Re: Virtqemud wants to unlink /dev/urandom

On Thu, Feb 24, 2022 at 01:41:50PM +0100, Nikola Knazekova wrote:
Hi,

when I am creating a virtual machine on a system with the new SELinux policy for
Libvirt, I am getting this error message:

Unable to complete install: 'Unable to create device /dev/urandom: File exists'
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/createvm.py", line 2001, in _do_async_install
    installer.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 701, in start_install
    domain = self._create_guest(
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 649, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python3.10/site-packages/libvirt.py", line 4393, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: Unable to create device /dev/urandom: File exists

And an SELinux denial, where SELinux prevents virtqemud from unlinking the
character device /dev/urandom:

time->Wed Feb 23 19:30:33 2022
type=PROCTITLE msg=audit(1645662633.819:930): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=PATH msg=audit(1645662633.819:930): item=1 name="/dev/urandom" inode=6 dev=00:44 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1645662633.819:930): item=0 name="/dev/" inode=1 dev=00:44 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1645662633.819:930): cwd="/"
type=SYSCALL msg=audit(1645662633.819:930): arch=c000003e syscall=87 success=no exit=-13 a0=7f9418064f50 a1=7f943909c930 a2=7f941d0ef6d4 a3=0 items=2 ppid=6722 pid=7196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-worker" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1645662633.819:930): avc:  denied  { unlink } for pid=7196 comm="rpc-worker" name="urandom" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0

Is this expected behavior?


The error is not, but creating and removing /dev/urandom is fine, as long
as it happens in the mount namespace of the domain, which we create and
in which we therefore also need to create some basic /dev structure.

Unfortunately this error does not show whether it is happening in the
mount namespace, although it should definitely _not_ happen outside of it.

Does this happen on a clean install?  What is the version of libvirt and
the SELinux policy?  What's the distro+version of the system?  Would you
mind capturing the debug logs and attaching them?

How to capture debug logs: https://libvirt.org/kbase/debuglogs.html

Thanks,
Nikola

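A triage helper for the audit event quoted in this thread, added here as an example and not part of the original messages nor of libvirt or virt-manager. It groups raw audit records by event id, decodes the hex-encoded proctitle (audit hex-encodes it when the command line contains NUL separators), maps the x86_64 syscall number and errno to names, and flags the record as the create/remove-under-/dev pattern the reply describes. The sample records are the ones from the report; the partial syscall table, the driver type list (virtd_t next to the logged virtqemud_t), the permission set and the classification heuristic are this script's own assumptions. What it deliberately cannot answer is the question the reply raises: the audit record carries no mount-namespace identifier, so it cannot tell whether the unlink happened inside the domain's namespace or on the host's /dev.

```python
"""Triage an SELinux AVC event from raw audit records (added example, not libvirt code)."""
import errno
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')

# Partial x86_64 table (arch=c000003e in the record). Assumption: only the
# calls a per-domain /dev setup is likely to make are listed here.
X86_64_SYSCALLS = {83: "mkdir", 87: "unlink", 133: "mknod", 165: "mount",
                   263: "unlinkat", 272: "unshare"}

# virtqemud_t appears in the log; virtd_t (monolithic libvirtd) is an assumption.
LIBVIRT_DRIVER_TYPES = {"virtqemud_t", "virtd_t"}
# Assumed set of permissions a driver needs to (re)create device nodes.
DEV_SETUP_PERMS = {"create", "unlink", "setattr", "relabelfrom", "relabelto"}

# Constructed sample: the records from the report, one record per line.
SAMPLE_AUDIT = """\
time->Wed Feb 23 19:30:33 2022
type=PROCTITLE msg=audit(1645662633.819:930): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=PATH msg=audit(1645662633.819:930): item=1 name="/dev/urandom" inode=6 dev=00:44 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1645662633.819:930): item=0 name="/dev/" inode=1 dev=00:44 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1645662633.819:930): cwd="/"
type=SYSCALL msg=audit(1645662633.819:930): arch=c000003e syscall=87 success=no exit=-13 a0=7f9418064f50 a1=7f943909c930 a2=7f941d0ef6d4 a3=0 items=2 ppid=6722 pid=7196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-worker" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1645662633.819:930): avc:  denied  { unlink } for pid=7196 comm="rpc-worker" name="urandom" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
"""


def parse_records(text):
    """Group audit lines by event id; each entry is (record type, fields dict)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # e.g. the "time->" header ausearch prints
        fields = {}
        for key, val in FIELD_RE.findall(line):
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
            fields[key] = val
        if fields.get("type") == "AVC":
            pm = PERMS_RE.search(line)  # the "{ unlink }" permission list
            fields["perms"] = pm.group(1).split() if pm else []
        events[m.group(1)].append((fields.get("type"), fields))
    return events


def decode_proctitle(value):
    """Hex-encoded proctitle -> argv list; a plain (quoted) title is passed through."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value] if value else []
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def summarize(records):
    """Flatten one event's records into the facts a triager needs."""
    by_type = defaultdict(list)
    for rtype, fields in records:
        by_type[rtype].append(fields)
    avc, sysc = by_type["AVC"][0], by_type["SYSCALL"][0]
    title = by_type["PROCTITLE"][0].get("proctitle", "") if by_type["PROCTITLE"] else ""
    # The PATH item with nametype=DELETE is the object the unlink targeted.
    target = next((p["name"] for p in by_type["PATH"] if p.get("nametype") == "DELETE"), None)
    exit_code = int(sysc["exit"])
    return {
        "proctitle": decode_proctitle(title),
        "exe": sysc.get("exe"), "pid": int(sysc["pid"]), "ppid": int(sysc["ppid"]),
        "syscall": X86_64_SYSCALLS.get(int(sysc["syscall"]), "#" + sysc["syscall"]),
        "errno": errno.errorcode.get(-exit_code, str(exit_code)) if exit_code < 0 else "OK",
        "scontext": avc["scontext"], "tcontext": avc["tcontext"],
        "tclass": avc["tclass"], "denied": avc["perms"],
        "target": target, "permissive": avc.get("permissive") == "1",
    }


def looks_like_domain_dev_setup(summary):
    """Heuristic: a libvirt driver type creating/removing a node under /dev.
    This is the pattern the reply calls legitimate only inside the domain's
    mount namespace; the audit record cannot show which namespace it was."""
    stype = summary["scontext"].split(":")[2]
    return (stype in LIBVIRT_DRIVER_TYPES
            and summary["tclass"] in {"chr_file", "blk_file", "dir", "lnk_file"}
            and (summary["target"] or "").startswith("/dev/")
            and bool(DEV_SETUP_PERMS & set(summary["denied"])))


def triage(text):
    """event id -> summary, for every event found in the raw audit text."""
    return {eid: summarize(recs) for eid, recs in parse_records(text).items()}


if __name__ == "__main__":
    for eid, s in triage(SAMPLE_AUDIT).items():
        print(eid, " ".join(s["proctitle"]), s["syscall"], s["errno"])
        print("  denied", s["denied"], s["scontext"], "->", s["tcontext"], s["tclass"], s["target"])
        print("  /dev setup pattern:", looks_like_domain_dev_setup(s))
```

Feed it the output of `ausearch -m AVC,SYSCALL,PATH,PROCTITLE -ts recent` instead of the constructed sample to triage a live system; a positive classification only says the denial is the /dev-setup kind, and the libvirt debug logs the reply asks for remain the way to learn which mount namespace the process was in.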