Unable to create new virt-manager vm with software TPM on Fedora 40

Interesting. I can reproduce an error. But I cannot even start VMs that already exist, it's not just creating new ones. Both fail with the same error. I also don't think this issue is limited to virt-manager, which itself is only an interface. It looks like something that is related to libvirt.

The last time I was using my VMs was indeed before upgrading to F40.

@zpytela I am not sure if that is relevant for you.

Here are some extracts from ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today and journalctl -r (root):

ausearch

type=AVC msg=audit(04/24/2024 23:22:11.260:847) : avc:  denied  { relabelfrom } for  pid=48709 comm=rpc-virtqemud name=6-Fedora-40-KDE dev="tmpfs" ino=4723 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 

journalctl

Apr 24 23:22:26 fedora.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:26 fedora.domain systemd[1]: setroubleshootd.service: Consumed 1.850s CPU time.
Apr 24 23:22:26 fedora.domain systemd[1]: setroubleshootd.service: Deactivated successfully.
Apr 24 23:22:25 fedora.domain systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@18.service: Consumed 1.833s CPU time.
Apr 24 23:22:25 fedora.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@18 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:25 fedora.domain systemd[1]: dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@18.service: Deactivated successfully.
Apr 24 23:22:16 fedora.domain setroubleshoot[48716]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 6-Fedora-40-KDE.
                                                        
                                                        *****  Plugin catchall (100. confidence) suggests   **************************
                                                        
                                                        If you believe that rpc-virtqemud should be allowed relabelfrom access on the 6-Fedora-40-KDE directory by default.
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                                                        # semodule -X 300 -i my-rpcvirtqemud.pp
                                                        
Apr 24 23:22:16 fedora.domain setroubleshoot[48716]: SELinux is preventing rpc-virtqemud from relabelfrom access on the directory 6-Fedora-40-KDE. For complete SELinux messages run: sealert -l cca8169d-9031-4765-9b6a-71645ad44a43
Apr 24 23:22:14 fedora.domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@18 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:14 fedora.domain systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@18.service.
Apr 24 23:22:13 fedora.domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:13 fedora.domain systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Apr 24 23:22:13 fedora.domain systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_CONTROL pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=vcpu reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-vcpu=0 new-vcpu=4 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=mem reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-mem=0 new-mem=8388608 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=rng reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-rng="?" new-rng="/dev/urandom" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=dev reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 bus=usb device=555342207265646972646576 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=dev reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 bus=usb device=555342207265646972646576 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=net reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-net="?" new-net="52:54:00:d1:41:99" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=fs reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-fs="?" new-fs="/home/username/someFolder/someFolder/" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_RESOURCE pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=disk reason=start vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 old-disk="?" new-disk="/var/lib/libvirt/images/Fedora-39-KDE.qcow2" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain virtqemud[45992]: Unable to open system token /run/libvirt/common/system.token: Permission denied
Apr 24 23:22:11 fedora.domain virtqemud[45992]: Unable to open system token /run/libvirt/common/system.token: Permission denied
Apr 24 23:22:11 fedora.domain audit[48709]: AVC avc:  denied  { relabelfrom } for  pid=48709 comm="rpc-virtqemud" name="6-Fedora-40-KDE" dev="tmpfs" ino=4723 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_MACHINE_ID pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_MACHINE_ID pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 vm-ctx=system_u:system_r:svirt_t:s0:c582,c978 img-ctx=system_u:object_r:svirt_image_t:s0:c582,c978 model=selinux exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'

My own VM runs with sysadm_u (which worked fine on F39), but I assume @safforddr has a normal unconfined_u.

David, can you also provide extracts from the outputs of ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today and journalctl --boot=0 --no-hostname from the very time of an attempt plus the 15 seconds before and after? Feel free to anonymize the output.

By the way, thanks for bringing this up David :wink:

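The AVC and VIRT_CONTROL records quoted above are exactly what audit2allow and sealert operate on, and it is worth reading their fields before installing a local policy module. The following script is an added example, not part of this thread and not code from libvirt or setroubleshoot: it parses AVC lines in either journalctl or ausearch -i form, derives the allow rule audit2allow would generate for each, separates records with permissive=1 (the kernel logged the denial but did not block the access, because the domain or the whole system was in permissive mode) from records that actually blocked, and lists VIRT_CONTROL records that ended with res=failed. The sample log is constructed from lines quoted above plus one hypothetical enforcing-mode denial (example_t, example_file_t) added only for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in the thread above (ausearch -i form and raw
# journal form of the same AVC, the VIRT_CONTROL failure and the token error),
# plus one HYPOTHETICAL enforcing-mode denial (example_t) that is not from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(04/24/2024 23:22:11.260:847) : avc:  denied  { relabelfrom } for  pid=48709 comm=rpc-virtqemud name=6-Fedora-40-KDE dev="tmpfs" ino=4723 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
Apr 24 23:22:11 fedora.domain audit[45992]: VIRT_CONTROL pid=45992 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="Fedora-40-KDE" uuid=a7f5659c-a227-4b84-8440-f72f1d3c6a61 vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'
Apr 24 23:22:11 fedora.domain virtqemud[45992]: Unable to open system token /run/libvirt/common/system.token: Permission denied
Apr 24 23:22:11 fedora.domain audit[48709]: AVC avc:  denied  { relabelfrom } for  pid=48709 comm="rpc-virtqemud" name="6-Fedora-40-KDE" dev="tmpfs" ino=4723 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
Apr 24 23:22:12 fedora.domain audit[99999]: AVC avc:  denied  { read write } for  pid=99999 comm="example" name="example.img" dev="dm-0" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm ... } for  key=value ..." is shared by journal and ausearch -i output.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# Values are either double-quoted (journal form) or bare (ausearch -i form).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# VIRT_CONTROL records carry the operation, the VM name and the result.
VIRT_CONTROL_RE = re.compile(
    r'VIRT_CONTROL\b.*?\bop=(?P<op>\w+).*?\bvm="(?P<vm>[^"]+)".*?\bres=(?P<res>\w+)'
)


@dataclass
class AvcDenial:
    perms: list[str]
    fields: dict[str, str]

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def permissive(self) -> bool:
        # permissive=1: logged but not blocked (domain or system in permissive mode)
        return self.fields.get("permissive") == "1"

    def allow_rule(self) -> str:
        """The TE allow rule audit2allow would emit for this record."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {perms};"


def parse_avc(line: str):
    """Return an AvcDenial for an AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(perms, fields)


def triage(log_text: str):
    """Split AVC records into (blocking, logged_only) by the permissive flag."""
    blocking, logged_only = [], []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        (logged_only if d.permissive else blocking).append(d)
    return blocking, logged_only


def failed_vm_operations(log_text: str):
    """(vm, op) pairs from VIRT_CONTROL records whose result was 'failed'."""
    out = []
    for line in log_text.splitlines():
        m = VIRT_CONTROL_RE.search(line)
        if m and m.group("res") == "failed":
            out.append((m.group("vm"), m.group("op")))
    return out


if __name__ == "__main__":
    blocking, logged_only = triage(SAMPLE_LOG)
    for d in blocking:
        print("BLOCKED   ", d.fields["comm"], d.allow_rule())
    for d in logged_only:
        print("LOGGED ONLY (permissive)", d.fields["comm"], d.allow_rule())
    for vm, op in failed_vm_operations(SAMPLE_LOG):
        print("VIRT_CONTROL failed:", op, vm)
```

Whether a permissive=1 record comes from a permissive domain or from a fully permissive system can be checked with getenforce and semanage permissive -l. The generated rule is the same one audit2allow would put into a local module; for a relabelfrom on virt_var_run_t by virtqemud_t, the setroubleshoot advice above to report it as a bug is the safer route than silently installing that module.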