Bug 1146320 - Unable to start domain: unable to set security context 'system_u:object_r:tun_tap_device_t:s0:c7,c207'
Keywords:
Status: CLOSED DUPLICATE of bug 1147057
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs 1148012
Reported: 2014-09-25 02:05 UTC by Jens Petersen
Modified: 2014-10-03 09:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-03 09:49:10 UTC
Type: Bug
Embargoed:


Attachments:
log.txt (10.43 KB, text/plain), 2014-10-02 15:37 UTC, Richard W.M. Jones

Description Jens Petersen 2014-09-25 02:05:48 UTC
Description of problem:
I cannot install F21 Live in an F21 host with gnome-boxes.

Version-Release number of selected component (if applicable):
gnome-boxes-3.13.92-1.fc21
gnome-boxes-3.14.0-2.fc21
libvirt-1.2.8-4.fc21


How reproducible:
100%

Steps to Reproduce:
1. Download Fedora (WS) 21 Alpha Live
2. Try to install it in gnome-boxes on f21

Actual results:
(gnome-boxes:5021): Boxes-WARNING **: machine.vala:576: Failed to start Fedora-Live-Workstation-x86_64-21_Alpha-1: Unable to start domain: unable to set security context 'system_u:object_r:tun_tap_device_t:s0:c7,c207' on fd 21: Operation not permitted

UI pops up bubble saying "Failed to start 'Fedora-Live-Workstation-x86_64-21_Alpha-1'"

Expected results:
Install to start normally

Additional info:
The live image boots fine with qemu-kvm and installs fine in virt-manager.

Comment 1 Joachim Frieben 2014-10-02 14:30:28 UTC
After booting the system with kernel option "enforcing=0" in permissive mode, gnome-boxes starts up as expected.
The applicable component is probably rather 'selinux-policy-targeted'.

Comment 2 Richard W.M. Jones 2014-10-02 15:33:58 UTC
I am seeing this on Fedora Rawhide when running the new libguestfs
which has this change:
https://github.com/libguestfs/libguestfs/commit/224de20b9a8d5ea56f6337f19b4ca237bb88eca0

Comment 3 Richard W.M. Jones 2014-10-02 15:37:55 UTC
Created attachment 943437
log.txt

Output from libguestfs with verbose logging enabled.

Comment 4 Richard W.M. Jones 2014-10-02 16:18:02 UTC
I have:

selinux-policy 3.13.1-84.fc22
libvirt-1.2.9-1.fc22.x86_64
kernel 3.17.0-0.rc6.git2.1.fc22.x86_64

Strangely there is no output from `ausearch -m avc -ts recent'.
However there are audit messages in audit.log.  I'm not sure
if these are errors (or even related):

type=ANOM_PROMISCUOUS msg=audit(1412266570.754:807): dev=tap0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=1
type=SYSCALL msg=audit(1412266570.754:807): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=89a2 a2=7fff005468d0 a3=fffffffffffff998 items=0 ppid=28441 pid=29353 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266570.754:807): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=ANOM_PROMISCUOUS msg=audit(1412266570.759:808): dev=tap0 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=1
type=ANOM_ABEND msg=audit(1412266570.764:809): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 pid=29354 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" sig=11
type=USER_CMD msg=audit(1412266616.011:810): pid=29386 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=6C657373202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=pts/0 res=success'

Comment 5 Richard W.M. Jones 2014-10-02 16:24:10 UTC
Setting SELinux to Permissive does fix the problem, which
indicates that it is an SELinux problem.

audit2allow says "Nothing to do".

The complete set of audit logs with SELinux set to Permissive is below.

type=SYSCALL msg=audit(1412266685.743:815): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffddfc5fc0 a2=1 a3=0 items=0 ppid=29396 pid=29397 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266685.743:815): proctitle=736574656E666F726365005065726D697373697665
type=USER_END msg=audit(1412266685.744:816): pid=29396 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantor=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=ANOM_PROMISCUOUS msg=audit(1412266693.179:817): dev=tap0 prom=256 old_prom=0 auid=1000 uid=1000 gid=1000 ses=1
type=SYSCALL msg=audit(1412266693.179:817): arch=c000003e syscall=16 success=yes exit=0 a0=5 a1=89a2 a2=7fff098c02c0 a3=fffffffffffff998 items=0 ppid=30408 pid=30450 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1412266693.179:817): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=ANOM_PROMISCUOUS msg=audit(1412266708.292:818): dev=tap0 prom=0 old_prom=256 auid=1000 uid=1000 gid=1000 ses=1
type=USER_CMD msg=audit(1412266716.513:819): pid=30488 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=736574656E666F72636520456E666F7263696E67 terminal=pts/0 res=success'
type=USER_START msg=audit(1412266716.515:820): pid=30488 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantor=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
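
Added example (not part of the bug report or of any commenter's post): a small parser for audit.log excerpts like the ones in comments 4 and 5. It groups records by event serial, decodes the hex-encoded proctitle= and cmd= fields, and checks for type=AVC records; the excerpt has none, which matches the empty `ausearch -m avc` and audit2allow results reported above. The sample lines are abridged from comment 5 (fields trimmed), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Records abridged from the audit.log excerpt in comment 5 (fields trimmed).
SAMPLE = """\
type=SYSCALL msg=audit(1412266685.743:815): syscall=1 success=yes comm="setenforce" exe="/usr/sbin/setenforce"
type=PROCTITLE msg=audit(1412266685.743:815): proctitle=736574656E666F726365005065726D697373697665
type=ANOM_PROMISCUOUS msg=audit(1412266693.179:817): dev=tap0 prom=256 old_prom=0 auid=1000
type=SYSCALL msg=audit(1412266693.179:817): syscall=16 success=yes comm="qemu-bridge-hel" exe="/usr/libexec/qemu-bridge-helper"
type=PROCTITLE msg=audit(1412266693.179:817): proctitle=2F7573722F6C6962657865632F71656D752D6272696467652D68656C706572002D2D7573652D766E6574002D2D62723D766972627230002D2D66643D3232
type=USER_CMD msg=audit(1412266716.513:819): pid=30488 msg='cwd="/home/rjones/d/libguestfs" cmd=736574656E666F72636520456E666F7263696E67 terminal=pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Unquoted, even-length hex after proctitle=/cmd= means the value was hex-encoded.
HEX_FIELD = re.compile(r"\b(proctitle|cmd)=((?:[0-9A-Fa-f]{2})+)(?=\s|'|$)")


def decode_hex(value):
    """Decode a hex-encoded audit field; NUL bytes separate argv entries."""
    raw = bytes.fromhex(value)
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace")


def parse(log_text):
    """Group records by audit event serial, decoding hex-encoded fields."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record line
        rtype, _timestamp, serial, body = m.groups()
        decoded = {k: decode_hex(v) for k, v in HEX_FIELD.findall(body)}
        events[int(serial)].append((rtype, decoded))
    return dict(events)


def has_avc(events):
    """True if any record is type=AVC, the type `ausearch -m avc` selects."""
    return any(rtype == "AVC" for recs in events.values() for rtype, _ in recs)


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    for serial in sorted(parsed):
        for rtype, fields in parsed[serial]:
            print(serial, rtype, fields)
    print("AVC records present:", has_avc(parsed))
```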

Comment 6 Miroslav Grepl 2014-10-03 09:49:10 UTC

*** This bug has been marked as a duplicate of bug 1147057 ***

