Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 443630 - SELinux + >app-emulation/libvirt-0.9.13-r1 - Segfault starting qemu domains.
Summary: SELinux + >app-emulation/libvirt-0.9.13-r1 - Segfault starting qemu domains.
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal critical (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-17 13:39 UTC by Martin
Modified: 2014-02-02 11:37 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
backtrace of libvirt (backtrace.log,15.41 KB, text/plain)
2012-11-17 13:47 UTC, Martin
Details
strace -f libvirtd (libvirt.10.2r3.strace-f.gz,630.52 KB, application/x-gzip)
2012-11-17 14:03 UTC, Martin
Details
dmesg of run_init libvirt 0.10.2-r3 (dmesg libvirt 0.10.2-r3,4.76 KB, text/plain)
2012-11-24 09:02 UTC, Martin
Details
dmesg of starting qemu with libvirt 0.9.13-r1 (dmesg libvirt 0.9.13-r1 starting qemu,1.55 KB, text/plain)
2012-11-24 09:02 UTC, Martin
Details
libvirt 1.0.0, semodule -DB, enforce=1 (20130101_dmesg-enforce1-DB.txt,32.41 KB, text/plain)
2013-01-01 12:36 UTC, Martin
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Martin 2012-11-17 13:39:23 UTC
libvirt 0.9.13-r1 works fine. 

Starting libvirt 0.10.2-r3 or 1.0.0 succeeds and using virsh for, e.g. editing domains does work. As soon as a qemu domain is started, libvirt segfaults.



Reproducible: Always

Steps to Reproduce:
1. /etc/init.d/libvirtd start
2. virsh start myQemuDomain
Actual Results:  
output of virsh:

error: Failed to start domain myQemuDomain
error: End of file while reading data: Input/output error
error: Failed to reconnect to the hypervisor

Expected Results:  
starting the domain

working:
============
[ebuild   R    ] app-emulation/qemu-1.1.2-r2  USE="aio caps curl jpeg ncurses png python threads uuid vhost-net vnc -alsa -bluetooth -brltty -debug -doc -fdt -mixemu -opengl -pulseaudio -rbd -sasl -sdl -smartcard -spice -static -systemtap -tci -tls -usbredir -vde -virtfs -xattr -xen -xfs" QEMU_SOFTMMU_TARGETS="x86_64 -alpha -arm -cris -i386 -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -ppc -ppc64 -ppcemb -s390x -sh4 -sh4eb -sparc -sparc64 -xtensa -xtensaeb" QEMU_USER_TARGETS="x86_64 -alpha -arm -armeb -cris -i386 -m68k -microblaze -microblazeel -mips -mipsel -ppc -ppc64 -ppc64abi32 -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -unicore32" 0 kB
[ebuild   R    ] app-emulation/libvirt-0.9.13-r1  USE="caps libvirtd nls numa python qemu (selinux) udev virt-network -audit -avahi -debug -iscsi -lvm -lxc -macvtap -nfs -openvz -parted -pcap -phyp -policykit -rbd -sasl -uml -vepa -virtualbox -xen" 0 kB


not working:
============
[ebuild     U ~] app-emulation/libvirt-1.0.0 [0.9.13-r1] USE="caps libvirtd nls numa python qemu (selinux) udev virt-network -audit -avahi -debug -firewalld% -iscsi -lvm -lxc -macvtap -nfs -openvz -parted -pcap -phyp -policykit -rbd -sasl -uml -vepa -virtualbox -xen" 0 kB

