Bug 1132467 - policy blocking gnome-boxes vm creation
Summary: policy blocking gnome-boxes vm creation
Keywords:
Status: CLOSED DUPLICATE of bug 1118504
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-08-21 12:10 UTC by Vladimir Benes
Modified: 2014-08-21 16:32 UTC
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-21 16:32:51 UTC
Type: Bug
Embargoed:



Description Vladimir Benes 2014-08-21 12:10:21 UTC
Description of problem:

SELinux is preventing qemu-system-x86 from using the execstack access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-72.fc21.noarch
gnome-boxes-3.13.4-1.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1.open gnome-boxes
2.create any vm from image


Actual results:
selinux blocks it

Expected results:
should work

Additional info:
setenforce=0 helps here :-)

Comment 1 Daniel Walsh 2014-08-21 12:20:20 UTC
Did you try the suggested fix?

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to use execmem
Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P virt_use_execmem 1

The problem is libvirt is not using libvirt-kvm for creating the VM and other tooling requires execmem.

libvirt should choose a different label for launching a virtual machine that is not using -kvm.

svirt_tcg_t for example, which is allowed execmem and execstack out of the box.


Currently we ship virtual_domain_context file which includes two types.
cat /etc/selinux/targeted/contexts/virtual_domain_context 
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0

libvirt is choosing svirt_t (the first type), which does not allow execmem/execstack. If it chose the second for this type of VM, the problem would go away.

Comment 2 Daniel Walsh 2014-08-21 12:21:08 UTC
Vladimir, could you include the AVC information, so that we could verify the qemu process that libvirt is launching.

Comment 3 Miroslav Grepl 2014-08-21 12:25:15 UTC
As Dan wrote above, we created svirt_tcg_t for this purpose and we have

allow svirt_tcg_t self:process { execmem execstack };

in the policy by default.
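
The triage that comments 1 to 3 describe, as an added example that is not part of the bug report or of libvirt/selinux-policy: it pulls the source type, target class and denied permission out of an audit.log AVC record (the kind Dan asks for in comment 2), reports whether the denial is the svirt_t execmem/execstack case, and lists the two remedies discussed above (the virt_use_execmem boolean, or running the non-KVM guest as svirt_tcg_t, which the policy already allows via `allow svirt_tcg_t self:process { execmem execstack };`). The AVC line and the copy of virtual_domain_context are constructed samples so the script runs offline; on a real host you would feed it `ausearch -m avc -c qemu-system-x86` output and the actual file.

```shell
#!/bin/sh
# Added example (not from the bug report): offline triage of a qemu AVC denial
# against the svirt_t / svirt_tcg_t labels discussed in the bug.

# Constructed AVC record matching the report's scenario (pid, categories and
# timestamp are made up).
SAMPLE_AVC='type=AVC msg=audit(1408623021.412:318): avc:  denied  { execstack } for  pid=4321 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c57,c913 tcontext=system_u:system_r:svirt_t:s0:c57,c913 tclass=process permissive=0'

# Constructed copy of /etc/selinux/targeted/contexts/virtual_domain_context,
# with the two lines quoted in comment 1 (svirt_t first, svirt_tcg_t second).
SAMPLE_VDC='system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0'

# avc_field LINE KEY: the value of "KEY=value" in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the denied permission inside "{ ... }" (first one if several).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level[:categories].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE: print one of
#   svirt_t-<perm>                the case in this bug (svirt_t lacks execmem/execstack)
#   svirt_tcg_t-<perm>-unexpected policy already allows it for svirt_tcg_t
#   other                         not an execmem/execstack denial on self:process
classify_avc() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    tclass=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    case "$perm" in
        execmem|execstack) ;;
        *) printf 'other\n'; return 0 ;;
    esac
    if [ "$tclass" != process ]; then
        printf 'other\n'; return 0
    fi
    case "$stype" in
        svirt_t)     printf 'svirt_t-%s\n' "$perm" ;;
        svirt_tcg_t) printf 'svirt_tcg_t-%s-unexpected\n' "$perm" ;;
        *)           printf 'other\n' ;;
    esac
}

# remedies VERDICT: the fixes from the bug discussion that apply to a verdict.
remedies() {
    case "$1" in
        svirt_t-*)
            printf 'setsebool -P virt_use_execmem 1\n'
            printf 'or launch the non-KVM guest as svirt_tcg_t (second type in virtual_domain_context)\n' ;;
        svirt_tcg_t-*)
            printf 'policy already allows this for svirt_tcg_t; confirm the process label with ps -eZ\n' ;;
        *)  printf 'not the execmem/execstack case\n' ;;
    esac
}

# default_vdc_type VDC_CONTENT: the type libvirt picks by default, i.e. the
# first line of virtual_domain_context.
default_vdc_type() {
    printf '%s\n' "$1" | head -n 1 | cut -d: -f3
}

# vdc_has_type VDC_CONTENT TYPE: succeed if TYPE is listed in the file.
vdc_has_type() {
    printf '%s\n' "$1" | cut -d: -f3 | grep -qx "$2"
}

# Stand-alone run over the constructed samples.
verdict=$(classify_avc "$SAMPLE_AVC")
printf 'verdict: %s\n' "$verdict"
remedies "$verdict"
printf 'default label: %s\n' "$(default_vdc_type "$SAMPLE_VDC")"
if vdc_has_type "$SAMPLE_VDC" svirt_tcg_t; then
    printf 'svirt_tcg_t is listed as an alternative type\n'
fi
```

The check worth keeping from this is the label comparison: if `ps -eZ | grep qemu` shows svirt_t for a guest that runs without KVM, the execmem/execstack denial is expected and either the boolean or the svirt_tcg_t label resolves it; a denial while the process already runs as svirt_tcg_t would point at a different policy problem.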

Comment 4 Cole Robinson 2014-08-21 16:32:51 UTC
Pretty sure it's the librados issue

*** This bug has been marked as a duplicate of bug 1118504 ***

