SELinux blocking instance from spawning

Solution Unverified - Updated -

Issue

  • After updating RHOSP to 16.1, new instances cannot be spawned.
  • The following deny messages can be found in the audit log (records with permissive=0 were enforced denials; records with permissive=1 were only logged, while the host or the svirt_t domain was in permissive mode):

    type=AVC msg=audit(1596552157.909:578): avc:  denied  { entrypoint } for  pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
    type=AVC msg=audit(1596555374.210:1689): avc:  denied  { entrypoint } for  pid=18428 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
    type=AVC msg=audit(1596555374.210:1689): avc:  denied  { read write } for  pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(1596555374.210:1689): avc:  denied  { read execute } for  pid=18428 comm="qemu-kvm" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
    type=AVC msg=audit(1596555374.225:1690): avc:  denied  { open } for  pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
    type=AVC msg=audit(1596555374.225:1691): avc:  denied  { read } for  pid=18428 comm="qemu-kvm" name="lib64" dev="overlay" ino=117065 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=lnk_file permissive=1
    type=AVC msg=audit(1596555374.525:1692): avc:  denied  { read } for  pid=18428 comm="qemu-kvm" name="/" dev="overlay" ino=116647 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=dir permissive=1
    type=AVC msg=audit(1596562587.232:1911): avc:  denied  { entrypoint } for  pid=20925 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c970,c979 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
    type=AVC msg=audit(1596563775.829:2316): avc:  denied  { entrypoint } for  pid=24507 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c337,c866 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0

  • The traceback from nova looks like this:

    Instance failed to spawn: libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt:  error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
    Traceback (most recent call last):
    File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2663, in _build_resources
      yield resources
    File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2437, in _build_and_run_instance
      block_device_info=block_device_info)
    [...Output omitted...]
    libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt:  error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
    

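The security-relevant detail in the records above is the pair of labels: libvirtd has already switched to the confined per-guest domain svirt_t (with its own MCS categories, for example c316,c469) and is denied entrypoint on /usr/libexec/qemu-kvm, because inside the container's overlay filesystem the binary carries container_file_t:s0:c143,c388, the generic label of container content, rather than a type an svirt_t domain is allowed to enter, and with categories the guest domain does not hold. The following script is an added example, not code from the article or from Red Hat; it parses audit.log AVC records like the ones quoted (the sample records are constructed one-line copies of them), groups the denials by source type, target type and object class, separates enforced denials from permissive-mode ones, flags MCS category mismatches between subject and object, and renders the audit2allow-style rules so they can be recognised rather than applied. Names such as parse_avc, summarize and audit2allow_style are this example's own.

```python
"""Triage SELinux AVC records from a failed qemu-kvm launch.

Added example (not from the original article). Parses one-line AVC records
as audit.log writes them, summarises them per (source type, target type,
class), and flags MCS category mismatches.
"""
import re
from collections import defaultdict

# Constructed sample: one-line copies of the denials quoted in the article.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1596552157.909:578): avc:  denied  { entrypoint } for  pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596555374.210:1689): avc:  denied  { entrypoint } for  pid=18428 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc:  denied  { read write } for  pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc:  denied  { read execute } for  pid=18428 comm="qemu-kvm" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.225:1690): avc:  denied  { open } for  pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596563775.829:2316): avc:  denied  { entrypoint } for  pid=24507 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c337,c866 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?P<rest>.*?)scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)


def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into its parts.

    Categories become a set of ints so MCS dominance can be checked as a
    subset test; ranges such as c0.c1023 are expanded.
    """
    user, role, typ, *level = ctx.split(':', 3)
    sens, _, cats = (level[0] if level else 's0').partition(':')
    categories = set()
    for token in filter(None, cats.split(',')):
        if '.' in token:
            lo, hi = token.split('.')
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(token[1:]))
    return {'user': user, 'role': role, 'type': typ, 'sens': sens, 'cats': categories}


def parse_avc(log_text):
    """Return one dict per AVC record; non-AVC lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # File objects carry path="..." and directory entries name="..."
        target = re.search(r'(?:path|name)="([^"]*)"', m.group('rest'))
        records.append({
            'serial': int(m.group('serial')),
            'pid': int(m.group('pid')),
            'comm': m.group('comm'),
            'perms': m.group('perms').split(),
            'target': target.group(1) if target else None,
            'scontext': parse_context(m.group('scontext')),
            'tcontext': parse_context(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'enforced': m.group('permissive') == '0',
        })
    return records


def summarize(records):
    """Group by (source type, target type, class); note enforcement and MCS mismatch."""
    summary = defaultdict(lambda: {'perms': set(), 'enforced': 0,
                                   'logged_only': 0, 'mcs_mismatch': False})
    for r in records:
        entry = summary[(r['scontext']['type'], r['tcontext']['type'], r['tclass'])]
        entry['perms'].update(r['perms'])
        entry['enforced' if r['enforced'] else 'logged_only'] += 1
        # MCS: the subject's categories must dominate (be a superset of) the object's.
        if not r['tcontext']['cats'] <= r['scontext']['cats']:
            entry['mcs_mismatch'] = True
    return dict(summary)


def audit2allow_style(summary):
    """Render the allow rules audit2allow would propose, for recognition only.

    container_file_t labels every container's content, so allowing svirt_t to
    enter and execute it would let any confined guest run arbitrary container
    files; the label on the binary is what needs fixing, not the policy.
    """
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(e["perms"]))} }};'
            for (s, t, c), e in sorted(summary.items())]


if __name__ == '__main__':
    report = summarize(parse_avc(SAMPLE_AUDIT_LOG))
    for key, e in sorted(report.items()):
        print(f'{key[0]} -> {key[1]}:{key[2]} perms={sorted(e["perms"])} '
              f'enforced={e["enforced"]} logged_only={e["logged_only"]} '
              f'mcs_mismatch={e["mcs_mismatch"]}')
    print('\n'.join(audit2allow_style(report)))
```

On a live compute node the same records come from `ausearch -m AVC --raw`, and the label on the binary can be confirmed from inside the libvirt container (assumed here to be named nova_libvirt, as on RHOSP 16 compute nodes) with `podman exec nova_libvirt ls -Z /usr/libexec/qemu-kvm`: a container_file_t label on that path reproduces the denial pattern above. The MCS mismatch flag matters because svirt_t is an MCS-constrained domain, so even a type-level allow rule would still leave the guest's categories (c316,c469) unable to dominate the file's (c143,c388).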
Environment

  • Red Hat Openstack Platform (RHOSP) 16.1

Subscriber exclusive content