[ebuild     U  ] app-emulation/libvirt-0.10.2-r3 [0.9.13-r1] USE="caps libvirtd nls numa python qemu (selinux) udev virt-network -audit -avahi -debug -iscsi -lvm -lxc -macvtap -nfs -openvz -parted -pcap -phyp -policykit -rbd -sasl -uml -vepa -virtualbox -xen" 0 kB
Comment 1 Martin 2012-11-17 13:41:16 UTC
Portage 2.1.11.31 (hardened/linux/amd64/no-multilib/selinux, gcc-4.5.4, glibc-2.15-r3, 3.5.4-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.5.4-hardened-r1-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.1
Timestamp of tree: Sat, 17 Nov 2012 01:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="rsync://de-mirror.org/gentoo/ http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="amd64 berkdb bzip2 cli cracklib crypt cups cxx dbus dri fuse gdbm gnutls gpm hardened iconv ipv6 justify mmx modules mudflap ncurses nls nptl open_perms openmp pam pax_kernel pcre perl pppd python readline selinux session sse sse2 ssl tcpd unicode urandom zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 2 Martin 2012-11-17 13:47:41 UTC
Created attachment 329710 [details]
backtrace of libvirt

libvirt with -ggdb
Comment 3 Martin 2012-11-17 14:03:39 UTC
Created attachment 329720 [details]
strace -f libvirtd
Comment 4 Doug Goldstein gentoo-dev 2012-11-18 07:35:12 UTC
This is a SELinux issue with marking a file or a task with a specific permission. I'm unfortunately not very familiar with how to debug or track this down so you'll have to get the Gentoo SELinux guys to help.

I also don't run any Gentoo SELinux machines so I won't really be able to help debug this.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 09:09:49 UTC
Do you notice any errors in the dmesg output and in the SELinux denial logs?
Comment 6 Martin 2012-11-18 19:51:30 UTC
There are quite some denies in avc.log, but that's true for 0.9.13-r1 as well. The system runs in permissive mode.

I'm going to fetch the logs as soon as I can stop the 'productive' domains and switch to 0.10.2-r3 again.
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-21 20:05:37 UTC
I don't see anything in the trace that would give me a "yes, this is a SELinux issue" feeling. On the contrary, you are running in permissive mode, and the application looks like it is just checking information. But since the application is SELinux-aware, I cannot guarantee that it /isn't/ due to SELinux either.

Anything in dmesg that looks like a grSecurity/PaX enforcement being the culprit?
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-21 20:07:31 UTC
Oh, but if it is SELinux, then it is probably because the application doesn't expect to be in sysadm_t domain. There is a virsh_t domain and a few others. Care to look what the domain ought to be? Once we know that, then we can see how to get there.
Comment 9 Martin 2012-11-24 08:58:57 UTC
-- grsecurity is not enabled

-- pax is ... not existent anymore? Did I miss anything? In my last kernel 3.4.2-h-r1 pax was enabled; in the currently running 3.5.4-h-r1, the options for pax are not available at all?? Anyhow, pax seems to be not enabled either.

-- selinux-virt and selinux-qemu are installed and used.

-- I attached the dmesg for run_init libvirt 0.10.2. Starting a qemu domain afterwards does not produce any further messages before libvrit segfaults.

-- I also attached the dmesg for starting a qemu domain using libvirt 0.9.2. It complains about the image file being unlabeled which I don't really understand, because I added the context virt_image_t to the respective folder and libvirt does dynamically relabel it forth to svirt and back to virt each time.
Comment 10 Martin 2012-11-24 09:02:10 UTC
Created attachment 330398 [details]
dmesg of run_init libvirt 0.10.2-r3
Comment 11 Martin 2012-11-24 09:02:56 UTC
Created attachment 330402 [details]
dmesg of starting qemu with libvirt 0.9.13-r1
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-25 21:31:13 UTC
Given that the whole application is SELinux-aware, I wouldn't be surprised that the engineers didn't put in the correct checks for permissive mode.

Can you switch to enforcing mode right before you start libvirtd, and then start it and report back with the failure and denials? Many of the denials shown are results of earlier denials, and we need to filter those out. Running in enforcing mode should help us with that.

