
>> Works fine when I disable SELinux.
>
>> Google found this, but it's old and apparently resolved:
>> https://bugzilla.redhat.com/show_bug.cgi?id=860235
>
>> Thanks ...Juerg
>
>> _______________________________________________
>> cloud mailing list
>> cloud(a)lists.fedoraproject.org <mailto:cloud@lists.fedoraproject.org>
>> https://admin.fedoraproject.org/mailman/listinfo/cloud
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>
>
> There is no SELinux data that you posted. I don't think your machine is
> mislabeled. Doing the /.autorelabel dance is a waste of time.
>
> ausearch -m avc,user_avc -ts recent
>
> After you have the problem, to see if SELinux posted any error messages.
>
> If there are no messages then try to turn off dontaudit rules.
>
> semodule -DB
> Run your test
> ausearch -m avc,user_avc -ts recent
>
>>
>> This is all I get:
>>
>> time->Mon Mar 24 10:21:18 2014
>> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>
>
>> And all of 'ausearch -ts':
>
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
>> ----
>> time->Mon Mar 24 10:26:21 2014
>> type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
>
> And look for messages about virt.
>
> This will turn dontaudit rules back on.
> semodule -B
> That AVC does not seem to be related. What AVCs did you see when you
> disabled the dontaudit rules?

There's only one (the last one) with dontaudit rules enabled and disabled:
[root@fedora-20 ~]# semodule -DB ; date ; virsh create mini.xml ; ausearch -m avc,user_avc -ts recent | tail -n 9
Mon Mar 24 12:44:17 UTC 2014
error: Failed to create domain from mini.xml
error: Input/output error
----
time->Mon Mar 24 12:42:29 2014
type=USER_AVC msg=audit(1395664949.793:23448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 24 12:44:17 2014
type=USER_AVC msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 24 12:44:18 2014
type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
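Added example, not from this thread or from the audit or libvirt projects: a small Python parser for the ausearch records quoted above that pulls scontext, tcontext, tclass and the denied permission out of each record and flags whether any context belongs to a virt domain, which is the check behind the observation that the init_t to init_t service-start denial does not involve libvirt's domains. The sample records are copied from the thread; the function names and the "virt" substring test are my own.

```python
import re

# Constructed sample: three records copied from the ausearch output quoted in
# this thread (systemd's USER_AVC denial, its policyload notice and libvirt's
# VIRT_CONTROL record for the failed start of "mini").
SAMPLE = """\
type=USER_AVC msg=audit(1395665058.000:23464): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1395665057.999:23463): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
"""

HEAD_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
NESTED_RE = re.compile(r"msg='([^']*)'")          # the quoted msg='...' payload
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')       # key=value or key="value"
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into header fields, outer fields and the nested msg='...' fields."""
    head = HEAD_RE.match(line)
    if not head:
        return None                      # not an audit record (e.g. a '----' separator)
    rec = {"type": head.group(1), "time": float(head.group(2)),
           "serial": int(head.group(3)), "nested": {}, "denied": []}
    nested = NESTED_RE.search(line)
    outer = line[head.end():nested.start()] if nested else line[head.end():]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(outer))
    if nested:
        body = nested.group(1)
        rec["nested"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        m = DENIED_RE.search(body)
        if m:                            # 'denied { start }' -> ['start']
            rec["denied"] = m.group(1).split()
    return rec


def is_virt_related(rec):
    """True when libvirt emitted the record or a virt/svirt SELinux domain appears in it."""
    ctxs = (rec.get("subj", ""), rec["nested"].get("scontext", ""),
            rec["nested"].get("tcontext", ""))
    return rec["type"].startswith("VIRT_") or any("virt" in c for c in ctxs)


def denials(text):
    """Parsed records that carry an AVC denial, ordered by audit serial."""
    recs = (parse_record(ln) for ln in text.splitlines())
    return sorted((r for r in recs if r and r["denied"]), key=lambda r: r["serial"])
```

`denials(SAMPLE)` yields only serial 23464, and `is_virt_related` on it returns False because every context in that record is init_t.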