Bug 1293722
| Field | Value |
|---|---|
| Summary | need selinux policy for new libvirt daemon virtlogd |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED DUPLICATE |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Giulio 'juliuxpigface' <juliux.pigface> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | agedosier, berrange, clalancette, crobinso, dominick.grift, dwalsh, dyuan, fjin, flast, itamar, jforbes, laine, libvirt-maint, lvrabec, mgrepl, plautrba, veillard, virt-maint, zhwang |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | Bug |
| Last Closed | 2016-01-20 14:50:01 UTC |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Attachments | 1108703: output of "# journalctl -b 0 -u virtlogd.socket" |
Created attachment 1108703 [details]: output of "# journalctl -b 0 -u virtlogd.socket"

Description of problem:
Every time I start a qemu-kvm guest (which contains Fedora 20151218 Rawhide - Workstation), I see that unit failing.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.3.0-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 20151218 (installed on a qemu-kvm x86_64 guest).
2. Log in.
3. Read the output of "# systemctl --all --failed".

Actual results:
The unit "virtlogd.socket" fails.

Expected results:
The unit "virtlogd.socket" should not fail.

Additional info:
I'm attaching the output of "# journalctl -b 0 -u virtlogd.socket"

---

Can you say if you have SELinux enabled, and if so provide the /var/log/audit/audit.log file contents after boot?

---

The following module avoids this issue. I hope that will help you.

```
module bug1293722 1;

require {
	type iptables_t;
	type firewalld_tmpfs_t;
	type unconfined_service_t;
	type init_t;
	class file { read write };
	class unix_stream_socket { create setopt bind listen };
}

allow iptables_t firewalld_tmpfs_t:file { read write };
allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
```

---

(In reply to Kohei Takahashi from comment #2)
> Following module avoids this issue. I hope that will help you.
>
> ```
> module bug1293722 1;
>
> require {
> type iptables_t;
> type firewalld_tmpfs_t;
> type unconfined_service_t;
> type init_t;
> class file { read write };
> class unix_stream_socket { create setopt bind listen };
> }
>
> allow iptables_t firewalld_tmpfs_t:file { read write };
> allow init_t unconfined_service_t:unix_stream_socket { create setopt bind
> listen };
> ```

I don't know why the firewall bits are in there; virtlogd shouldn't be touching that stuff. It definitely needs the unix bits, though.

Here are the AVCs I get:

```
type=AVC msg=audit(1452886623.735:766): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc: denied { listen } for pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```

---

Hi, the rule related to iptables is a different issue in SELinux. The other troubles are fixed now. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1291940 ***
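The thread shows why the maintainer asked for audit.log before accepting a policy module: the allow rules a module needs should be derived from the AVC denials actually recorded, and any rule without a matching denial (here the iptables_t/firewalld_tmpfs_t line) is scope creep that widens policy for no reason. The script below is an added example, not code from the bug or from the selinux-policy project; it does a small part of what audit2allow does. It parses the AVC records quoted above (embedded as constructed sample input), aggregates them into allow rules, renders a .te module in the same form as the proposed one, and flags proposed rules that no denial supports. The function and variable names are my own.

```python
import re
from collections import defaultdict

# Sample input: the four AVC denials and the SERVICE_START record quoted in the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452886623.735:766): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc: denied { listen } for pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Matches the fields of an AVC denial that an allow rule is built from.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source type, target type, object class, permission) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START and other non-AVC records carry no denial
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def allow_rules(text):
    """Aggregate denials into {(source type, target type, class): set of permissions}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(text):
        rules[(stype, ttype, tclass)].add(perm)
    return dict(rules)


def render_module(name, rules):
    """Render the aggregated rules as a .te module, in the layout used in the bug."""
    types = sorted({t for (stype, ttype, _) in rules for t in (stype, ttype)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def unsupported_rules(proposed, rules):
    """Return proposed (source, target, class) triples that no logged denial justifies."""
    return [triple for triple in proposed if triple not in rules]


# The two allow rules of the proposed bug1293722 module, as (source, target, class).
PROPOSED = [
    ("iptables_t", "firewalld_tmpfs_t", "file"),
    ("init_t", "unconfined_service_t", "unix_stream_socket"),
]

if __name__ == "__main__":
    derived = allow_rules(SAMPLE_AUDIT_LOG)
    print(render_module("bug1293722", derived))
    for triple in unsupported_rules(PROPOSED, derived):
        print("no AVC in the log supports:", triple)
```

Run against the log quoted in the bug, the derived module contains only the init_t to unconfined_service_t unix_stream_socket rule, and the iptables_t line is reported as unsupported, which is the same conclusion the maintainer reached by reading the denials. In real use, feed it the output of `ausearch -m AVC` rather than the embedded sample, and still review each derived rule before loading it: audit2allow-style output describes what was denied, not whether allowing it is the right fix.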