libvirt and SELinux 'access denied' in a VM

Juerg Haefliger juergh at gmail.com
Mon Mar 24 10:28:58 UTC 2014


On Mon, Mar 24, 2014 at 11:23 AM, Juerg Haefliger <juergh at gmail.com> wrote:
>
> On Sat, Mar 22, 2014 at 11:46 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
> > > Hi,
> > >
> > > I started a VM using the official F20 cloud image, installed libvirt and
> > > its dependencies and tried to create a guest but SELinux won't let me:
> > >
> > > [root at fedora-20 ~]# virsh create mini.xml
> > > error: Failed to create domain from mini.xml
> > > error: Input/output error
> > >
> > > [root at fedora-20 ~]# journalctl | tail
> > > Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
> > > Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine scope: Access denied
> > > Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
> > >
> > > [root at fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
> > > 2014-03-21 14:23:06.740+0000: starting up
> > > LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
> > > 2014-03-21 14:23:06.744+0000: shutting down
> > >
> > > type=VIRT_MACHINE_ID msg=audit(1395412399.728:281): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c728,c986 img-ctx=system_u:object_r:svirt_image_t:s0:c728,c986 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> > > type=VIRT_MACHINE_ID msg=audit(1395412399.728:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> > > type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> > > type=VIRT_RESOURCE msg=audit(1395412400.015:284): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> > > type=VIRT_RESOURCE msg=audit(1395412400.015:285): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0 new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
> > > type=VIRT_CONTROL msg=audit(1395412400.015:286): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
> > >
> > > I'm not overly familiar with SELinux. Is this a configuration issue? Am I
> > > missing some policy packages or could this be an issue with the cloud image?
> > >
> > > Works fine when I disable SELinux.
> > >
> > > Google found this, but it's old and apparently resolved:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=860235
> > >
> > > Thanks ...Juerg
> > >
> > > _______________________________________________
> > > cloud mailing list
> > > cloud at lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/cloud
> > > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> >
> > There is no SELinux data that you posted.  I don't think your machine is
> > mislabeled.  Doing the /.autorelabel dance is a waste of time.
> >
> > ausearch -m avc,user_avc -ts recent
> >
> > After you have the problem, to see if SELinux posted any error messages.
> >
> > If there are no messages then try to turn off dontaudit rules.
> >
> > semodule -DB
> > Run your test
> > ausearch -m avc,user_avc -ts recent
> >
>
> This is all I get:
>
> time->Mon Mar 24 10:21:18 2014
> type=USER_AVC msg=audit(1395656478.686:22577): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'


And all of 'ausearch -ts':

time->Mon Mar 24 10:26:21 2014
type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"
uuid=11111111-2890-2015-1f87-cbfa725b1dd3
vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495
img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux
exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
----
time->Mon Mar 24 10:26:21 2014
type=VIRT_MACHINE_ID msg=audit(1395656781.041:22606): pid=529 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm="mini"
uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107
model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
----
time->Mon Mar 24 10:26:21 2014
type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295
ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start
} for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=service
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 24 10:26:21 2014
type=VIRT_RESOURCE msg=audit(1395656781.285:22608): pid=529 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=mem
reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-mem=0
new-mem=1048576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?
res=success'
----
time->Mon Mar 24 10:26:21 2014
type=VIRT_RESOURCE msg=audit(1395656781.285:22609): pid=529 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu resrc=vcpu
reason=start vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 old-vcpu=0
new-vcpu=1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=?
res=success'
----
time->Mon Mar 24 10:26:21 2014
type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start
reason=booted vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1
exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'


>
> > And look for messages about virt.
> >
> > This will turn dontaudit rules back on.
> > semodule -B
> >
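The `ausearch -m avc,user_avc` / `semodule -DB` routine Dan describes produces raw audit records like the ones Juerg pasted. As an added example (not code from the thread, from libvirt, or from any Fedora tool), here is a small Python parser that reads such records, pulls the source and target types, object class and permission out of the USER_AVC denial, and pairs a VIRT_CONTROL `res=failed` record with any denial logged shortly before it, which is the correlation a reader does by eye when triaging a failed domain start. The sample records are copied from the thread; the field layout the parser assumes (space-separated key=value pairs with the AVC text nested in `msg='...'`) and the one-second correlation window are my assumptions.

```python
import re
from datetime import datetime, timezone

# Sample records, copied from the thread's 'ausearch -ts' output (each joined onto one line).
SAMPLE_RECORDS = [
    "type=VIRT_MACHINE_ID msg=audit(1395656781.041:22605): pid=529 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu vm=\"mini\" "
    "uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=system_u:system_r:svirt_tcg_t:s0:c135,c495 "
    "img-ctx=system_u:object_r:svirt_image_t:s0:c135,c495 model=selinux exe=\"/usr/sbin/libvirtd\" "
    "hostname=? addr=? terminal=? res=success'",
    "type=USER_AVC msg=audit(1395656781.044:22607): pid=1 uid=0 auid=4294967295 ses=4294967295  "
    "subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 "
    "scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=VIRT_CONTROL msg=audit(1395656781.286:22610): pid=529 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=qemu op=start reason=booted vm=\"mini\" "
    "uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-pid=-1 exe=\"/usr/sbin/libvirtd\" hostname=? addr=? "
    "terminal=? res=failed'",
]

# Record header: type=X msg=audit(SECONDS.MILLIS:SERIAL): <fields>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value fields; a value is single-quoted (the nested msg), double-quoted, or bare.
FIELD_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val>'[^']*'|\"[^\"]*\"|\S+)")
# Body of an AVC message: avc:  denied  { perm ... } for key=value ...
AVC_RE = re.compile(
    r"^avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)


def parse_fields(text):
    """Turn a run of key=value pairs into a dict, stripping surrounding quotes."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        val = m.group("val")
        if len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]:
            val = val[1:-1]
        fields[m.group("key")] = val
    return fields


def parse_record(line):
    """Parse one audit record; the nested msg='...' becomes rec['avc'] or rec['virt']."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {
        "type": m.group("type"),
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "fields": parse_fields(m.group("rest")),
    }
    inner = rec["fields"].pop("msg", None)
    if inner is not None:
        avc = AVC_RE.match(inner)
        if avc:
            rec["avc"] = {
                "decision": avc.group("decision"),
                "perms": avc.group("perms").split(),
                **parse_fields(avc.group("rest")),
            }
        else:
            rec["virt"] = parse_fields(inner)  # libvirt's VIRT_* records
    return rec


def selinux_type(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(lines):
    """List every denial as source type, target type, class, permissions and executable."""
    out = []
    for rec in map(parse_record, lines):
        avc = rec.get("avc")
        if avc and avc["decision"] == "denied":
            out.append({
                "serial": rec["serial"],
                "source": selinux_type(avc["scontext"]),
                "target": selinux_type(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "exe": avc.get("exe"),
            })
    return out


def failed_vm_starts(lines, window_s=1.0):
    """Pair each VIRT_CONTROL res=failed record with denials logged up to window_s before it."""
    records = [parse_record(line) for line in lines]
    denials = [r for r in records if r.get("avc", {}).get("decision") == "denied"]
    out = []
    for rec in records:
        virt = rec.get("virt")
        if rec["type"] != "VIRT_CONTROL" or not virt or virt.get("res") != "failed":
            continue
        near = [d["serial"] for d in denials
                if 0 <= (rec["time"] - d["time"]).total_seconds() <= window_s]
        out.append({"vm": virt.get("vm"), "op": virt.get("op"), "denials": near})
    return out


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_RECORDS):
        print(f"denied {d['perms']} {d['source']} -> {d['target']} ({d['tclass']}) by {d['exe']}")
    for f in failed_vm_starts(SAMPLE_RECORDS):
        print(f"vm {f['vm']!r} {f['op']} failed; denials just before it: {f['denials']}")
```

Run on the thread's records it reports a single denial, `start` on class `service` with both source and target type `init_t`, and ties it to the failed `start` of vm `mini`; feeding it the output of `ausearch -m avc,user_avc -ts recent` after `semodule -DB` would show the same correlation for whatever the dontaudit rules had been hiding.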