SELinux context issue with rpc-virtqemud

Hi all,

I was trying out some virtualization this weekend, trying to get the virt-manager flatpak running (unsuccessfully). Somehow that messed up permissions somewhere, and I'm unsure where to look.

I’m running a cockpit VM that just exists:

Cockpit bots/vm-run
📦[spytec@cockpit]/var/home/spytec/projects/cockpit/cockpit% bots/vm-run -s cockpit.socket fedora-41 -v
qemu-img create -q -f qcow2 -b /var/home/spytec/projects/cockpit/cockpit/test/images/fedora-41 -F qcow2 /run/host/var/tmp/bots-run/cockpit-xb_353l0.qcow2
+ ! test -f /run/nologin && cat /proc/sys/kernel/random/boot_id
# systemctl enable --now cockpit.socket
+ systemctl enable --now cockpit.socket
Created symlink '/etc/systemd/system/sockets.target.wants/cockpit.socket' → '/usr/lib/systemd/system/cockpit.socket'.

SSH ACCESS
  $ ssh -p 2201 -i bots/machine/identity root@127.0.0.2

COCKPIT
  https://127.0.0.2:9091
  Username: admin
  Password: foobar

[ ^C to terminate ]
📦[spytec@cockpit]/var/home/spytec/projects/cockpit/cockpit%

That should create a VM for me, but journalctl says:

journalctl -f
mar 10 14:06:05 sabre audit[20210]: USER_START pid=20210 uid=1000 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
mar 10 14:06:05 sabre systemd[20303]: Created slice session.slice - User Core Session Slice.
mar 10 14:06:05 sabre systemd[20303]: Starting dbus-broker.service - D-Bus User Message Bus...
mar 10 14:06:05 sabre dbus-broker-launch[20326]: Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +31: Eavesdropping is deprecated and ignored
mar 10 14:06:05 sabre dbus-broker-launch[20326]: Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +33: Eavesdropping is deprecated and ignored
mar 10 14:06:05 sabre systemd[20303]: Started dbus-broker.service - D-Bus User Message Bus.
mar 10 14:06:05 sabre dbus-broker-launch[20326]: Ready
mar 10 14:06:08 sabre virtqemud[20418]: libvirt version: 10.1.0, package: 4.fc40 (Fedora Project, 2024-08-27-14:14:13, )
mar 10 14:06:08 sabre virtqemud[20418]: hostname: sabre
mar 10 14:06:08 sabre virtqemud[20418]: internal error: Unable to get system bus connection: Could not connect: No such file or directory
mar 10 14:06:09 sabre virtqemud[20418]: Domain id=1 name='fedora-41-127.0.0.2-2201' uuid=ac5e05a9-6131-4126-80d4-31cb78d4c135 is tainted: custom-argv
mar 10 14:06:14 sabre systemd[1]: flatpak-system-helper.service: Deactivated successfully.
mar 10 14:06:14 sabre audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=flatpak-system-helper comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mar 10 14:06:16 sabre virtqemud[20418]: missing device in NIC_RX_FILTER_CHANGED event
mar 10 14:06:16 sabre virtqemud[20418]: missing device in NIC_RX_FILTER_CHANGED event
mar 10 14:06:21 sabre systemd[1]: Starting virtqemud.service - libvirt QEMU daemon...
mar 10 14:06:21 sabre systemd[1]: Started virtqemud.service - libvirt QEMU daemon.
mar 10 14:06:21 sabre audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtqemud comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { search } for  pid=20770 comm="rpc-virtqemud" name="20765" dev="proc" ino=110753 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=dir permissive=1
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { read } for  pid=20770 comm="rpc-virtqemud" name="stat" dev="proc" ino=98259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=file permissive=1
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { open } for  pid=20770 comm="rpc-virtqemud" path="/proc/20765/stat" dev="proc" ino=98259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=file permissive=1
mar 10 14:06:23 sabre systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
mar 10 14:06:23 sabre systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
mar 10 14:06:23 sabre audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mar 10 14:06:23 sabre systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@2.service.
mar 10 14:06:23 sabre audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
mar 10 14:06:24 sabre SetroubleshootPrivileged.py[20853]: failed to retrieve rpm info for path '/etc/selinux/targeted/active/modules/100/virt':
mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from search access on the directory 20765. For complete SELinux messages run: sealert -l 01ade45a-f9e2-4a33-8561-cd7ea203c8b5
mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from search access on the directory 20765.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rpc-virtqemud should be allowed search access on the 20765 directory by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                             # semodule -X 300 -i my-rpcvirtqemud.pp

mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from read access on the file stat. For complete SELinux messages run: sealert -l a512a410-6c68-4037-af79-df206ceeadd1
mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from read access on the file stat.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rpc-virtqemud should be allowed read access on the stat file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                             # semodule -X 300 -i my-rpcvirtqemud.pp

mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from open access on the file /proc/<pid>/stat. For complete SELinux messages run: sealert -l 1cbc196c-c256-45e3-bf33-c94cae64f76c
mar 10 14:06:24 sabre setroubleshoot[20816]: SELinux is preventing rpc-virtqemud from open access on the file /proc/<pid>/stat.

                                             *****  Plugin catchall (100. confidence) suggests   **************************

                                             If you believe that rpc-virtqemud should be allowed open access on the stat file by default.
                                             Then you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Do
                                             allow this access for now by executing:
                                             # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                             # semodule -X 300 -i my-rpcvirtqemud.pp

Checking one of the errors with sealert gives me this:

sealert -l 01ade45a-f9e2-4a33-8561-cd7ea203c8b5
~/projects/cockpit
❯ sealert -l 01ade45a-f9e2-4a33-8561-cd7ea203c8b5
SELinux is preventing rpc-virtqemud from search access on the directory 20765.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc-virtqemud should be allowed search access on the 20765 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
# semodule -X 300 -i my-rpcvirtqemud.pp


Additional Information:
Source Context                system_u:system_r:virtqemud_t:s0
Target Context                unconfined_u:unconfined_r:spc_t:s0
Target Objects                20765 [ dir ]
Source                        rpc-virtqemud
Source Path                   rpc-virtqemud
Port                          <Unknown>
Host                          sabre
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.33-1.fc41.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sabre
Platform                      Linux sabre 6.13.5-102.bazzite.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Feb 28 10:23:59 UTC 2025
                              x86_64
Alert Count                   9
First Seen                    2025-03-10 12:53:51 CET
Last Seen                     2025-03-10 14:06:21 CET
Local ID                      01ade45a-f9e2-4a33-8561-cd7ea203c8b5

Raw Audit Messages
type=AVC msg=audit(1741611981.227:360): avc:  denied  { search } for  pid=20770 comm="rpc-virtqemud" name="20765" dev="proc" ino=110753 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=dir permissive=1


Hash: rpc-virtqemud,virtqemud_t,spc_t,dir,search

Any ideas where to look?
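To see at a glance what the AVC records above are saying, here is an added example (my own code, not from the thread, libvirt or setroubleshoot) that parses the three denials quoted in the journal output and collapses them the way the audit2allow command setroubleshoot suggests would. It shows rpc-virtqemud, running as virtqemud_t, trying to search /proc/20765 and read /proc/20765/stat, where that process is labelled spc_t, the label processes in a privileged or label-disabled container such as a toolbox get, which is consistent with the 📦 prompt and /run/host path in the vm-run output. The sample lines are copied from the post; nothing else is assumed.

```python
"""Triage SELinux AVC denials from journal or audit.log text.

Added example, not from the thread, libvirt or setroubleshoot: parses the AVC
records quoted in the post above, collapses them the way audit2allow would,
and flags whether each denial was actually enforced.
"""
import re
from collections import defaultdict

# Sample input: the three AVC lines from the journal above (journal formatting,
# copied from the post) plus one unrelated line that the parser must skip.
SAMPLE_LOG = """\
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { search } for  pid=20770 comm="rpc-virtqemud" name="20765" dev="proc" ino=110753 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=dir permissive=1
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { read } for  pid=20770 comm="rpc-virtqemud" name="stat" dev="proc" ino=98259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=file permissive=1
mar 10 14:06:21 sabre audit[20770]: AVC avc:  denied  { open } for  pid=20770 comm="rpc-virtqemud" path="/proc/20765/stat" dev="proc" ino=98259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:unconfined_r:spc_t:s0 tclass=file permissive=1
mar 10 14:06:21 sabre systemd[1]: Started virtqemud.service - libvirt QEMU daemon.
"""

# Matches both journal lines ("AVC avc:  denied ...") and raw audit.log records
# ("type=AVC msg=audit(...): avc:  denied ..."): only the part after "avc:" matters.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=1: the kernel logged the denial but allowed the access (the
    # domain or the whole system is permissive). permissive=0: access was refused.
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec


def parse_avc_log(text):
    return [r for r in map(parse_avc_line, text.splitlines()) if r]


def allow_rules(records):
    """Collapse denials into the allow rules audit2allow would generate, one per
    (source type, target type, class), e.g. 'allow virtqemud_t spc_t:dir search;'."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def triage(text):
    """Human-readable summary: who touched what, and whether it was really blocked."""
    records = parse_avc_log(text)
    lines = []
    for r in records:
        target = r.get("path") or r.get("name", "?")
        state = "BLOCKED" if r["enforced"] else "logged only (permissive)"
        lines.append(f'{r["comm"]} ({r["stype"]}) {" ".join(r["perms"])} {r["tclass"]} '
                     f'{target} labelled {r["ttype"]}: {state}')
    lines.append("audit2allow would grant: " + " ".join(allow_rules(records)))
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Two things worth noticing in the output. All three records carry permissive=1, so nothing was actually refused; the denials are a symptom of the system daemon being contacted from a container process, not the reason the VM failed to come up. And the rule the catchall plugin proposes would let the root-owned system libvirt daemon read process state of every spc_t container process on the host, which is a much wider grant than the configuration change that resolves the thread.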

Are you using virt-manager from the Fedora Flatpak repo or the one from Flathub?

The one from Flathub (Install Virtual Machine Manager on Linux | Flathub) comes with an extension to run everything as user. I don’t know if the Fedora one has everything in.

If you are using a system session, then you need either the libvirt packages overlayed on your system (Overlaying libvirt on Silverblue / Kinoite / Sericea / Onyx and CoreOS) or use the sysext: GitHub - travier/fedora-sysexts: Example sysexts for Fedora image based systems

The problem isn't specifically with virt-manager, but it occurred after I installed that and tried to fix the KVM/QEMU connection it claimed to be lacking. I tried both the Fedora and Flathub variants of virt-manager. To try and fix it, yesterday I ran sudo dnf5 install @virtualization, which didn't work due to some DB issue.

Possible dnf5 group bug
$ sudo dnf5 install @virtualization
...
[94/94] Total                                              100% |   0.0   B/s |   0.0   B |  00m00s
Running transaction
SQL statement evaluation failed: "
    INSERT INTO
        "trans" (
            "dt_begin",
            "dt_end",
            "rpmdb_version_begin",
            "rpmdb_version_end",
            "releasever",
            "user_id",
            "description",
            "comment",
            "state_id",
            "id"
        )
        VALUES
            (1741614020, 0, 'ba3ed13ee06014709856999775183192b6ff2f0e5f371f8a3407d887b17199df', '', '41', 1000, 'dnf5 install @virtualization', '', (SELECT "id" FROM "trans_state" WHERE "name" = 'Started'), NULL)
": (8) - attempt to write a readonly database

And then I followed the RISC-V QEMU guide somewhat and ran these commands:

$ sudo dnf5 install \
          libvirt-daemon-driver-qemu \
          libvirt-daemon-driver-storage-core \
          libvirt-daemon-driver-network \
          libvirt-daemon-config-network \
          libvirt-client \
          virt-install \
          qemu-system-riscv-core \
          edk2-riscv64
$ sudo usermod -a -G libvirt $(whoami)
$ mkdir -p ~/.config/libvirt && \
  echo 'uri_default = "qemu:///system"' >~/.config/libvirt/libvirt.conf

So setting up Cockpit development VMs did work before without any issues, so it is some human error I've created (or some bug happened just as I was experimenting, but let's assume human error first).

You've tagged this post with Atomic Desktops. What variant are you using? If you are indeed on an Atomic Desktop, then running dnf5 directly will not work; you have to use rpm-ostree instead.

To add a user to a system group, you might have to do: Troubleshooting :: Fedora Docs

Seems like libvirt was already in /etc/groups, but I removed that and reran the commands in the troubleshooting guide.

❯ groups
spytec wheel libvirt ollama plugdev

I'm running Fedora Silverblue, specifically a bootc Bazzite variant: GitHub - Venefilyn/veneos: Bootable container OS for myself

I tried rerunning the command with rpm-ostree install as well, but there's still no change in behaviour.

I wonder if the unit file plays a role as this is started around the same time?

❯ systemctl status virtqemud.service
○ virtqemud.service - libvirt QEMU daemon
     Loaded: loaded (/usr/lib/systemd/system/virtqemud.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead) since Mon 2025-03-10 15:22:35 CET; 7s ago
   Duration: 2min 95ms
 Invocation: c783d4336eed4c1385816ecaa4e74f4d
TriggeredBy: ● virtqemud-admin.socket
             ● virtqemud.socket
             ● virtqemud-ro.socket
       Docs: man:virtqemud(8)
             https://libvirt.org/
    Process: 17068 ExecStart=/usr/sbin/virtqemud $VIRTQEMUD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 17068 (code=exited, status=0/SUCCESS)
   Mem peak: 6.1M
        CPU: 28ms

mar 10 15:20:35 sabre systemd[1]: Starting virtqemud.service - libvirt QEMU daemon...
mar 10 15:20:35 sabre systemd[1]: Started virtqemud.service - libvirt QEMU daemon.
mar 10 15:22:35 sabre systemd[1]: virtqemud.service: Deactivated successfully.

Aha, so it seems the step in the RISC-V guide did cause it, with the libvirt config pointing to system. Changing that, and the Cockpit dev VM works.

Testing out system, and that also works fine in virt-manager now :pray:
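Since the fix turned out to be a client-side setting, here is an added example (my own code, not libvirt's and not from the thread) of how a libvirt client picks its default connection URI, so a stray qemu:///system is easy to spot: LIBVIRT_DEFAULT_URI in the environment wins, then uri_default from the client config (~/.config/libvirt/libvirt.conf, or $XDG_CONFIG_HOME if set, and /etc/libvirt/libvirt.conf for root), and only with neither set does libvirt probe drivers itself, which the example reports as None rather than guessing. The sample config is the line the RISC-V guide step writes; the wording in describe() is my own summary of what each URI implies.

```python
"""Work out which libvirt daemon a client will talk to by default.

Added example, not from the thread or from libvirt: applies the documented
precedence (LIBVIRT_DEFAULT_URI, then uri_default from the client config),
so a stray "qemu:///system" in ~/.config/libvirt/libvirt.conf is easy to spot.
"""
import os
import re
from urllib.parse import urlparse

# The line the RISC-V guide step in the thread writes to ~/.config/libvirt/libvirt.conf.
SAMPLE_CONF = 'uri_default = "qemu:///system"\n'

# libvirt.conf is key = "value" with '#' comments; uri_aliases = [...] is a
# list and is deliberately left out of this parser.
KV_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def client_conf_path(uid=None, environ=None):
    """Where the libvirt client reads its config: /etc for root, XDG config dir otherwise."""
    uid = os.getuid() if uid is None else uid
    environ = os.environ if environ is None else environ
    if uid == 0:
        return "/etc/libvirt/libvirt.conf"
    base = environ.get("XDG_CONFIG_HOME") or os.path.join(environ.get("HOME", "~"), ".config")
    return os.path.join(base, "libvirt", "libvirt.conf")


def parse_libvirt_conf(text):
    """Collect the string-valued keys of a libvirt.conf body."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, then whitespace
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def effective_uri(environ, conf_text):
    """LIBVIRT_DEFAULT_URI beats uri_default; with neither set libvirt probes
    drivers on its own, reported here as None rather than guessed."""
    return environ.get("LIBVIRT_DEFAULT_URI") or parse_libvirt_conf(conf_text).get("uri_default")


def describe(uri):
    """Which daemon a URI reaches, and the privilege boundary that implies."""
    if uri is None:
        return "unset: libvirt probes drivers itself; run `virsh uri` to see the result"
    p = urlparse(uri)
    where = f"remote host {p.hostname}" if p.hostname else "local"
    if p.path == "/system":
        return f"{where} system daemon (root-owned virtqemud, virtqemud_t; needs libvirt group or polkit)"
    if p.path == "/session":
        return f"{where} session daemon (runs unprivileged as the calling user)"
    return f"{where} {uri}"


if __name__ == "__main__":
    uri = effective_uri(os.environ, SAMPLE_CONF)
    print(client_conf_path(), "->", uri, "->", describe(uri))
```

The file lives in the home directory, and a toolbox container shares the host home, so a uri_default written on the host also steers every libvirt client run inside the toolbox; that is why one line from a guide about a different use case changed where the Cockpit test VM was created.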