Bug 1415841

Summary: staff_u cannot access virtual machine guest consoles in libvirt
Product: Red Hat Enterprise Linux 7 Reporter: Garrett Holmstrom <gholms>
Component: selinux-policyAssignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, wibrown
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-145.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1402840 Environment:
Last Closed: 2017-08-01 15:20:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Garrett Holmstrom 2017-01-23 22:04:42 UTC 
+++ This bug was initially created as a clone of Bug #1402840 +++

Description of problem:
Attempt to create or use a vm in virt-manager. It will crash.

type=AVC msg=audit(1481201350.528:800): avc:  denied  { read write } for  pid=12729 comm="virt-manager" path="socket:[120195]" dev="sockfs" ino=120195 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201350.614:801): avc:  denied  { getopt } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201350.614:802): avc:  denied  { setopt } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201352.421:805): avc:  denied  { read } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201357.405:806): avc:  denied  { write } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
Comment 1 Garrett Holmstrom 2017-01-23 22:06:20 UTC 
Affected package versions:

libvirt-2.0.0-10.el7_3.4.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch


Attempting to connect to a guest's console using virt-manager while enforcing yields the following audit logs, which are currently dontaudited:

type=AVC msg=audit(1485208807.780:7383): avc:  denied  { read write } for  pid=255264 comm="virt-manager" path="socket:[13675099]" dev="sockfs" ino=13675099 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c558,c866 tclass=unix_stream_socket
type=SYSCALL msg=audit(1485208807.780:7383): arch=c000003e syscall=47 success=yes exit=1 a0=f a1=7ffc1012a4f0 a2=40000000 a3=5 items=0 ppid=1 pid=255264 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="virt-manager" exe="/usr/bin/python2.7" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 2 Lukas Vrabec 2017-03-03 19:35:40 UTC 
Added all needed rules but also staff_use_svirt  should be turned on.
Comment 15 errata-xmlrpc 2017-08-01 15:20:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861