Newest error when trying to create a new VM
Details show
Unable to complete install: 'internal error: QEMU unexpectedly closed the monitor (vm='fedora-coreos-stable'): 2025-12-28T13:57:54.709354Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/data/images/Linux/fedora-coreos-43.20251120.3.0-live-iso.x86_64.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/data/images/Linux/fedora-coreos-43.20251120.3.0-live-iso.x86_64.iso': Permission denied'
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    ~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtManager/createvm.py", line 1969, in _do_async_install
    installer.start_install(guest, meter=meter)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 722, in start_install
    domain = self._create_guest(guest, meter, initial_xml, final_xml, doboot, transient)
  File "/usr/share/virt-manager/virtinst/install/installer.py", line 664, in _create_guest
    domain = self.conn.createXML(initial_xml or final_xml, 0)
  File "/usr/lib64/python3.14/site-packages/libvirt.py", line 4594, in createXML
    raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: QEMU unexpectedly closed the monitor (vm='fedora-coreos-stable'): 2025-12-28T13:57:54.709354Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/data/images/Linux/fedora-coreos-43.20251120.3.0-live-iso.x86_64.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/var/data/images/Linux/fedora-coreos-43.20251120.3.0-live-iso.x86_64.iso': Permission denied
Not sure if this is related
Dec 28 14:57:57 hogwart setroubleshoot[10381]: SELinux is preventing udev-event from using the dac_override capability. For complete SELinux messages run: sealert -l 05855275-cccf-4f0a-9d7b->
Dec 28 14:57:57 hogwart setroubleshoot[10381]: SELinux is preventing udev-event from using the dac_override capability.
EDIT
sealert -l 05855275-cccf-4f0a-9d7b-b06eca9ec649
gives
SELinux is preventing udev-event from using the dac_override capability.
***** Plugin dac_override (91.4 confidence) suggests **********************
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that udev-event should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'udev-event' --raw | audit2allow -M my-udevevent
semodule -X 300 -i my-udevevent.pp
Additional Information:
Source Context                system_u:system_r:virtnodedevd_t:s0
Target Context                system_u:system_r:virtnodedevd_t:s0
Target Objects                Unknown [ capability ]
Source                        udev-event
Source Path                   udev-event
Port
Host                          hogwart
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.19-1.fc43.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hogwart
Platform                      Linux hogwart 6.17.8-300.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Nov 14 01:47:12 UTC 2025
                              x86_64
Alert Count                   59
First Seen                    2025-11-28 13:21:43 CET
Last Seen                     2025-12-28 15:08:08 CET
Local ID                      05855275-cccf-4f0a-9d7b-b06eca9ec649
Raw Audit Messages
type=AVC msg=audit(1766930888.47:296): avc: denied { dac_override } for pid=4941 comm="udev-event" capability=1 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
Hash: udev-event,virtnodedevd_t,virtnodedevd_t,capability,dac_override
Yes, this is the cause. After setting SELinux to Permissive, I can create the VM.
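Added example, not part of the original post: a small Python triage helper that parses raw AVC denial records (as printed by `ausearch -m avc -ts recent`), rebuilds the `Hash:` signature sealert shows, and groups denials by subject domain and object class. The function names are hypothetical, the second sample record is constructed for illustration, and joining multiple permissions with a space is an assumption.

```python
import re
from collections import Counter

# Sample records. The first is the AVC quoted in the post (straight quotes
# restored); the second is CONSTRUCTED for illustration only.
SAMPLE = '''\
type=AVC msg=audit(1766930888.47:296): avc:  denied  { dac_override } for  pid=4941 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1766930900.10:301): avc:  denied  { read } for  pid=5000 comm="qemu-system-x86" name="example.iso" dev="dm-0" ino=12345 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # SELinux contexts are user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def signature(rec):
    """Fields in the same order as the 'Hash:' line in the sealert output."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'],
                     rec['tclass'], ' '.join(rec['perms'])])

def summarize(text):
    """Count denials per signature and record which ones name an object."""
    counts, has_object = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            sig = signature(rec)
            counts[sig] += 1
            has_object[sig] = 'path' in rec or 'name' in rec
    return counts, has_object

if __name__ == '__main__':
    counts, has_object = summarize(SAMPLE)
    for sig, n in counts.items():
        kind = 'names an object' if has_object[sig] else 'no object named'
        print(f'{n:3d}  {sig}  [{kind}]')
```

Feeding it the output of `ausearch -m avc -ts recent` taken right after a failed VM start shows which domains were denied in that window and whether each denial names a file.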