Make sure that you have a console open where you are sysadm_t and, if that is through SSH, make sure the daemon runs in the sshd_t domain (otherwise switching to enforcing mode might crash the daemon and leave you out of the system).
Comment 13 Martin 2012-11-30 22:20:32 UTC
I used audit2allow for cleaning up the avc.log. However checkmodule gives:

libsepol.check_assertion_helper: neverallow violated by allow virtd_t memory_device_t:chr_file { read };

Installing the resulting module (without this memory_device_t), setting enforce to 1 and starting libvirtd 0.10.2-r3 gives:

$> run_init libvirtd 
Authenticating root.
Password: 
2012-11-30 22:02:25.869+0000: 17169: info : libvirt version: 0.10.2
2012-11-30 22:02:25.869+0000: 17169: error : virSysinfoRead:763 : internal error Failed to find path for dmidecode binary
2012-11-30 22:02:25.870+0000: 17169: error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
2012-11-30 22:02:25.870+0000: 17169: error : qemuSecurityInit:316 : Failed to initialize security drivers
2012-11-30 22:02:25.870+0000: 17169: error : virStateInitialize:798 : Initialization of QEMU state driver failed
2012-11-30 22:02:25.870+0000: 17169: error : daemonRunStateInit:766 : Driver state initialization failed

and exit
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 08:37:43 UTC
You can enable that too through "dev_read_raw_memory(virtd_t)" but I can't add that in the gentoo policy until I also know what the other denials were that you got fixed through audit2allow :-(
Comment 15 Martin 2012-12-04 21:44:44 UTC
I added the dev_read_raw_memory(virtd_t) (as you see below), but without luck for 0.10.2. However, libvirt 0.9.13 is now running in enforced strict without issues.

$> echo 0 > /selinux/enforce 
§> run_init libvirtd

2012-12-04 21:22:38.481+0000: 4379: info : libvirt version: 0.10.2
2012-12-04 21:22:38.481+0000: 4379: error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
2012-12-04 21:22:38.481+0000: 4379: error : qemuSecurityInit:316 : Failed to initialize security drivers
2012-12-04 21:22:38.481+0000: 4379: error : virStateInitialize:798 : Initialization of QEMU state driver failed
2012-12-04 21:22:38.481+0000: 4379: error : daemonRunStateInit:766 : Driver state initialization failed

and no entries in avc.log or dmesg. I added the following rules, all but the last gathered with audit2allow.


#============= qemu_t ==============
allow qemu_t svirt_var_run_t:dir { write add_name };
allow qemu_t svirt_var_run_t:sock_file create;
allow qemu_t sysfs_t:file { read open };
allow qemu_t unlabeled_t:file { write read getattr open };
allow qemu_t vhost_device_t:chr_file { read write ioctl };
#============= sysadm_dbusd_t ==============
allow sysadm_dbusd_t self:capability sys_resource;
allow sysadm_dbusd_t self:capability2 block_suspend;
allow sysadm_dbusd_t self:process setrlimit;
allow sysadm_dbusd_t sysfs_t:file { read open };
#============= virtd_t ==============
allow virtd_t default_t:dir read;
allow virtd_t dhcpd_port_t:udp_socket name_bind;
allow virtd_t dmidecode_exec_t:file { read getattr open execute execute_no_trans };
allow virtd_t dns_port_t:tcp_socket name_bind;
allow virtd_t dns_port_t:udp_socket name_bind;
allow virtd_t file_context_t:file { read getattr open };
allow virtd_t initrc_tmp_t:file append;
allow virtd_t initrc_var_run_t:file getattr;
allow virtd_t initrc_var_run_t:file { read write open };
allow virtd_t memory_device_t:chr_file { read open };
allow virtd_t node_t:udp_socket node_bind;
allow virtd_t self:capability net_bind_service;
allow virtd_t self:capability sys_rawio;
allow virtd_t self:capability2 mac_admin;
allow virtd_t self:packet_socket { create ioctl };
allow virtd_t self:process setsockcreate;
allow virtd_t sysctl_kernel_t:dir search;
allow virtd_t sysctl_kernel_t:file { read open };
allow virtd_t unlabeled_t:file { relabelfrom getattr setattr read relabelto open };
allow virtd_t var_run_t:sock_file { create unlink };
allow virtd_t vhost_device_t:chr_file { read write open };
dev_read_raw_memory(virtd_t)


and the following local context for my images:
/data/r1/images(/.*)?    system_u:object_r:virt_image_t
Comment 16 Martin 2012-12-04 21:48:00 UTC
(In reply to comment #15)

