Bug 1132467
Summary: | policy blocking gnome-boxes vm creation | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Vladimir Benes <vbenes> |
Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 21 | CC: | agedosier, berrange, clalancette, crobinso, dominick.grift, dwalsh, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, veillard, virt-maint |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2014-08-21 16:32:51 UTC | | |
Description
Vladimir Benes
2014-08-21 12:10:21 UTC
Did you try the suggested fix?

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

The problem is libvirt is not using libvirt-kvm for creating the VM and other tooling requires execmem. libvirt should choose a different label for launching a virtual machine that is not using -kvm. svirt_tgt_t for example, which is allowed execmem and execstack out of the box.

Currently we ship virtual_domain_context file which includes two types.

cat /etc/selinux/targeted/contexts/virtual_domain_context
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0

libvirt is choosing the svirt_t (first type) which does not allow the execmem execstack. If it chose the second for this type of VM the problem would go away.

Vladimir, could you include the AVC information, so that we could verify that the qemu process that libvirt is launching.

As Dan wrote above ... we created svirt_tcg_t for this purpose and we have

allow svirt_tcg_t self:process { execmem execstack };

in the policy by default.

Pretty sure it's the librados issue

*** This bug has been marked as a duplicate of bug 1118504 ***
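The label choice discussed in this thread, as an added example that is not part of the bug report or of libvirt's code: it picks a context from virtual_domain_context by guest type and uses it to triage an execmem/execstack denial as a labelling problem or a policy problem. The function names are hypothetical, the guest types "kvm" and "qemu" follow the libvirt domain XML `type` attribute, and the AVC record is constructed because the reporter's AVC is not on the page.

```python
import re

# Constructed sample: the two entries the thread quotes from virtual_domain_context.
CONTEXT_FILE = "system_u:system_r:svirt_t:s0\nsystem_u:system_r:svirt_tcg_t:s0\n"

# Constructed AVC record for illustration; not taken from the bug report.
SAMPLE_AVC = ('type=AVC msg=audit(1408623021.000:100): avc:  denied  { execmem } '
              'for  pid=4242 comm="qemu-system-x86" '
              'scontext=system_u:system_r:svirt_t:s0:c10,c20 '
              'tcontext=system_u:system_r:svirt_t:s0:c10,c20 tclass=process')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)")

def parse_contexts(text):
    """Return the non-empty entries of the context file, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def select_label(contexts, domain_type):
    """Rule proposed in the thread: first entry for KVM, second for emulated guests."""
    if not contexts:
        raise ValueError("no domain contexts configured")
    if domain_type == "kvm" or len(contexts) < 2:
        return contexts[0]
    return contexts[1]

def parse_avc(line):
    """Extract denied permissions, source SELinux type and class from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m["perms"].split()),
            "type": m["scontext"].split(":")[2],
            "tclass": m["tclass"]}

def triage(avc_line, contexts, domain_type):
    """Say whether an execmem/execstack denial points at the label or at policy."""
    avc = parse_avc(avc_line)
    if avc is None or avc["tclass"] != "process":
        return "unrelated"
    denied = avc["perms"] & {"execmem", "execstack"}
    if not denied:
        return "unrelated"
    expected = select_label(contexts, domain_type).split(":")[2]
    if avc["type"] != expected:
        return f"label: guest runs as {avc['type']}, expected {expected}"
    return f"policy: {expected} denied {','.join(sorted(denied))}"
```

A "label" result matches the case described in the thread, where an emulated guest is started with the first (svirt_t) entry; a "policy" result means the guest already has the expected type and the denial has to be explained some other way.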