selinux blocks libvirt from spawning instances
Bug #1661500 reported by Chris Liles
This bug report is a duplicate of:
Bug #1797277: SELinux is disabled for Kolla deployments.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kolla-ansible | Confirmed | Wishlist | Unassigned |
Bug Description
On Docker 1.13.0 with a fresh install from master I am unable to spawn any instances.
Disabling SELinux is a workaround.
CentOS 7 with binary.
Attached are nova and audit logs.
Changed in kolla-ansible:
status: New → Confirmed
This seems like a selinux bug in selinux-policy or docker-selinux.
type=USER_AVC msg=audit(1486115407.138:914): pid=656 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.27 spid=10615 tpid=17369 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
I was able to fix it doing the following steps: policy policy. pp
# Check what SELinux recommendations to apply.
audit2allow -a
# Create a custom SELinux policy module (writes custompmachined.te and custompmachined.pp)
audit2allow -a -M custompmachined
# Apply the new policy module
semodule -i custompmachined.pp
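
An added example, not part of the original comment or of kolla-ansible: because `audit2allow -a` builds rules from every denial in the audit log, the script below lists the candidate allow rule for each logged denial and flags any whose source domain is not the one you meant to fix, so the module can be checked before `semodule -i`. The second log record and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit log: the first record is the denial quoted in this
# report; the second is a made-up, unrelated denial added for illustration.
sample_log() {
cat <<'EOF'
type=USER_AVC msg=audit(1486115407.138:914): pid=656 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.27 spid=10615 tpid=17369 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1486115500.001:920): avc:  denied  { read open } for  pid=4242 comm="example" name="secret.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# avc_rules: read audit records on stdin and print one candidate TE rule per
# unique denial: "allow <source_type> <target_type>:<class> { <perms> };"
avc_rules() {
  awk '
    /avc: +denied/ {
      o = index($0, "{"); c = index($0, "}")
      if (o == 0 || c < o) next                 # malformed record, skip it
      perms = substr($0, o + 1, c - o - 1)
      gsub(/^ +| +$/, "", perms)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      rule = "allow " src " " tgt ":" cls " { " perms " };"
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# out_of_scope: print rules whose source domain is not $1 and return 1 if any
# exist, so a wrapper can refuse to build a module from the whole log.
out_of_scope() {
  rules=$(avc_rules | grep -v "^allow $1 ") && { printf '%s\n' "$rules"; return 1; }
  return 0
}
```

On a real host, feed it the audit log, for example `out_of_scope systemd_machined_t < /var/log/audit/audit.log`, and compare the result with the generated `custompmachined.te` before loading the `.pp`.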