Bug 2279956
| Summary: | SELinux is preventing rpc-virtnetwork from 'execute' accesses on the archivo 99-lab.sh. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Juan Orti Alcaine <jortialc> | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 40 | CC: | dwalsh, jortialc, knazekovan, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:c9007a0b404974fc69719e5a460849945a7e80f5cdce1cea98b4ea96b02970d6;VARIANT_ID=workstation; | ||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2024-06-12 08:28:07 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 2032456 [details]
File: description
Created attachment 2032457 [details]
File: os_info
This is breaking libvirt. Zdenek, can you give it a look? Still happening in selinux-policy-targeted-40.20-1.fc40.noarch Thanks. *** Bug 2291442 has been marked as a duplicate of this bug. *** *** This bug has been marked as a duplicate of bug 2276917 *** |
Description of problem: This happened when trying to start a libvirt network with a custom hook script in /etc/libvirt/hooks/network.d/ This same setup was working in F39. SELinux is preventing rpc-virtnetwork from 'execute' accesses on the archivo 99-lab.sh. ***** Plugin catchall (100. confidence) suggests ************************** Si cree que de manera predeterminada se debería permitir a rpc-virtnetwork el acceso execute sobre 99-lab.sh file. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do permita el acceso temporalmente ejecutando: # ausearch -c 'rpc-virtnetwork' --raw | audit2allow -M mi-rpcvirtnetwork # semodule -X 300 -i mi-rpcvirtnetwork.pp Additional Information: Source Context system_u:system_r:virtnetworkd_t:s0 Target Context system_u:object_r:virt_etc_rw_t:s0 Target Objects 99-lab.sh [ file ] Source rpc-virtnetwork Source Path rpc-virtnetwork Port <Desconocido> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-40.17-1.fc40.noarch Local Policy RPM selinux-policy-targeted-40.17-1.fc40.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.8.8-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Apr 27 17:53:31 UTC 2024 x86_64 Alert Count 2 First Seen 2024-05-10 08:54:00 CEST Last Seen 2024-05-10 08:54:00 CEST Local ID 379b0a15-43e5-49d4-a3aa-a3c11b762441 Raw Audit Messages type=AVC msg=audit(1715324040.812:675): avc: denied { execute } for pid=21659 comm="rpc-virtnetwork" name="99-lab.sh" dev="dm-0" ino=65905725 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=0 Hash: rpc-virtnetwork,virtnetworkd_t,virt_etc_rw_t,file,execute Version-Release number of selected component: selinux-policy-targeted-40.17-1.fc40.noarch Additional info: reporter: libreport-2.17.15 reason: SELinux is preventing rpc-virtnetwork from 'execute' accesses on the archivo 99-lab.sh. package: selinux-policy-targeted-40.17-1.fc40.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.8.8-300.fc40.x86_64 component: selinux-policy