Wind River Support Network

Fixed

OVP-493 : libvirt start vm failed with tap when selinux in enforcing mode

Created: Jul 28, 2013    Updated: Mar 11, 2016
Resolved Date: Oct 9, 2013
Found In Version: 5.0.1
Fix Version: 5.0.1.8
Severity: Severe
Applicable for: Wind River Linux 5
Component/s: Userspace

Description

Tested on the latest spin with the ovp-ovirt-node image: libvirt fails to start a VM with a tap interface when SELinux is in enforcing mode.
The error message is the same as in defect WIND00421670.

root@localhost:~# cat test.xml 
<domain type='kvm'>
  <name>vm1</name>
  <memory>1024000</memory>
  <currentMemory>512000</currentMemory>
  <vcpu>2</vcpu>
  <cpu>
      <arch>x86_64</arch>
      <model>Nehalem</model>
      <vendor>Intel</vendor>
  </cpu>
  <os>
    <type>hvm</type>
    <boot dev='hd' />
    <kernel>/var/lib/libvirt/boot/guest.kernel</kernel>
    <cmdline>console=ttyS0 root=/dev/vda rw ip=dhcp</cmdline>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest_raw.img' />
      <target dev='vda' bus='virtio'/>
    </disk>
    <serial type='file'>
      <source path='/tmp/macvtap_libvirt-serial.log'/>
      <target port='0'/>
    </serial>
    <console type='file'>
      <source path='/tmp/macvtap_libvirt-serial.log'/>
      <target type='serial' port='0'/>
    </console>
    <interface type='direct'>
        <mac address='de:ef:be:bd:a1:d0' />
        <source dev='eth0' mode='bridge' />
        <model type='virtio' />
    </interface>
    <interface type='ethernet'>
      <mac address='de:ef:be:92:63:fa'/>
      <target dev='tap0'/>
      <model type='virtio' />
      <script path='/etc/qemu-ifup.tap'/>
    </interface> 
  </devices>
</domain>
root@localhost:~# 
root@localhost:~# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             wr-targeted-ovp-host-isolation
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26
root@localhost:~# virsh 
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # define test.xml 
Domain vm1 defined from test.xml

virsh # start vm1
error: Failed to start domain vm1
error: internal error process exited while connecting to monitor: kvm: -netdev tap,ifname=tap0,script=/etc/qemu-ifup.tap,id=hostnet1,vhost=on,vhostfd=25: could not configure /dev/net/tun (tap0): Operation not permitted
kvm: -netdev tap,ifname=tap0,script=/etc/qemu-ifup.tap,id=hostnet1,vhost=on,vhostfd=25: Device 'tap' could not be initialized


virsh # 
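The QEMU error above ("could not configure /dev/net/tun (tap0): Operation not permitted" under an enforcing policy) is the kind of failure that is normally confirmed by reading the SELinux AVC records in the audit log rather than by switching to permissive mode. The following is an added example, not part of the OVP-493 defect record or of libvirt or Wind River code: it parses standard Linux audit AVC lines and groups denials by source domain, target class and permission, filtered to the QEMU process name, so a policy engineer can see exactly what the policy refused. The audit lines below are constructed for illustration; the report itself shows only the QEMU error, not the AVC records, so the denials shown here are assumed, not taken from the page.

```python
"""Summarise SELinux AVC denials from audit log lines.

Added example for the OVP-493 report; not code from libvirt, QEMU or
Wind River. Assumes the standard Linux audit AVC record layout, e.g.
  type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm } for  pid=... comm="..." ... scontext=... tcontext=... tclass=... permissive=0/1
"""
import re
from collections import defaultdict

# Header: record type, timestamp/serial, denied permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)"
)
# key=value pairs; values are either double-quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines (hypothetical, not from the report):
# two enforced denials for the QEMU process on the tun_socket class, one
# unrelated sshd denial, one non-AVC record, and one permissive-mode denial.
SAMPLE_LINES = [
    'type=AVC msg=audit(1380000000.123:101): avc:  denied  { attach_queue } for  '
    'pid=4321 comm="qemu-kvm" path="/dev/net/tun" dev="devtmpfs" ino=2001 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c34 '
    'tcontext=system_u:system_r:svirt_t:s0:c12,c34 tclass=tun_socket permissive=0',
    'type=AVC msg=audit(1380000000.456:102): avc:  denied  { attach_queue } for  '
    'pid=4321 comm="qemu-kvm" path="/dev/net/tun" dev="devtmpfs" ino=2001 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c34 '
    'tcontext=system_u:system_r:svirt_t:s0:c12,c34 tclass=tun_socket permissive=0',
    'type=AVC msg=audit(1380000001.000:103): avc:  denied  { name_bind } for  '
    'pid=777 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1380000000.123:101): arch=c000003e syscall=16 success=no '
    'exit=-1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm"',
    'type=AVC msg=audit(1380000002.000:104): avc:  denied  { read write } for  '
    'pid=4321 comm="qemu-kvm" path="/dev/net/tun" dev="devtmpfs" ino=2001 '
    'scontext=system_u:system_r:svirt_t:s0:c12,c34 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1',
]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=0 means the kernel actually blocked the access.
        "enforced": fields.get("permissive") == "0",
    }


def source_type(scontext):
    """Extract the SELinux type (third field) from a user:role:type:level context."""
    parts = (scontext or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"


def summarize(lines, comm=None):
    """Count denials keyed by (source type, target class, permissions, enforced)."""
    summary = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm and rec["comm"] != comm):
            continue
        key = (source_type(rec["scontext"]), rec["tclass"],
               " ".join(rec["perms"]), rec["enforced"])
        summary[key] += 1
    return dict(summary)


def render(summary):
    """Format the summary as one line per distinct denial, enforced ones first."""
    rows = sorted(summary.items(), key=lambda kv: (not kv[0][3], kv[0]))
    return [f"{'DENIED ' if enf else 'audited'} {n:>3}x  {src} -> {tclass} {{ {perms} }}"
            for (src, tclass, perms, enf), n in rows]


if __name__ == "__main__":
    # In practice the input would be /var/log/audit/audit.log or `ausearch -m avc` output.
    for row in render(summarize(SAMPLE_LINES, comm="qemu-kvm")):
        print(row)
```

Run against a real audit log, the same summary is what you would feed to `audit2why`/`audit2allow` to decide whether the host policy (here `wr-targeted-ovp-host-isolation`) lacks a rule for the tap device, rather than disabling enforcement on the host.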

Steps to Reproduce

Please see "Symptom Details".