Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 862335 - non-kvm qemu guests fail to start due to execmem: libvirt needs to label with svirt_nokvm_t
Summary: non-kvm qemu guests fail to start due to execmem: libvirt needs to label with...
Keywords:
Status: CLOSED DUPLICATE of bug 885837
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 18
Hardware: All
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9d2cc420dc38d7438434c2480a2...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-02 16:45 UTC by Christophe Fergeau
Modified: 2012-12-12 14:59 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-12 14:59:14 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-02 16:45 UTC, Christophe Fergeau 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-02 16:45 UTC, Christophe Fergeau 		no flags Details
View All

Description Christophe Fergeau 2012-10-02 16:45:14 UTC 
Description of problem:
I tried to start a VM from gnome-boxes running in a VM. No nested kvm so it started it emulating the CPU, and this gave this error

Additional info:
libreport version: 2.0.14
kernel:         3.6.0-0.rc6.git0.2.fc18.i686.PAE

description:
:SELinux is preventing qemu-system-i38 from using the 'execmem' accesses on a process.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that qemu-system-i38 should be allowed execmem access on processes labeled svirt_t by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep qemu-system-i38 /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:svirt_t:s0:c68,c970
:Target Context                unconfined_u:unconfined_r:svirt_t:s0:c68,c970
:Target Objects                 [ process ]
:Source                        qemu-system-i38
:Source Path                   qemu-system-i38
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-25.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.0-0.rc6.git0.2.fc18.i686.PAE
:                              #1 SMP Mon Sep 17 17:28:04 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    2012-10-02 16:35:06 CEST
:Last Seen                     2012-10-02 16:35:06 CEST
:Local ID                      5842b06c-cdae-4d3a-9673-40187dcb9565
:
:Raw Audit Messages
:type=AVC msg=audit(1349188506.231:407): avc:  denied  { execmem } for  pid=5166 comm="qemu-system-i38" scontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c68,c970 tclass=process
:
:
:Hash: qemu-system-i38,svirt_t,svirt_t,process,execmem
:
:audit2allow
:
:#============= svirt_t ==============
:#!!!! This avc can be allowed using the boolean 'virt_use_execmem'
:
:allow svirt_t self:process execmem;
:
:audit2allow -R
:
:#============= svirt_t ==============
:#!!!! This avc can be allowed using the boolean 'virt_use_execmem'
:
:allow svirt_t self:process execmem;
:
Comment 1 Christophe Fergeau 2012-10-02 16:45:26 UTC 
Created attachment 620391 [details]
File: type
Comment 2 Christophe Fergeau 2012-10-02 16:45:35 UTC 
Created attachment 620392 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-10-04 09:22:58 UTC 
:#============= svirt_t ==============
:#!!!! This avc can be allowed using the boolean 'virt_use_execmem'
Comment 4 Christophe Fergeau 2012-10-04 09:42:03 UTC 
(In reply to comment #3)
> :#============= svirt_t ==============
> :#!!!! This avc can be allowed using the boolean 'virt_use_execmem'

Doesn't this mean that non-kvm qemus are broken out of the box, and that this is done on purpose? This does not sound great from a user point of view...
Comment 5 Francisco de la Peña 2012-11-09 02:32:27 UTC 
Since 3.5.4 Boxes allows to create QEMU VMs without KVM capabilities:

http://ftp.acc.umu.se/pub/GNOME/sources/gnome-boxes/3.5/gnome-boxes-3.5.4.news
Comment 6 Daniel Walsh 2012-11-09 14:12:27 UTC 
Well open this up for discussion on the virt list.  I don't care either way.   Allowing virt to use execmem, makes it more susceptable to buffer overflow attacks.  I guess we could have libvirt set the boolean when running a qemu process without kvm or select a different svirt label svirt_nokvm_t.
Comment 7 Daniel Berrangé 2012-11-09 16:55:15 UTC 
I would go for having a separate svirt label for non-KVM based QEMU.
Comment 8 Daniel Walsh 2012-11-13 14:21:43 UTC 
Ok I just checked changes into F18 policy to support to types svirt_t, and svirt_nokvm_t, only difference is execmem, and execstack for svirt_nokvm_t.

Context file has changed to include two labels.

cat virtual_domain_context 
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_nokvm_t:s0

Now libvirt needs to change to be able to use the alternate label.
Comment 9 Jiri Eischmann 2012-11-20 22:50:00 UTC 
I was trying to create a virtual machine in Boxes.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Daniel Walsh 2012-11-21 10:45:32 UTC 
Jiri just turn on the boolean.
Comment 11 Cole Robinson 2012-12-12 14:59:14 UTC 

*** This bug has been marked as a duplicate of bug 885837 ***
Note You need to log in before you can comment on or make changes to this bug.