Created attachment 1256832
Script for reproducing the bug
+++ This bug was initially created as a clone of Bug #1413298 +++
Description of problem:
I turned off the virtual machine.
BTW, the searched PID 3278 was the PID of libvirt:
sh# find /proc/ -inum 32545
/proc/3278
sh# ls -l /proc/3278/exe
lrwxrwxrwx. 1 root root 0 Jan 13 18:45 /proc/3278/exe -> /usr/sbin/libvirtd
SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 3278.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that qemu-system-x86 should be allowed search access on the 3278 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp
Additional Information:
Source Context system_u:system_r:svirt_t:s0:c180,c609
Target Context system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects 3278 [ dir ]
Source qemu-system-x86
Source Path qemu-system-x86
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.8.15-300.fc25.x86_64 #1 SMP Thu Dec 15 23:10:23 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2017-01-14 17:39:01 CET
Last Seen 2017-01-14 17:39:01 CET
Local ID 5417c5fe-d046-4191-8de3-20d5c6cf25e3
Raw Audit Messages
type=AVC msg=audit(1484411941.773:906): avc: denied { search } for pid=21632 comm="qemu-system-x86" name="3278" dev="proc" ino=32545 scontext=system_u:system_r:svirt_t:s0:c180,c609 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0
Hash: qemu-system-x86,svirt_t,virtd_t,dir,search
Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.9.0
hashmarkername: setroubleshoot
kernel: 4.8.15-300.fc25.x86_64
type: libreport
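As an added triage example (not part of this bug report, setroubleshoot, or audit2allow), the following Python parses raw AVC records in the format shown above and flags exactly the pattern reported here: a confined guest process (svirt_t) denied search on a libvirtd (virtd_t) directory on the proc filesystem. The sample audit text is constructed from the record above plus one unrelated denial; field names and regexes are this example's own assumptions about the AVC line layout.

```python
import re

# Constructed sample: the AVC record from this report plus an unrelated denial.
SAMPLE_AUDIT = """type=AVC msg=audit(1484411941.773:906): avc: denied { search } for pid=21632 comm="qemu-system-x86" name="3278" dev="proc" ino=32545 scontext=system_u:system_r:svirt_t:s0:c180,c609 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1484411950.101:907): avc: denied { read } for pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ *(?P<perms>[^}]+?) *\} +for +(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either quoted or a run of non-space.
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

def parse_avc(line):
    """Parse one raw AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # Pull the type field (third component) out of each security context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":", 3)[2]
    return rec

def is_svirt_proc_search_denial(rec):
    """True for the pattern in this report: svirt_t denied 'search' on a virtd_t dir in /proc."""
    return (rec is not None and rec["result"] == "denied"
            and "search" in rec["perms"] and rec.get("tclass") == "dir"
            and rec.get("dev") == "proc"
            and rec.get("scontext_type") == "svirt_t"
            and rec.get("tcontext_type") == "virtd_t")

def triage(audit_text):
    """Return the parsed AVC records in audit_text that match this report's pattern."""
    recs = (parse_avc(l) for l in audit_text.splitlines() if l.startswith("type=AVC"))
    return [r for r in recs if is_svirt_proc_search_denial(r)]
```

Feed it the output of `ausearch -m AVC --raw` to see whether a host is hitting the same denial before deciding whether a policy update or a local module is the right fix.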
The AVC denial occurs when destroying the VM.
This bug can be reproduced on:
selinux-policy-3.13.1-121.el7.noarch
qemu-kvm-rhev-2.8.0-4.el7.x86_64
libvirt-3.0.0-2.el7.x86_64
Not reproduced on RHEL7.3:
selinux-policy-3.13.1-102.el7_3.15.noarch
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
libvirt-2.0.0-10.el7_3.4.x86_64
Marked as regression.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1861