> $> echo 0 > /selinux/enforce 

typo: echo 1, of course
Comment 17 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-05 18:35:54 UTC
Looks like in the virt code, the following function returns a SECURITY_DRIVER_DISABLE state:

"""
static int
virSecuritySELinuxSecurityDriverProbe(const char *virtDriver)
{
    if (!is_selinux_enabled())
        return SECURITY_DRIVER_DISABLE;

    if (virtDriver && STREQ(virtDriver, "LXC")) {
#if HAVE_SELINUX_LXC_CONTEXTS_PATH
        if (!virFileExists(selinux_lxc_contexts_path()))
#endif
            return SECURITY_DRIVER_DISABLE;
    }

    return SECURITY_DRIVER_ENABLE;
}
"""

As is_selinux_enabled() will return true, this isn't the culprit. Your USE flags also tell USE=-lxc so I assume you are not using LXC, but can you confirm this? You don't have any domains using the libvirt_lxc emulator do you?
Comment 18 Martin 2012-12-05 19:48:33 UTC
Yes, use flag lxc is not (was never) set. I only use qemu.

[ebuild     U  ] app-emulation/libvirt-0.10.2-r3 [0.9.13-r1] USE="caps libvirtd nls numa python qemu (selinux) udev virt-network -audit -avahi -debug -iscsi -lvm -lxc -macvtap -nfs -openvz -parted -pcap -phyp -policykit -rbd -sasl -uml -vepa -virtualbox -xen" 0 kB
Comment 19 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-07 15:27:47 UTC
Yes, but can you also confirm that your domains (the xml files that define your virtual guests and such) do not refer to LXC?
Comment 20 Martin 2012-12-07 18:21:52 UTC
$> grep -ri "[^-]lxc" /etc
$> grep -ri "lxc" /var/lib/

both show nothing relevant

$> eix -Ic --installed-with-use lxc
No matches found.

Anything else I could check?
Comment 21 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-09 10:34:21 UTC
In that case, is_selinux_enabled() is probably not returning 1, which is very weird, since even in permissive mode it should be returning 1.

"""
hpl ~ # sestatus
[...]
Current mode:                   enforcing

hpl ~ # ~swift/Development/build/tmp/test 
is_selinux_enabled() = 1

hpl ~ # setenforce 0

hpl ~ # sestatus
[...]
Current mode:                   permissive

hpl ~ # ~swift/Development/build/tmp/test 
is_selinux_enabled() = 1
"""

From a simple strace, it looks like it checks if /sys/fs/selinux exists:

"""
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
statfs("/sys/fs/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/sys/fs/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
"""

Can you check if /sys/fs/selinux does exist? Perhaps somewhere along the route, the libvirt cannot check /sys/fs/selinux (be it due to permissions or because it is mounted elsewhere)?
Comment 22 Martin 2012-12-09 12:25:10 UTC
$> sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
..

$> mount | grep selinux
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
none on /selinux type selinuxfs (rw)


dr-xr-xr-x. 11 root root system_u:object_r:sysfs_t 0 Nov 17 14:08 /sys
drwxr-xr-x.  5 root root system_u:object_r:sysfs_t 0 Nov 17 14:08 /sys/fs
drwxr-xr-x.  7 root root system_u:object_r:security_t 0 Nov 17 14:08 /sys/fs/selinux

While in permissive mode, libvirtd starts and reads /sys/fs/selinux, but dies once qemu starts. How can I start strace libvirtd in enforcing mode?
Comment 23 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-09 13:46:04 UTC
Oh I thought the failures were also in permissive mode.

