On 12/16/2013 08:37 PM, Dmitry S. Makovey wrote:
> On 12/16/2013 06:17 PM, Dmitry S. Makovey wrote:
>> Hi everybody,
>>
>> today, right after update my machine refuses to start any of the VMs it
>> was happily running just a minute ago.
>>
>> Some details:
>>
>> $ rpm -qa | grep selinux-policy
>> selinux-policy-targeted-3.12.1-74.15.fc19.noarch
>> selinux-policy-devel-3.12.1-74.15.fc19.noarch
>> selinux-policy-3.12.1-74.15.fc19.noarch
>>
>> # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= svirt_t ==============
>> allow svirt_t virt_image_t:file read;
>>
>> # ls -laZ /var/lib/libvirt/images/
>> drwx--x--x. qemu qemu system_u:object_r:virt_image_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:virt_var_lib_t:s0 ..
>> -rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2
>> ...
>>
>> in other words - I see no reason why this should fail, what did I miss?
>>
>> Should I head over to bugzilla and report?
>>
>
> after some tinkering I've applied svirt_image_t to /var/lib/libvirt/images
> and everything is functioning, however "restorecon -RF
> /var/lib/libvirt/images" brings everything back to virt_image_t, hmm?
>

libvirt is supposed to change the label of a virt_image_t to
svirt_image_t:MCSLABEL when the virtual machine is running, and then change it
back to virt_image_t when the VM is finished. Running VMs can only read/write
svirt_image_t.

The problem is you should not be running restorecon on this directory.
svirt_image_t is supposed to be in a type that restorecon will not change.

If you stop and restart the VM everything should be labeled correctly.
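The label lifecycle described in the reply above, as an added example that is not part of the original thread: a Python check that compares each image's SELinux context with whether a running VM is using it. The sample listing is constructed, the function names are hypothetical, and the code assumes the `ls -laZ` column layout shown in the post.

```python
import re

# Constructed sample in the `ls -laZ` layout shown in the post:
# mode, owner, group, SELinux context, file name.
SAMPLE_LS_Z = """\
-rw-r--r--. qemu qemu system_u:object_r:virt_image_t:s0 devstack-f.qcow2
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c107,c434 web01.qcow2
-rw-r--r--. qemu qemu system_u:object_r:svirt_image_t:s0 old.qcow2
"""

# user:role:type:level, where the level may carry MCS categories (s0:c1,c2).
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+):(s\d+(?:-s\d+)?)(?::(\S+))?$")

def parse_context(context):
    """Split an SELinux context into (type, categories); categories may be None."""
    match = CONTEXT_RE.match(context)
    if match is None:
        raise ValueError(f"not an SELinux context: {context!r}")
    return match.group(3), match.group(5)

def check_image(context, vm_running):
    """Compare one image label with the state libvirt should leave it in."""
    se_type, categories = parse_context(context)
    if vm_running:
        if se_type == "svirt_image_t" and categories:
            return "ok"
        if se_type == "virt_image_t":
            return "denied: running VM needs svirt_image_t:MCSLABEL"
        return "unexpected label for a running VM"
    if se_type == "virt_image_t":
        return "ok"
    if se_type == "svirt_image_t":
        return "stale: libvirt did not restore virt_image_t"
    return f"unexpected type {se_type}"

def audit_images(ls_z_output, running_images):
    """Return {file name: verdict} for every regular file in the listing."""
    report = {}
    for line in ls_z_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[0].startswith("-"):
            continue  # skip directories, '.', '..' and malformed lines
        report[fields[4]] = check_image(fields[3], fields[4] in running_images)
    return report

if __name__ == "__main__":
    running = {"devstack-f.qcow2", "web01.qcow2"}  # constructed: images of running VMs
    for name, verdict in audit_images(SAMPLE_LS_Z, running).items():
        print(f"{name}: {verdict}")
```

The `denied` verdict corresponds to the `allow svirt_t virt_image_t:file read;` line that audit2allow printed in the original post.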