Bug 1122283 - SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execstack' accesses on a process.
Keywords:
Status: CLOSED DUPLICATE of bug 1118504
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ad121b522416f89af33defa195c...
Depends On:
Blocks:
 
Reported: 2014-07-22 20:37 UTC by Elad Alfassa
Modified: 2014-08-08 15:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-08 15:04:28 UTC
Type: ---
Embargoed:



Description Elad Alfassa 2014-07-22 20:37:39 UTC
Description of problem:
Can't run GNOME Boxes VMs. This popped up when I tried. Boxes should work "out of the box" without need to tweak SELinux booleans.
SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execstack' accesses on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that qemu-system-x86_64 should be allowed execstack access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_t:s0:c103,c599
Target Context                unconfined_u:unconfined_r:svirt_t:s0:c103,c599
Target Objects                Unknown [ process ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           qemu-system-x86-2.1.0-0.4.rc2.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-66.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-0.rc5.git2.2.fc22.x86_64 #1
                              SMP Fri Jul 18 23:04:00 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-22 23:36:10 IDT
Last Seen                     2014-07-22 23:36:10 IDT
Local ID                      7b854396-da35-44a2-a921-84ddc132ecaa

Raw Audit Messages
type=AVC msg=audit(1406061370.507:216): avc:  denied  { execstack } for  pid=15890 comm="qemu-system-x86" scontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tclass=process permissive=0


type=SYSCALL msg=audit(1406061370.507:216): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fff5a9a2000 a1=1000 a2=1000007 a3=7fbf9646ca60 items=0 ppid=1 pid=15890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 key=(null)

Hash: qemu-system-x86,svirt_t,svirt_t,process,execstack

Version-Release number of selected component:
selinux-policy-3.13.1-66.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc5.git2.2.fc22.x86_64
type:           libreport

Potential duplicate: bug 1116519
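The AVC record above says who was denied what (svirt_t, execstack, on itself), and the SYSCALL record with the same event id says how: an mprotect of one page at a stack address with a2=1000007. Decoding that value gives PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, which is exactly the call glibc's dynamic loader makes when a shared object it is loading carries an executable PT_GNU_STACK, so the denial is about a library, not about QEMU's own JIT. The script below is an added example, not part of the report or of setroubleshoot; it correlates the two records by event id and decodes the protection bits. The sample log is a constructed copy of the two records quoted above, and the field names in the result dictionaries are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in this report, as
# setroubleshoot rendered them (raw kernel records log arch as a hex value).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1406061370.507:216): avc:  denied  { execstack } for  pid=15890 comm="qemu-system-x86" scontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 tclass=process permissive=0
type=SYSCALL msg=audit(1406061370.507:216): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fff5a9a2000 a1=1000 a2=1000007 a3=7fbf9646ca60 items=0 ppid=1 pid=15890 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=unconfined_u:unconfined_r:svirt_t:s0:c103,c599 key=(null)
"""

# mprotect(2) protection bits on x86-64 (asm-generic/mman-common.h).
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}

# Process permissions that relax W^X; any of them deserves a closer look.
WX_PERMS = {"execstack", "execmem", "execheap", "execmod"}

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def decode_prot(hex_value):
    """Expand the raw a2 argument of mprotect (audit logs it in hex) into PROT_* names."""
    bits = int(hex_value, 16)
    names = [name for bit, name in sorted(PROT_FLAGS.items()) if bits & bit]
    unknown = bits & ~sum(PROT_FLAGS)
    if unknown:
        names.append(hex(unknown))
    return names


def parse_record(line):
    """Parse one audit line into a dict; AVC lines also get 'decision' and 'perms'."""
    m = _MSG_RE.search(line)
    if not m:
        return None
    rec = {"time": m.group(1), "event": m.group(2)}
    for key, val in _KV_RE.findall(line):
        rec[key] = val.strip('"')
    avc = _AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def correlate(log_text):
    """Group records by audit event id so an AVC can be read with its SYSCALL."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return events


def find_execstack_denials(log_text):
    """Every denied W^X-relaxing AVC, joined with the syscall that triggered it."""
    findings = []
    for event_id, records in correlate(log_text).items():
        syscalls = [r for r in records if r.get("type") == "SYSCALL"]
        for avc in records:
            if avc.get("type") != "AVC" or avc.get("decision") != "denied":
                continue
            perms = sorted(set(avc["perms"]) & WX_PERMS)
            if not perms:
                continue
            sc, tc = avc["scontext"], avc["tcontext"]
            parts = sc.split(":")
            finding = {
                "event": event_id, "pid": avc["pid"], "comm": avc["comm"],
                "perms": perms,
                "domain": parts[2],                        # svirt_t
                "categories": parts[4] if len(parts) > 4 else "",  # sVirt MCS pair
                # same context and tclass=process: the process is changing its own memory
                "self_target": sc == tc and avc.get("tclass") == "process",
            }
            if syscalls:
                sysc = syscalls[0]
                finding["syscall"] = sysc.get("syscall")
                finding["exe"] = sysc.get("exe")
                if sysc.get("syscall") == "mprotect":
                    finding["addr"] = "0x" + sysc["a0"]
                    finding["length"] = int(sysc["a1"], 16)
                    finding["prot"] = decode_prot(sysc["a2"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_execstack_denials(SAMPLE_AUDIT_LOG):
        print(f"event {f['event']}: pid {f['pid']} ({f['comm']}, {f['domain']}:{f['categories']}) "
              f"denied {'+'.join(f['perms'])} via {f.get('syscall')}", end="")
        if "prot" in f:
            print(f" on {f['length']} bytes at {f['addr']} with {'|'.join(f['prot'])}", end="")
        print()
```

Run it over `/var/log/audit/audit.log` instead of the sample to see every such denial with its cause. Knowing the trigger matters before taking either of the suggested fixes: `virt_use_execmem` grants execmem and execstack to every svirt_t guest on the host, and an audit2allow module built from this record does the same for execstack, whereas the real defect is in whichever object asked for an executable stack.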

Comment 1 Daniel Walsh 2014-08-06 22:48:03 UTC
The problem is most qemu users don't need this priv and it is fairly dangerous.

I would argue that changing libvirt to use a different type is the proper way to fix this problem.

Comment 2 Cole Robinson 2014-08-08 14:34:31 UTC
Can you show the libvirt XML (virsh dumpxml $vmname) and /var/log/libvirt/qemu/$vmname.log ? libvirt should be handling this correctly already

Comment 3 Elad Alfassa 2014-08-08 14:42:24 UTC
/var/log/libvirt/qemu is empty.

Here is an example of a VM. This problem affects ALL my gnome-boxes VMs.

<domain type='kvm'>
  <name>boxes-unknown-2</name>
  <uuid>eef07880-c764-4b61-919e-6884a1bbe120</uuid>
  <title>Fedora-Live-Workstation-x86_64-rawhide-20140703 2</title>
  <metadata>
    <boxes:gnome-boxes xmlns:boxes="http://live.gnome.org/Boxes/">
      <os-state>installed</os-state>
      <media>/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso</media>
    </boxes:gnome-boxes>
  </metadata>
  <memory unit='KiB'>2122428</memory>
  <currentMemory unit='KiB'>2122428</currentMemory>
  <vcpu placement='static'>8</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-passthrough'>
    <topology sockets='1' cores='4' threads='2'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/home/elad/.local/share/gnome-boxes/images/boxes-unknown-2'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso' startupPolicy='optional'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='ccid' index='0'/>
    <interface type='bridge'>
      <mac address='52:54:00:22:9c:02'/>
      <source bridge='virbr0'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <smartcard mode='passthrough' type='spicevmc'>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'/>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ac97'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Comment 4 Cole Robinson 2014-08-08 14:46:23 UTC
Sorry, that should have been ~/.cache/libvirt/qemu/log/$vmname.log, please provide that as well

Comment 5 Elad Alfassa 2014-08-08 14:51:09 UTC
LC_ALL=C PATH=/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/elad/.local/bin:/home/elad/bin HOME=/home/elad USER=elad LOGNAME=elad QEMU_AUDIO_DRV=spice /usr/bin/qemu-kvm -name boxes-unknown-2 -S -machine pc-i440fx-2.0,accel=kvm,usb=off -cpu host -m 2073 -realtime mlock=off -smp 8,sockets=1,cores=4,threads=2 -uuid eef07880-c764-4b61-919e-6884a1bbe120 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/home/elad/.config/libvirt/qemu/lib/boxes-unknown-2.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x5.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x5 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x5.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x5.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -device usb-ccid,id=ccid0 -drive file=/home/elad/.local/share/gnome-boxes/images/boxes-unknown-2,if=none,id=drive-ide0-0-0,format=qcow2,cache=none -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive file=/home/elad/Fedora-Live-Workstation-x86_64-rawhide-20140703.iso,if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -netdev tap,fd=22,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:22:9c:02,bus=pci.0,addr=0x3 -chardev spicevmc,id=charsmartcard0,name=smartcard -device ccid-card-passthru,chardev=charsmartcard0,id=smartcard0,bus=ccid0.0 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 
-spice port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device AC97,id=sound0,bus=pci.0,addr=0x4 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -chardev spicevmc,id=charredir2,name=usbredir -device usb-redir,chardev=charredir2,id=redir2 -chardev spicevmc,id=charredir3,name=usbredir -device usb-redir,chardev=charredir3,id=redir3 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
Domain id=7 is tainted: host-cpu
/usr/bin/qemu-system-x86_64: error while loading shared libraries: librados.so.2: cannot enable executable stack as shared object requires: Permission denied
2014-08-08 14:50:03.106+0000: shutting down
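The loader message above names the real trigger: a shared object whose PT_GNU_STACK program header asks for an executable stack, which ld.so cannot grant inside svirt_t. The quickest check on a real system is `readelf -lW /path/to/lib.so | grep GNU_STACK` (RWX means executable) or `execstack -q`. The script below is an added example, not part of the report or of QEMU, libvirt or Ceph; it reads the program headers directly so the check can run anywhere, and its ELF fixtures are constructed in memory to stand in for a real library (they are not librados).

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551      # program header that states the required stack permissions
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none.

    Handles ELF32 and ELF64 in either byte order; raises ValueError on non-ELF input.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None or ei_class not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    if ei_class == 2:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)           # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)  # e_phentsize, e_phnum
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1                    # p_type, p_flags, ...
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6                    # ..., p_flags, p_align
    for i in range(phnum):
        fields = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def needs_exec_stack(data):
    """True if ld.so would have to make the process stack executable to load this object.

    A missing PT_GNU_STACK counts as executable: that is glibc's default on x86 and
    what the execstack(8) tool reports as '?'.
    """
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def describe(data):
    """Verdict in the style of `readelf -lW` output."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "GNU_STACK missing (treated as RWX)"
    perms = "".join(n if flags & b else "-" for b, n in ((PF_R, "R"), (PF_W, "W"), (PF_X, "X")))
    return "GNU_STACK " + perms


def check_file(path):
    """Verdict for an on-disk object, e.g. each library listed by ldd for the QEMU binary."""
    with open(path, "rb") as fh:
        data = fh.read()
    return needs_exec_stack(data), describe(data)


def build_elf64(stack_flags):
    """Constructed fixture, not a real library: minimal little-endian x86-64 ET_DYN with
    one PT_LOAD and, unless stack_flags is None, a PT_GNU_STACK carrying stack_flags."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)    # ELF64, LE, version 1, SysV ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)         # ET_DYN, EM_X86_64, phdrs at 64
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:   # no arguments: demonstrate on the constructed fixtures
        for name, fx in (("rw-stack", build_elf64(PF_R | PF_W)),
                         ("rwx-stack", build_elf64(PF_R | PF_W | PF_X)),
                         ("no-header", build_elf64(None))):
            print(f"{name}: {describe(fx)} -> needs exec stack: {needs_exec_stack(fx)}")
    for p in paths:
        bad, verdict = check_file(p)
        print(f"{'EXECSTACK' if bad else 'ok       '} {verdict}  {p}")
```

To find the culprit on a host like the reporter's, feed it the dependency list: `ldd /usr/bin/qemu-system-x86_64 | awk '/=>/ {print $3}' | xargs python3 gnustack.py` (the script name is this example's own). One object marked executable is enough to make ld.so call mprotect on the stack and fail under svirt_t exactly as in the log above. The lasting fix is rebuilding that library so every object, including assembly sources, carries a `.note.GNU-stack` section; `execstack -c` on the installed file only papers over it until the next package update.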

Comment 6 Cole Robinson 2014-08-08 14:55:26 UTC
Can you do:

  virt-xml --connect qemu:///session --edit --cpu clearxml=yes boxes-unknown-2

Then 

  virsh start boxes-unknown-2

And see if the error persists?

Comment 7 Elad Alfassa 2014-08-08 14:59:50 UTC
Same error:

error: Failed to start domain boxes-unknown-2
error: internal error: process exited while connecting to monitor: /usr/bin/qemu-system-x86_64: error while loading shared libraries: librados.so.2: cannot enable executable stack as shared object requires: Permission denied

Comment 8 Cole Robinson 2014-08-08 15:04:28 UTC
Thanks for the info. Now that I look at the error I see it's some library messing up, and googling reveals there's another bug tracking the actual culprit.

*** This bug has been marked as a duplicate of bug 1118504 ***

