libvirt and SELinux 'access denied' in a VM

Cole Robinson crobinso at redhat.com
Fri Mar 21 16:14:59 UTC 2014


On 03/21/2014 12:13 PM, Juerg Haefliger wrote:
> 
> On Fri, Mar 21, 2014 at 3:40 PM, Cole Robinson <crobinso at redhat.com
> <mailto:crobinso at redhat.com>> wrote:
>>
>> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
>> > Hi,
>> >
>> > I started a VM using the official F20 cloud image, installed libvirt and its
>> > dependencies and tried to create a guest but SELinux won't let me:
>> >
>> > [root at fedora-20 ~]# virsh create mini.xml
>> > error: Failed to create domain from mini.xml
>> > error: Input/output error
>> >
>> > [root at fedora-20 ~]# journalctl | tail
>> > Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
>> > Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine
>> > scope: Access denied
>> > Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
>> >
>> > [root at fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
>> > 2014-03-21 14:23:06.740+0000: starting up
>> > LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
>> > QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine
>> > pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp
>> > 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3
>> > -nographic -no-user-config -nodefaults -chardev
>> > socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait
>> > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown
>> > -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device
>> > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
>> > 2014-03-21 14:23:06.744+0000: shutting down
>> >
>>
>> > msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
>> > vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=?
>> > addr=? terminal=? res=success'
>> > type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295
>> > ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start }
>> > for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
>> > tcontext=system_u:system_r:init_t:s0 tclass=service
>>
>> That's strange, not sure what caused it. Try an selinux relabel. Make sure
>> selinux isn't disabled at startup (permissive is fine), and do:
>>
>> sudo touch /.autorelabel
>> reboot
> 
> Problem still persists. Is there a way to check that the relabeling actually
> happened?

/.autorelabel should have been removed, and boot should have been quite slow,
with progress output printed to the tty (hit escape to see the boot output
instead of the graphical plymouth boot).

- Cole
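As an added example (not part of the thread, and not libvirt's or Fedora's own tooling), the checks below turn Cole's "the flag file should be gone and boot should have been slow" answer into something scriptable: whether /.autorelabel is still present, what mode the kernel reports SELinux in, what restorecon would still change under the libvirt directories, and a parser that pulls the permission, source context, target context and object class out of AVC records such as the USER_AVC line Juerg posted. The ROOT argument is a hypothetical parameter so the first two checks can be exercised against a test tree; on the real guest call `report /`. The sample audit records are constructed: the first is the denial from Juerg's output joined onto one line, the second is a made-up non-denial record to show that it is ignored. restorecon and ausearch are only used when present.

```shell
#!/bin/sh
# Added example: verify that an SELinux autorelabel completed and pull the
# interesting fields out of AVC denials. ROOT is a hypothetical parameter
# (default /) so the file-based checks can run against a test tree.

# 0 if /.autorelabel is still present, i.e. the relabel has not run yet.
autorelabel_pending() {
    root=${1:-/}
    [ -e "${root%/}/.autorelabel" ]
}

# Prints the mode the kernel reports: "disabled" when selinuxfs is not
# mounted (a relabel cannot happen in that state), else enforcing/permissive.
selinux_mode() {
    root=${1:-/}
    enforce="${root%/}/sys/fs/selinux/enforce"
    if [ ! -r "$enforce" ]; then
        echo disabled
    elif [ "$(cat "$enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Reads audit records (files given as arguments, or stdin) and prints one
# line per AVC denial: "<perm> <scontext> <tcontext> <tclass>".
avc_denials() {
    awk '
    # Value of key=... up to the next space or closing quote.
    function field(line, key,   n) {
        if (!match(line, key "=[^ \047]+")) return "?"
        n = length(key) + 1
        return substr(line, RSTART + n, RLENGTH - n)
    }
    /avc: +denied/ {
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        } else {
            perm = "?"
        }
        print perm, field($0, "scontext"), field($0, "tcontext"), field($0, "tclass")
    }' "$@"
}

# Constructed sample input: line 1 is the USER_AVC record from the thread
# joined onto one line; line 2 is a made-up non-denial record.
sample_audit() {
    cat <<'EOF'
type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service'
type=SERVICE_START msg=audit(1395412399.790:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=libvirtd comm="systemd" hostname=? addr=? terminal=? res=success'
EOF
}

# Human-readable summary for the host; restorecon/ausearch parts are skipped
# when the tools are not installed.
report() {
    root=${1:-/}
    if autorelabel_pending "$root"; then
        echo "relabel NOT done: ${root%/}/.autorelabel still present"
    else
        echo "relabel trigger file gone"
    fi
    echo "selinux mode: $(selinux_mode "$root")"
    if command -v restorecon >/dev/null 2>&1; then
        echo "files restorecon would still relabel (dry run, nothing changed):"
        restorecon -n -v -R /etc/libvirt /var/lib/libvirt /var/log/libvirt
    fi
    if command -v ausearch >/dev/null 2>&1; then
        echo "recent AVC denials (perm scontext tcontext tclass):"
        ausearch -m avc,user_avc -ts recent 2>/dev/null | avc_denials
    fi
}

case "${1:-}" in
    report) report "${2:-/}" ;;
esac
```

Run as `sh check_relabel.sh report /` on the guest. For the denial in the thread the parser prints `start system_u:system_r:init_t:s0 system_u:system_r:init_t:s0 service`: both contexts are the systemd domain and the class is `service`, so what is being refused is systemd starting the machine scope for libvirtd, which is why the error surfaces through systemd-machined rather than as a file-access failure.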


