libvirt and SELinux 'access denied' in a VM

Daniel J Walsh dwalsh at redhat.com
Sat Mar 22 10:46:40 UTC 2014

On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
> Hi,
> 
> I started a VM using the official F20 cloud image, installed libvirt and
> its dependencies and tried to create a guest but SELinux won't let me:
> 
> [root@fedora-20 ~]# virsh create mini.xml
> error: Failed to create domain from mini.xml
> error: Input/output error
> 
> [root@fedora-20 ~]# journalctl | tail
> Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
> Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
> Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
> 
> [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
> 2014-03-21 14:23:06.740+0000: starting up
> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
> 2014-03-21 14:23:06.744+0000: shutting down
> 
> 
> type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
> 
> I'm not overly familiar with SELinux. Is this a configuration issue? Am I 
> missing some policy packages or could this be an issue with the cloud
> image?
> 
> Works fine when I disable SELinux.
> 
> Google found this, but it's old and apparently resolved: 
> https://bugzilla.redhat.com/show_bug.cgi?id=860235
> 
> Thanks ...Juerg
> 

There is no SELinux data that you posted.  I don't think your machine is
mislabeled.  Doing the /.autorelabel dance is a waste of time.

ausearch -m avc,user_avc -ts recent

After you have the problem, to see if SELinux posted any error messages.

If there are no messages then try to turn off dontaudit rules.

semodule -DB
Run your test
ausearch -m avc,user_avc -ts recent

And look for messages about virt.

This will turn dontaudit rules back on.
semodule -B
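The ausearch output the reply asks for comes back as type=AVC and type=USER_AVC records like the ones quoted in the question. As an added example that is not part of the thread, here is a small Python parser that pulls the decision, permissions and source/target contexts out of such records and applies the "look for messages about virt" filter; SAMPLE_AUDIT is constructed from the quoted USER_AVC plus one made-up kernel-style AVC line, and every function name is my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the USER_AVC record and two VIRT_* records quoted in the
# question above, plus one constructed kernel-style AVC line so the parser is
# exercised on both record shapes that ausearch prints.
SAMPLE_AUDIT = """\
type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" res=success'
type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" vm-pid=-1 exe="/usr/sbin/libvirtd" res=failed'
type=AVC msg=audit(1395412400.100:287): avc:  denied  { read } for  pid=6900 comm="qemu-system-x86" name="mini.img" scontext=system_u:system_r:svirt_tcg_t:s0:c728,c986 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""
_HEAD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\([\d.]+:(?P<serial>\d+)\):")
_AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
_KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_avc_records(text: str) -> List[Dict[str, object]]:
    """One dict per record carrying an AVC decision (type=AVC or type=USER_AVC).
    VIRT_*, SYSCALL and similar records have no 'avc: denied/granted' body and
    are skipped: they are audit trail, not access-control decisions."""
    records = []
    for line in text.splitlines():
        head, avc = _HEAD_RE.match(line), _AVC_RE.search(line)
        if not head or not avc:
            continue
        rec: Dict[str, object] = {"type": head["type"], "serial": int(head["serial"]),
                                  "decision": avc["decision"], "perms": avc["perms"].split()}
        # key=value pairs after the permission set: scontext, tcontext, tclass, exe, comm ...
        for key, val in _KV_RE.findall(line[avc.end():]):
            rec[key] = val.strip("\"'")
        records.append(rec)
    return records


def denials(records: List[Dict[str, object]], hint: Optional[str] = None) -> List[Dict[str, object]]:
    """Denied decisions only. With hint (e.g. 'virt', the reply's 'look for messages
    about virt' step) keep only those whose contexts or program mention it."""
    hits = []
    for rec in records:
        fields = " ".join(str(rec.get(k, "")) for k in ("scontext", "tcontext", "exe", "comm"))
        if rec["decision"] == "denied" and (hint is None or hint in fields):
            hits.append(rec)
    return hits


def summarize(rec: Dict[str, object]) -> str:
    """One line per denial: source -> target, object class and permissions."""
    return (f"{rec['type']} #{rec['serial']}: {rec['scontext']} -> {rec['tcontext']} "
            f"class={rec['tclass']} perms={','.join(rec['perms'])}")
```

Run over the quoted records, the parser shows the USER_AVC is raised by systemd (scontext init_t, class service, permission start) rather than by a virt domain, so a context filter on "virt" does not match it; check the unfiltered denial list before narrowing.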
