SELinux blocking libvirtd in Fedora 40

specked6341 · April 17, 2024, 2:35am

In Fedora 39, libvirtd work correctly, exactly as expected. But after rebasing to Fedora 40, I start seeting SELinux errors. When SELinux is enabled, trying to create or use a libvirtd VM fails with “Permission Denied” errors. As soon as I disable SELinux, everything works fine. This is not the case with Silverblue. In Silverblue, libvirtd works correctly with SELinux out of the box without needing to disable it.

The Bluefin just file for enabling Incus does specify that SELinux has to be disabled in order for Incus to work, however that’s also different from Silverblue. In Silverblue, Incus works out of the box without needing to disable SELinux.

Note that there were previous SELinux issues with Incus, but they’ve been resolved: LXD 5.19 removed SELinux workarounds. · Issue #41 · ganto/copr-lxc4 · GitHub

Someone else has a workaround for Incus but it’s not a great experience to have to do that:

This was all tested today with a fresh install of Silverblue and Bluefin, both of which were up to date.

f0nzie · April 17, 2024, 5:26pm

Maybe you should try installing Bluefin-DX. There are few kinks in Bluefin - in my experience - but definitely everything works in Bluefin-DX. I am still testing every environment. Virtual Manager works very reliably. Just don’t forget to activate the admin group for virtualization with ujust dx-group

specked6341 · April 17, 2024, 6:12pm

I didn’t specify but I am using Bluefin-DX. I’m added to the proper groups but it doesn’t make a difference, even root has the same problem.

This is a root shell, you can see that when SELinux is enabled, I’m unable to create a VM due to a virtlogd error. As soon as I disable SELinux, everything works correctly:

bash-5.2# sudo getenforce
Enforcing
bash-5.2# rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
  ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:40
                   Digest: sha256:6c5fbf6d2c8da6094ebee8ff0104672275ef411c07f822f75609534c4721a14b
                  Version: 40.20240417.0 (2024-04-17T16:53:19Z)
                     Diff: 2 upgraded

● ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:40
                   Digest: sha256:c88b1f5d70f4ab6d1a9e85ae656fc3642ad93c8a1f935d80363752e5a224c8f8
                  Version: 40.20240416.0 (2024-04-16T21:36:48Z)

  ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:40
                   Digest: sha256:84138aacff6e2626b1348fbcc9de23a590371cbd50348029f9925496b7125df8
                  Version: 40.20240416.0 (2024-04-16T16:58:03Z)
bash-5.2# sudo virt-install --name debian12-vm --memory 2048 --vcpus=2 --cdrom=/tmp/debian-12.5.0-amd64-netinst.iso --os-variant=debian12 --disk size=20

Starting install...
Allocating 'debian12-vm.qcow2'                                                                                                                   | 3.2 MB  00:00:02 ... 
Removing disk 'debian12-vm.qcow2'                                                                                                                |    0 B  00:00:00     
ERROR    can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start debian12-vm
otherwise, please restart your installation.
bash-5.2# setenforce 0
bash-5.2# systemctl restart libvirtd virtlogd
bash-5.2# virt-install --name debian12-vm --memory 2048 --vcpus=2 --cdrom=/tmp/debian-12.5.0-amd64-netinst.iso --os-variant=debian12 --disk size=20

Starting install...
Allocating 'debian12-vm.qcow2'                                                                                                                            | 2.0 MB  00:00:00 ... 
Creating domain...                                                                                                                                        |    0 B  00:00:00     
Running graphical console command: virt-viewer --connect qemu:///system --wait debian12-vm

(virt-viewer:18240): GSpice-WARNING **: 14:08:18.814: Warning no automount-inhibiting implementation available

Domain is still running. Installation may be in progress.
You can reconnect to the console to complete the installation process.
bash-5.2#

I updated to Fedora 40 just to check if it made a difference and it didn’t, I see the same or similar errors with Fedora 39.

f0nzie · April 17, 2024, 7:21pm

I run your command in Bluefin-DX but with another ISO and Virt Manager works perfectly!

❯ sudo virt-install --name debian12-vm --memory 2048 --vcpus=2 --cdrom=/home/user/Downloads/latest-nixos-minimal-x86_64-linux.iso --os-variant=debian12 --disk size=20

Starting install...
Allocating 'debian12-vm.qcow2'                                                                                      |    0 B  00:00:00 ... 
Creating domain...                                                                                                  |    0 B  00:00:00     
Running graphical console command: virt-viewer --connect qemu:///system --wait debian12-vm

(virt-viewer:100922): GSpice-WARNING **: 14:18:54.835: Warning no automount-inhibiting implementation available

specked6341 · April 17, 2024, 9:06pm

You’re right! I got confused about when I tested. I just confirmed it works correctly in Fedora 39, but upon updating to Fedora 40 I start getting errors. Thanks for forcing me to retest!

akarypid · April 21, 2024, 8:32am

Is this still the case, or is it fixed? This is the only thing keeping me from testing 40 (I rolled back as I use virt manager daily).

specked6341 · April 21, 2024, 12:49pm

From my testing, I’m only seeing the problem with libvirtd when upgrading from 39 to 40. I generated an F40 iso and that seemed to work fine.

Incus still doesn’t work properly with SELinux in any case (but it does in Silverblue).

akarypid · April 21, 2024, 2:12pm

Hmmm, I haven’t gotten around to learning how to do this yet.

Did you do something special to fix it in your ISO, or does that means that building from the very latest Fedora 40 source repos has this “fixed”?