If this occurs in enforcing mode, then we need to check is there are denials somewhere that SELinux is enforcing the domain to get information from the SELinux state.

Try running with dontaudit's disabled (semodule -DB), clear your avc log and reproduce. What does the avc log contain then?
Comment 24 Martin 2013-01-01 12:34:57 UTC
updated to current stable selinux libs and policies 2.20120725-r8 and used:
libvirt 1.0.0
enforce=1
semodule -DB
increased /proc/sys/kernel/printk_ratelimit(_burst)

dmesg output attached for: 
§> run_init libvirt
$> virsh start DOMAIN

with terminating segfault
Comment 25 Martin 2013-01-01 12:36:25 UTC
Created attachment 333934 [details]
libvirt 1.0.0, semodule -DB, enforce=1
Comment 26 Martin 2013-01-01 14:05:58 UTC
Just a side note: libvirt 0.10.2-r3 (and upwards, I guess) works without any further changes if(f) selinux is disabled:

- disabled selinux in /etc/selinux/config
- removed security_driver = "selinux" from /etc/libvirt/qemu.conf 
- rebooted

However, that was not what I was looking for. I would like to have the host running selinux strict.
Comment 27 Sven Vermeulen (RETIRED) gentoo-dev 2013-02-07 18:49:47 UTC
I'm going to ask some help on this on our online meeting today (hopefully some other developers with SELinux have or can use libvirt). I'm not able to use libvirt on my system so it's harder for me to work on this :-(
Comment 28 Sven Vermeulen (RETIRED) gentoo-dev 2013-02-08 18:44:12 UTC
Sadly no SELinux developer with libvirt (or they're afraid of saying it).

In the strace you showed, there is the following output as well:

[pid 29965] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
[pid 29965] write(4, "Caught Segmentation violation", 29) = 29
[pid 29965] write(4, " dumping internal log buffer:\n", 30) = 30
[pid 29965] write(4, "\n\n    ====== start of log =====\n"..., 33) = 33
[pid 29965] write(4, "2012-11-16 18:43:35.006+00002995"..., 3648) = 3648
[pid 29965] write(4, "\n\n     ====== end of log =====\n\n", 32) = 32

Do you have the full output on this somewhere?
Comment 29 Arnaud Desgranges 2013-02-16 17:55:32 UTC
(In reply to comment #26)
> Just a side note: libvirt 0.10.2-r3 (and upwards, I guess) works without any
> further changes if(f) selinux is disabled:
> 
> - disabled selinux in /etc/selinux/config
> - removed security_driver = "selinux" from /etc/libvirt/qemu.conf 
> - rebooted
> 
> However, that was not what I was looking for. I would like to have the host
> running selinux strict.

+1
Comment 30 Doug Goldstein gentoo-dev 2013-02-22 04:26:46 UTC
I don't use SELinux so I don't really have experience with it. You might find some help on the libvirt-users ML. Any suggestions people on there give I'll be glad to implement.
Comment 31 Sven Vermeulen (RETIRED) gentoo-dev 2014-02-02 11:37:19 UTC
(In reply to Sven Vermeulen from comment #28)
> Sadly no SELinux developer with libvirt (or they're afraid of saying it).
> 
> In the strace you showed, there is the following output as well:
> 
> [pid 29965] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0}
> ---
> [pid 29965] write(4, "Caught Segmentation violation", 29) = 29
> [pid 29965] write(4, " dumping internal log buffer:\n", 30) = 30
> [pid 29965] write(4, "\n\n    ====== start of log =====\n"..., 33) = 33
> [pid 29965] write(4, "2012-11-16 18:43:35.006+00002995"..., 3648) = 3648
> [pid 29965] write(4, "\n\n     ====== end of log =====\n\n", 32) = 32
> 
> Do you have the full output on this somewhere?

Going to resolve this as NEEDINFO until the above can be provided.