Bug 2363238
| Summary: | UDP sockets are broken due to insufficient SELinux permissions | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Janne Grunau <janne-fdr> | ||||
| Component: | passt | Assignee: | Stefano Brivio <sbrivio> | ||||
| Status: | CLOSED COMPLETED | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 42 | CC: | sbrivio, teohhanhui | ||||
| Target Milestone: | --- | Keywords: | Desktop, Regression | ||||
| Target Release: | --- | ||||||
| Hardware: | aarch64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | passt-0^20250503.g587980c-1.fc42 | Doc Type: | --- | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2025-06-11 15:49:24 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 2087966 [details]
change to upstreams SELinux policy fixing the issue
|
UDP connections in muvm (libkrun based VMM using passt) are broken with passt-0^20250415.g2340bbf-1.fc42, This is a regression from passt-0^2025_03_20.32f6212-1. passt logs "Flow 0 (UDP flow): Unable to determine local address: Permission denied" which coincides with following SELinux audit message: | type=AVC msg=audit(1746083799.606:235): avc: denied { getattr } for | pid=2961 comm="passt" laddr=127.0.0.1 lport=49221 | faddr=127.0.0.53 fport=53 | scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 | tcontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 | tclass=udp_socket permissive=0 passt added commit 59cc89f ("udp, udp_flow: Track our specific address on socket interfaces") a getsockname() call requring getattr I'll send a patch adding getattr for udp_sockets once upstreams maling list acts on my subscription request. I'll attach the patch to this ticket as well. Reproducible: Always Steps to Reproduce: 1. install muvm 2. muvm -- nslockup bugzilla.redhat.com Actual Results: Flow 0 (UDP flow): Unable to determine local address: Permission denied and no address resolution Expected Results: No IPv6 nameserver available for NDP/DHCPv6 Using default interface naming scheme 'v257'. Server: 10.7.23.1 Address: 10.7.23.1#53 Non-authoritative answer: bugzilla.redhat.com canonical name = bugzilla.redhat.com.edgekey.net. bugzilla.redhat.com.edgekey.net canonical name = e40028.dsca.akamaiedge.net. Name: e40028.dsca.akamaiedge.net Address: 2.21.133.170 Name: e40028.dsca.akamaiedge.net Address: 2.21.133.160 Name: e40028.dsca.akamaiedge.net Address: 2a02:26f0:300::215:85a0 Name: e40028.dsca.akamaiedge.net Address: 2a02:26f0:300::215:85aa