Bug 596628 - SELinux is preventing /usr/sbin/libvirtd "transition" access on /usr/bin/qemu-kvm.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:008a80416c0...
Depends On:
Blocks:
 
Reported: 2010-05-27 07:22 UTC by Catalin BOIE
Modified: 2010-11-10 14:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-01 13:54:40 UTC



Description Catalin BOIE 2010-05-27 07:22:49 UTC
Summary:

SELinux is preventing /usr/sbin/libvirtd "transition" access on
/usr/bin/qemu-kvm.

Detailed Description:

SELinux denied access requested by libvirtd. It is not expected that this access
is required by libvirtd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context                system_u:system_r:svirt_t:s0:c389,c473
Target Objects                /usr/bin/qemu-kvm [ process ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libvirt-0.7.7-3.fc13
Target RPM Packages           qemu-system-x86-0.12.3-8.fc13
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.x86_64 #1 SMP Thu May
                              13 05:16:23 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 27 May 2010 10:21:22 AM EEST
Last Seen                     Thu 27 May 2010 10:21:22 AM EEST
Local ID                      41dd61ea-655b-491e-9616-fc93b5b7e00b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274944882.461:29058): avc:  denied  { transition } for  pid=11849 comm="libvirtd" path="/usr/bin/qemu-kvm" dev=dm-0 ino=14462942 scontext=unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c389,c473 tclass=process

node=(removed) type=SYSCALL msg=audit(1274944882.461:29058): arch=c000003e syscall=59 success=no exit=-13 a0=7f9594025020 a1=7f959401c9d0 a2=7f9594024f10 a3=18 items=0 ppid=1 pid=11849 auid=500 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=1 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,libvirtd,unconfined_execmem_t,svirt_t,process,transition
audit2allow suggests:

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t svirt_t:process transition;

Comment 1 Daniel Walsh 2010-05-27 14:05:36 UTC
Why is libvirtd running as unconfined_execmem_t?  How did you start libvirt?

Comment 2 Uri Sivan 2010-05-29 14:03:36 UTC
This happened to me too. Here's how to do this:

1. Install libvirt for the first time.

2. Start libvirtd manually with "service libvirtd start"

3. The following errors appear in /var/log/messages:

May 29 16:47:38 luggage libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory
May 29 16:47:39 luggage libvirtd: 16:47:39.154: warning : qemudStartup:1150 : Unable to create cgroup for driver: No such device or address
May 29 16:47:39 luggage kernel: lo: Disabled Privacy Extensions
May 29 16:47:39 luggage kernel: sit0: Disabled Privacy Extensions
May 29 16:47:39 luggage libvirtd: 16:47:39.404: warning : lxcStartup:1748 : Unable to create cgroup for driver: No such device or address

4. Trying to create a VM, the selinux error appears.

5. Rebooting solves this.

Comment 3 Catalin BOIE 2010-05-31 06:15:24 UTC
Daniel, it was a "manual" start and that broke things. So, please ignore me.

Comment 4 Daniel Walsh 2010-06-01 13:54:40 UTC
Uri, when you log in and become root, what is your context?

id -Z

If you have libvirtd running as unconfined_execmem_t, I think something strange is going on.

If you can get this to happen again please reopen this bug.
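
Added example, not part of the bug thread or of any commenter's reply: a small parser for the AVC record quoted in the description. It reproduces the rule audit2allow suggested and flags the condition Comment 1 asks about, a daemon whose source domain is an unconfined one. The function names are illustrative assumptions.

```python
import re

# AVC record as quoted under "Raw Audit Messages" in this report.
AVC = ('node=(removed) type=AVC msg=audit(1274944882.461:29058): avc:  denied  '
       '{ transition } for  pid=11849 comm="libvirtd" path="/usr/bin/qemu-kvm" '
       'dev=dm-0 ino=14462942 '
       'scontext=unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:svirt_t:s0:c389,c473 tclass=process')

def split_context(ctx):
    # user:role:type[:level]; the MLS level may itself contain ':',
    # so split at most three times and pad when no level is present.
    parts = ctx.split(":", 3)
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [""] * (4 - len(parts))))

def parse_avc(line):
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    # key=value pairs; values are either quoted or run to the next space.
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {k: v.strip('"') for k, v in pairs}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def allow_rule(avc):
    # Same shape as the audit2allow output quoted in the report.
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        avc["source"]["type"], avc["target"]["type"], avc["tclass"], perm)

def runs_unconfined(avc):
    # True when the denied process is in an unconfined_* domain: review how
    # it was started before loading the generated allow rule.
    return avc["source"]["type"].startswith("unconfined")

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(allow_rule(rec))
    print("source domain unconfined:", runs_unconfined(rec))
```
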