I’m just wondering if it’s fixed for everyone as the final release is around the corner, so I guess bluefin “latest” will start pointing to 40 soon.

akarypid · April 23, 2024, 9:00am

Seems like there is now a thread in Silverblue for this:

The suggested workaround is:

Doing a full system relabel may mitigate the problem (especially the inability to launch a VM at all). To do this, run the following from a console:

sudo touch /.autorelabel

and then restart the system. The entire filesystem will have its SELinux labels corrected. This takes some time - anywhere from five minutes to an hour or so…

I have not tried the workaround but after the official 40 release I will try it when my system updates. Hopefully it works, otherwise I will have to roll back to 39 and wait for this to be fixed.

dogphilosopher · April 23, 2024, 2:11pm

AFAIK, relabeling is not possible on an Atomic system because root is not writable. I will do some further testing and see if I can replicate the issue on Bluefin-DX 39 to 40 upgrade.

~~For now, a potential workaround for this is setting SELinux to permissive mode and see if that resolves the issue!~~

Looks like there is a potential workaround in this thread: 2272971 – Error starting domain: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permiso denegado

Thanks for reporting this!

akarypid · April 23, 2024, 3:50pm

Just providing the link to the specific comment with the workaround (I think you are referring to comment #11):

https://bugzilla.redhat.com/show_bug.cgi?id=2272971#c11

Basically the author claims:

After running fixfiles -R libvirt-daemon-driver-qemu,libvirt-daemon-log restore && systemctl restart virtqemud virtlogd the problem was fixed

Obviously the fix only works until you reboot:

After a reboot the problem reappeared (since the fixes were all in /run which is not persistent) - I will check the other packages to find a fix on the real file system

I can see myself adding a systemd startup command that runs late to fix these permission on every start to make sure things work (until a proper fix).

I will report here after I upgrade and manage to test this workaround.

Update - above workaround also doesn’t work, however:

I have found this issue is random. I’ve rebooted 5 times just now in a row, and first thing I did was immediately run virt-manager and start a VM. It worked 3 out of 5 times.

So basically, when you reboot, immediately try to start a VM and if it doesn’t work then reboot again and repeat until your system ends up in a working state. This is not ideal, but at least may allow you to work…

jarmez · July 3, 2024, 11:27am

I had this problem and tried a whole raft of different solutions. Apart from setting the system SELINUX to permissive mode (setenforce 0), what worked for me in the end ‘restorecon /var/lib/libvirt’ this worked and was persistent after reboot. I have had no issues since.

lethedata · July 9, 2024, 12:31am

Another folder that is not created and might need to be restoreconed is the /var/log/libvirt. Ran into it when dealing with vagrant today.

Here’s the issue in the bluefin repo since it hasn’t been mentioned yet.

github.com/ublue-os/bluefin

Libvirt can't create new VM (logging issue)

opened 03:37AM - 08 May 24 UTC

spacimek

dx aurora

### Describe the bug I would like to set up rather permanent Windows 11 VM, s…o I am trying to use libvirt along with its VM Manager. Here's the error: Unable to complete install: 'can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/XPS.log: Permission denied' Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install installer.start_install(guest, meter=meter) File "/usr/share/virt-manager/virtinst/install/installer.py", line 695, in start_install domain = self._create_guest( ^^^^^^^^^^^^^^^^^^^ File "/usr/share/virt-manager/virtinst/install/installer.py", line 637, in _create_guest domain = self.conn.createXML(initial_xml or final_xml, 0) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib64/python3.12/site-packages/libvirt.py", line 4529, in createXML raise libvirtError('virDomainCreateXML() failed') libvirt.libvirtError: can't connect to virtlogd: Unable to open file: /var/log/libvirt/qemu/XPS.log: Permission denied I tried to change the dir to 777, I even tried to touch the file, but it didn't help: ❯ ls -ltra /var/log/libvirt/qemu/ total 0 drwxrwxrwx. 1 root root 8 May 7 14:29 .. -rw-r--r--. 1 slavek slavek 0 May 7 14:32 XPS.log drwxrwxrwx. 1 root root 18 May 7 14:32 . I tried to go with manual setup as well as semi-automated ISO setup, both cases gave the same error. ### What did you expect to happen? I expect libvirt to start making my VM! ### Output of `rpm-ostree status` ```shell State: idle AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 1 day 1h ago Deployments: ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest Digest: sha256:5d64652fe35ea16c895962b31b4c41cfaeab904c392d99cce67cd3e99640ce83 Version: 40.20240506.0 (2024-05-06T16:53:28Z) Diff: 12 upgraded ● ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest Digest: sha256:8f5d5c70a409c581c25fc3d7bcc0be565a4bcc237030022fa63050244b7bfad2 Version: 40.20240505.0 (2024-05-05T16:51:55Z) ostree-image-signed:docker://ghcr.io/ublue-os/aurora-dx:latest Digest: sha256:e9d1f50e54f031f14c9edc34ecbff4e1762e46670694618b055af60830409c4d Version: 40.20240428.0 (2024-04-29T02:07:21Z) ``` ### Extra information or context I have disabled root account for the installation, if that makes any difference.

Topic		Replies	Views
LXD or incus without disabling SELinux on Bluefin? Bluefin and Aurora	2	299	March 24, 2024
Bluefin/Aurora is not working out for me. Why? General	4	954	April 20, 2024
Docker permission denied Bluefin and Aurora	4	423	July 13, 2024
Newbie questions on installing Mullvad VPN, VeraCrypt, MDADM, Double Commander General	9	246	October 10, 2024
Incus and Podman containers not starting at boot or login Bluefin and Aurora developer-experience	2	202	September 15, 2024

SELinux blocking libvirtd in Fedora 40

Update - above workaround also doesn’t work, however:

Related Topics