Re: libvirt and SELlinux 'access denied' in a VM

On Fri, Mar 21, 2014 at 5:14 PM, Cole Robinson <crobinso@xxxxxxxxxx> wrote:
>
> On 03/21/2014 12:13 PM, Juerg Haefliger wrote:
> >
> >
> >
> > On Fri, Mar 21, 2014 at 3:40 PM, Cole Robinson <crobinso@xxxxxxxxxx
> > <mailto:crobinso@xxxxxxxxxx>> wrote:
> >>
> >> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
> >> > Hi,
> >> >
> >> > I started a VM using the official F20 cloud image, installed libvirt and its
> >> > dependencies and tried to create a guest but SELinux won't let me:
> >> >
> >> > [root@fedora-20 ~]# virsh create mini.xml
> >> > error: Failed to create domain from mini.xml
> >> > error: Input/output error
> >> >
> >> > [root@fedora-20 ~]# journalctl | tail
> >> > Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
> >> > Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start machine
> >> > scope: Access denied
> >> > Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
> >> >
> >> > [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
> >> > 2014-03-21 14:23:06.740+0000: starting up
> >> > LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
> >> > QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine
> >> > pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp
> >> > 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3
> >> > -nographic -no-user-config -nodefaults -chardev
> >> > socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait
> >> > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown
> >> > -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device
> >> > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
> >> > 2014-03-21 14:23:06.744+0000: shutting down
> >> >
> >>
> >> > msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
> >> > vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=?
> >> > addr=? terminal=? res=success'
> >> > type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295
> >> > ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start }
> >> > for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
> >> > tcontext=system_u:system_r:init_t:s0 tclass=service
> >>
> >> That's strange, not sure what caused it. Try an selinux relabel. Make sure
> >> selinux isn't disabled at startup (permissive is fine), and do:
> >>
> >> sudo touch /.autorelabel
> >> reboot
> >
> > Problem still persists. Is there a way to check that the relabeling actually
> > happened?
>
> /.autorelabel should have been removed, and boot should have been quite slow,
> with progress output printed to the tty (hit escape to see the boot output
> instead of the graphical plymouth boot).

/.autorelabel is gone. I don't have access to the tty but on the serial console I get:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.

So I assume the relabeling is happening. libvirtd is still not happy though.

...Juerg


> - Cole
>
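Added example, not part of the thread and not libvirt's or Fedora's own tooling: a POSIX shell helper that pulls the permission, source context, target context and object class out of AVC/USER_AVC audit records, so a denial like the one quoted above can be read at a glance instead of by eye. The sample record is constructed from the USER_AVC line quoted in the thread (the thread's copy is cut off after `tclass=service`, and the sample stops there too); the VIRT_CONTROL line is a constructed non-denial used to show that it is ignored. On a live host you would feed it `ausearch -m AVC,USER_AVC -ts recent` instead of the sample. One caveat worth noticing in the parsed output: both contexts are process domains (`init_t` to `init_t`, class `service`), not file labels, which is the kind of denial a filesystem relabel via `/.autorelabel` does not touch.

```shell
#!/bin/sh
# Summarize SELinux denials from audit records (added example, not from the thread).

# Constructed sample: the USER_AVC denial from the thread plus one
# unrelated VIRT_CONTROL record that must not be reported.
SAMPLE_AUDIT=$(cat <<'EOF'
type=VIRT_CONTROL msg=audit(1395412399.780:282): pid=6856 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0 msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3 vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=service
EOF
)

# summarize_denials: reads audit records on stdin and prints one line per
# denial in the form "<permission(s)> <scontext> <tcontext> <tclass>".
summarize_denials() {
    awk '
    /avc: *denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # Permissions sit between the first pair of braces.
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) {
            perm = substr($0, b + 1, e - b - 1)
            gsub(/^ +| +$/, "", perm)
        }
        # Contexts and class are key=value tokens anywhere on the line.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        sub(/\047$/, "", c)   # drop a trailing quote from a complete msg=...
        print perm, s, t, c
    }'
}

# relabel_pending: exit 0 while a relabel is still queued for next boot.
# The flag file path can be overridden for testing.
relabel_pending() {
    [ -e "${1:-/.autorelabel}" ]
}

# Stand-alone run: report the denials in the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_denials
```

Piped through a real `ausearch` run, the output lets you diff the denials before and after the relabel; if the same process-domain denial is still there, the relabel was never going to fix it and the next step is the policy (`sealert`/`audit2why` on the same records), not another reboot.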
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
