SELinux blocking instance from spawning
Issue
- After updating RHOSP to 16.1, new instances cannot be spawned.
- The following AVC denial messages can be found in the audit log:
type=AVC msg=audit(1596552157.909:578): avc: denied { entrypoint } for pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596555374.210:1689): avc: denied { entrypoint } for pid=18428 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc: denied { read write } for pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc: denied { read execute } for pid=18428 comm="qemu-kvm" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.225:1690): avc: denied { open } for pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.225:1691): avc: denied { read } for pid=18428 comm="qemu-kvm" name="lib64" dev="overlay" ino=117065 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=lnk_file permissive=1
type=AVC msg=audit(1596555374.525:1692): avc: denied { read } for pid=18428 comm="qemu-kvm" name="/" dev="overlay" ino=116647 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=dir permissive=1
type=AVC msg=audit(1596562587.232:1911): avc: denied { entrypoint } for pid=20925 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c970,c979 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596563775.829:2316): avc: denied { entrypoint } for pid=24507 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c337,c866 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
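Two details in the records above are worth pulling out before anyone touches policy. First, the blocking denial is svirt_t (the confined libvirt/qemu domain) being refused `entrypoint` on /usr/libexec/qemu-kvm, whose label is container_file_t: the binary inside the container image carries the generic container content label rather than a type svirt_t is allowed to execute into, so libvirtd cannot transition qemu into the svirt_t domain. Second, several records carry permissive=1, which means SELinux was not enforcing when they were logged and those accesses actually went through; only the permissive=0 records blocked anything, and switching the host to permissive is not a fix. The triage script below is an added example written for this article, not code from Red Hat or the RHOSP project; it parses AVC records (a constructed sample made of five of the lines quoted above), groups them by denial signature and reports both observations. Field names follow the standard audit AVC format; the `ls -Z` hint in the output is the usual way to confirm the label on the compute host.

```python
"""Triage AVC denials of the kind shown in the article (added example).

Parses audit records, groups them by (source type, target type, class, permissions),
and flags the svirt_t -> container_file_t entrypoint denial and any permissive=1 records.
"""
import re
from collections import Counter

# Constructed sample input: five of the records quoted in the article, not a full audit log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1596552157.909:578): avc: denied { entrypoint } for pid=8860 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c141,c914 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
type=AVC msg=audit(1596555374.210:1689): avc: denied { entrypoint } for pid=18428 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=137413 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596555374.210:1689): avc: denied { read write } for pid=18428 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11765 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1596555374.225:1690): avc: denied { open } for pid=18428 comm="qemu-kvm" path="/etc/ld.so.cache" dev="overlay" ino=117069 scontext=system_u:system_r:svirt_t:s0:c316,c469 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=1
type=AVC msg=audit(1596563775.829:2316): avc: denied { entrypoint } for pid=24507 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="overlay" ino=144355 scontext=system_u:system_r:svirt_t:s0:c337,c866 tcontext=system_u:object_r:container_file_t:s0:c143,c388 tclass=file permissive=0
"""

# "avc:  denied  { perms }" uses two spaces in real logs; \s+ covers both that and the article's copy.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for (?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type (third field) of a user:role:type:mls security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    rec["stype"] = selinux_type(rec["scontext"])
    rec["ttype"] = selinux_type(rec["tcontext"])
    # permissive=0: the access was refused; permissive=1: logged only, the access succeeded.
    rec["enforced"] = rec["permissive"] == "0"
    return rec


def parse_log(text):
    """Parse every AVC record in an audit log excerpt."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def signatures(records):
    """Count records by denial signature (source type, target type, class, permissions)."""
    return Counter((r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records)


def diagnose(records):
    """Return human-readable findings for the two patterns discussed in the article."""
    findings = []
    entry = [r for r in records
             if r["stype"] == "svirt_t" and r["ttype"] == "container_file_t"
             and r["tclass"] == "file" and "entrypoint" in r["perms"]]
    if entry:
        paths = ", ".join(sorted({r.get("path", "?") for r in entry}))
        findings.append("svirt_t denied entrypoint on container_file_t: %s is labelled as generic "
                        "container content, not as a type svirt_t may execute into "
                        "(confirm the label on the host with `ls -Z`)" % paths)
    permissive = [r for r in records if not r["enforced"]]
    if permissive:
        findings.append("%d record(s) have permissive=1: SELinux was not enforcing when they were "
                        "logged, so those accesses actually succeeded" % len(permissive))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for sig, n in signatures(recs).most_common():
        print("%3d  %s -> %s  %s  %s" % (n, sig[0], sig[1], sig[2], " ".join(sig[3])))
    for finding in diagnose(recs):
        print("*", finding)
```

Feed it the output of `ausearch -m avc` (or `grep AVC /var/log/audit/audit.log`) from the compute host instead of the sample to get the same grouping for a live system; the signature table is what you compare against the allow rules in the loaded policy, and the permissive=1 count tells you whether the log you are reading was taken with enforcement switched off.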
- The traceback from nova looks like this:
Instance failed to spawn: libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2663, in _build_resources
    yield resources
  File "/usr/lib/python3.6/site-packages/nova/compute/manager.py", line 2437, in _build_and_run_instance
    block_device_info=block_device_info)
[...Output omitted...]
libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
Environment
- Red Hat Openstack Platform (RHOSP) 16.1