Good day Fedora Community,

On the 21st of August there were a number of updates applied, which include:

Aug 21 06:06:17 INFO Upgraded: systemd-libs-229-13.fc24.x86_64
Aug 21 06:06:28 INFO Upgraded: selinux-policy-3.13.1-191.12.fc24.noarch
Aug 21 06:06:34 INFO Upgraded: systemd-229-13.fc24.x86_64
Aug 21 06:06:41 INFO Upgraded: systemd-udev-229-13.fc24.x86_64
Aug 21 06:06:42 INFO Upgraded: firewalld-filesystem-0.4.3.3-1.fc24.noarch
Aug 21 06:06:49 INFO Upgraded: python3-firewall-0.4.3.3-1.fc24.noarch
Aug 21 06:07:02 INFO Upgraded: firewalld-0.4.3.3-1.fc24.noarch
Aug 21 06:07:12 INFO Upgraded: systemd-container-229-13.fc24.x86_64
Aug 21 06:07:20 INFO Upgraded: selinux-policy-targeted-3.13.1-191.12.fc24.noarch
Aug 21 06:07:29 INFO Upgraded: selinux-policy-devel-3.13.1-191.12.fc24.noarch
Aug 21 06:07:29 INFO Upgraded: systemd-compat-libs-229-13.fc24.x86_64

After this update I am not able to start any KVM VMs with SELinux in Enforcing mode. Each time I try to start a VM I get the following error: "Error starting domain: SELinux policy denies access."

I checked the SELinux labels for /var/lib/libvirt/ and it all looks okay to me.

drwx--x--x. 2 root root system_u:object_r:virt_content_t:s0 4096 Jul 19 02:42 boot
drwxr-xr-x. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Aug 25 16:23 dnsmasq
drwx--x--x. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 filesystems
lrwxrwxrwx. 1 root root system_u:object_r:virt_image_t:s0 13 Jul 19 02:42 images -> /mnt/kvmstore
drwx------. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 libxl
drwx------. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 lxc
drwx------. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 network
drwxr-x--x. 27 qemu qemu system_u:object_r:qemu_var_run_t:s0 4096 Aug 26 13:02 qemu
drwx------. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 uml
drwx------. 2 root root system_u:object_r:virt_var_lib_t:s0 4096 Jul 19 02:42 xen

I used restorecon -R -v on the directory and it made no difference; however, I do see the below in the audit.log, which I am getting for each VM. I noticed that it's showing old and new for memory, vcpu, etc., but nothing was changed on the actual VMs.

type=VIRT_RESOURCE msg=audit(1472209871.046:34586): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 old-disk="?" new-disk="/var/lib/libvirt/images/vm-f24-dev.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1472209871.046:34587): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 old-net="?" new-net="52:54:00:c2:e4:ca" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1472209871.046:34588): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=dev reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1472209871.046:34589): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=dev reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 bus=usb device=555342207265646972646576 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1472209871.046:34590): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=mem reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 old-mem=0 new-mem=4194304 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1472209871.046:34591): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=vcpu reason=start vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 old-vcpu=0 new-vcpu=2 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1472209871.046:34592): pid=1338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="vm-f24-dev" uuid=72077648-c148-4121-97da-400baa4ce9f4 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'

Additionally, I have seen that each time I use tab for word completion with firewall-cmd, I am asked for my password each time I hit the tab key. If I enter my password, completion will work, and if I don't, I will get the following warning and it will just sit there unless I terminate it with Ctrl+C:

sudo firewall-cmd --add-sAuthorization failed. Make sure polkit agent is running or run the application as superuser.

I have also confirmed that polkit.service is running.

systemctl -l status polkit.service
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Sun 2016-08-21 07:22:50 CEST; 5 days ago
     Docs: man:polkit(8)
 Main PID: 1237 (polkitd)
    Tasks: 6 (limit: 512)
   Memory: 4.1M
      CPU: 1.517s
   CGroup: /system.slice/polkit.service
           └─1237 /usr/lib/polkit-1/polkitd --no-debug

Aug 26 09:42:43 rog-cc polkitd[1237]: Registered Authentication Agent for unix-process:3544:44040824 (system bus name :1.1082 [/usr/bin/pkttyagent --notify-fd 4
Aug 26 09:42:43 rog-cc polkitd[1237]: Unregistered Authentication Agent for unix-process:3544:44040824 (system bus name :1.1082, object path /org/freedesktop/Pol
Aug 26 09:54:38 rog-cc polkitd[1237]: Registered Authentication Agent for unix-process:4162:44112284 (system bus name :1.1092 [/usr/bin/pkttyagent --notify-fd 4
Aug 26 09:54:42 rog-cc polkitd[1237]: Operator of unix-process:4162:44112284 successfully authenticated as unix-user:eramirez to gain ONE-SHOT authorization for
Aug 26 09:54:42 rog-cc polkitd[1237]: Unregistered Authentication Agent for unix-process:4162:44112284 (system bus name :1.1092, object path /org/freedesktop/Pol
Aug 26 10:31:13 rog-cc polkitd[1237]: Registered Authentication Agent for unix-process:5360:44331846 (system bus name :1.1109 [/usr/bin/pkttyagent --notify-fd 4
Aug 26 10:31:17 rog-cc polkitd[1237]: Operator of unix-process:5360:44331846 successfully authenticated as unix-user:eramirez to gain ONE-SHOT authorization for
Aug 26 10:31:19 rog-cc polkitd[1237]: Unregistered Authentication Agent for unix-process:5360:44331846 (system bus name :1.1109, object path /org/freedesktop/Pol
Aug 26 13:03:00 rog-cc polkitd[1237]: Operator of unix-session:2 successfully authenticated as unix-user:eramirez to gain TEMPORARY authorization for action org.
Aug 26 13:03:06 rog-cc polkitd[1237]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.fedoraproject.FirewallD1.config for

Shall I file a bug for this?

--
Kind Regards
Earl Ramirez
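
Added example, not part of the original message: a small triage script for the audit.log excerpt above. libvirtd writes a VIRT_RESOURCE record for each resource it assigns at domain start (old value 0 or "?" means nothing was assigned before), so the record that marks the failure is the VIRT_CONTROL one with res=failed; the script also counts AVC/USER_AVC records within two seconds of it. The function names, the two-second window and the trimmed sample records are assumptions of this example.

```python
import re
import shlex

# Sample input: three records from the audit.log excerpt in the message,
# with the auid/ses/uuid/hostname/addr/terminal fields trimmed for width.
def _rec(rtype, serial, body, res):
    return (f"type={rtype} msg=audit(1472209871.046:{serial}): pid=1338 uid=0 "
            "subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 "
            f"msg='virt=kvm {body} exe=\"/usr/sbin/libvirtd\" res={res}'")

SAMPLE = [
    _rec("VIRT_RESOURCE", 34590, 'resrc=mem reason=start vm="vm-f24-dev" old-mem=0 new-mem=4194304', "success"),
    _rec("VIRT_RESOURCE", 34591, 'resrc=vcpu reason=start vm="vm-f24-dev" old-vcpu=0 new-vcpu=2', "success"),
    _rec("VIRT_CONTROL", 34592, 'op=start reason=booted vm="vm-f24-dev" vm-pid=-1', "failed"),
]

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
PAYLOAD = re.compile(r"msg='(.*)'\s*$")

def parse(line):
    """Return (type, epoch, serial, payload fields), or None if not an audit record."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rtype, epoch, serial, rest = m.groups()
    inner = PAYLOAD.search(rest)
    # shlex honours the double quotes around values such as vm="vm-f24-dev".
    tokens = shlex.split(inner.group(1)) if inner else []
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return rtype, int(epoch), int(serial), fields

def triage(lines):
    """Per VM: resources assigned at start, failed operations, AVC records nearby."""
    records = [r for r in map(parse, lines) if r]
    avc_times = [epoch for rtype, epoch, _, _ in records if rtype in ("AVC", "USER_AVC")]
    report = {}
    for rtype, epoch, serial, f in records:
        if not rtype.startswith("VIRT_"):
            continue
        vm = report.setdefault(f.get("vm", "?"), {"assigned": {}, "failed": [], "avc_nearby": 0})
        if rtype == "VIRT_RESOURCE" and "resrc" in f:
            r = f["resrc"]
            vm["assigned"][r] = (f.get("old-" + r), f.get("new-" + r))
        elif rtype == "VIRT_CONTROL" and f.get("res") == "failed":
            vm["failed"].append((serial, f.get("op"), f.get("reason")))
            # AVC records within 2 seconds of the failed operation (window is an assumption).
            vm["avc_nearby"] = sum(abs(t - epoch) <= 2 for t in avc_times)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live host, `ausearch -m AVC,USER_AVC -ts recent` lists the denial records to correlate with the failed start.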