Re: libvirt and SELlinux 'access denied' in a VM

Fri, 21 Mar 2014 09:14:40 -0700 

On Fri, Mar 21, 2014 at 3:40 PM, Cole Robinson <crobi...@redhat.com> wrote:
>
> On 03/21/2014 10:36 AM, Juerg Haefliger wrote:
> > Hi,
> >
> > I started a VM using the official F20 cloud image, installed libvirt
and its
> > dependencies and tried to create a guest but SELinux won't let me:
> >
> > [root@fedora-20 ~]# virsh create mini.xml
> > error: Failed to create domain from mini.xml
> > error: Input/output error
> >
> > [root@fedora-20 ~]# journalctl | tail
> > Mar 21 14:23:06 fedora-20 systemd[1]: SELinux policy denies access.
> > Mar 21 14:23:06 fedora-20 systemd-machined[7210]: Failed to start
machine
> > scope: Access denied
> > Mar 21 14:23:06 fedora-20 libvirtd[6856]: Input/output error
> >
> > [root@fedora-20 ~]# cat /var/log/libvirt/qemu/mini.log
> > 2014-03-21 14:23:06.740+0000: starting up
> > LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
> > QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name mini -S -machine
> > pc-i440fx-1.6,accel=tcg,usb=off -m 1024 -realtime mlock=off -smp
> > 1,sockets=1,cores=1,threads=1 -uuid 11111111-2890-2015-1f87-cbfa725b1dd3
> > -nographic -no-user-config -nodefaults -chardev
> >
socket,id=charmonitor,path=/var/lib/libvirt/qemu/mini.monitor,server,nowait
> > -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
-no-shutdown
> > -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device
> > virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2
> > 2014-03-21 14:23:06.744+0000: shutting down
> >
>
> > msg='virt=qemu vm="mini" uuid=11111111-2890-2015-1f87-cbfa725b1dd3
> > vm-ctx=107:107 img-ctx=107:107 model=dac exe="/usr/sbin/libvirtd"
hostname=?
> > addr=? terminal=? res=success'
> > type=USER_AVC msg=audit(1395412399.788:283): pid=1 uid=0 auid=4294967295
> > ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  {
start }
> > for auid=-1 uid=-1 gid=-1 scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=service
>
> That's strange, not sure what caused it. Try an selinux relabel. Make sure
> selinux isn't disabled at startup (permissive is fine), and do:
>
> sudo touch /.autorelabel
> reboot

Problem still persists. Is there a way to check that the relabling actually
happened?

...Juerg


> - Cole

_______________________________________________
cloud mailing list
cloud@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Reply via email to