Bug 458647

Summary: can't run virt-manager as non-root user
Product: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: David Juran <djuran>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:05:30 UTC

Description David Juran 2008-08-11 10:43:51 UTC
Description of problem:

If I launch virt-manager as a regular user, click to run it unprivileged in the dialog presented by consolehelper, and then double-click on the local qemu hypervisor, I'm getting the following AVC denial:

Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid>
(virtd_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/<pid>,

restorecon -v '/proc/<pid>'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t
Target Context                system_u:system_r:virtd_t
Target Objects                /proc/<pid> [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          dhcppc2
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-82.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     dhcppc2
Platform                      Linux dhcppc2 2.6.25.11-97.fc9.x86_64 #1 SMP Mon
                              Jul 21 01:09:10 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 11 Aug 2008 01:38:28 PM EEST
Last Seen                     Mon 11 Aug 2008 01:38:28 PM EEST
Local ID                      03ecc6e0-2773-4169-97e9-023d67122744
Line Numbers                  

Raw Audit Messages            

host=dhcppc2 type=AVC msg=audit(1218451108.834:246): avc:  denied  { getattr } for  pid=21940 comm="polkit-resolve-" path="/proc/2883" dev=proc ino=39369 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=dir

host=dhcppc2 type=SYSCALL msg=audit(1218451108.834:246): arch=c000003e syscall=4 success=no exit=-13 a0=10c5280 a1=7fff49992480 a2=7fff49992480 a3=31e2767a58 items=0 ppid=2883 pid=21940 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-82.fc9.noarch
virt-manager-0.5.4-4.fc9.x86_64
PolicyKit-0.8-2.fc9.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. start virt-manager
2. Choose to run it unprivileged
3. Connect to local qemu hypervisor
  
Actual results:
avc denial and no connection to libvirt

Comment 1 Daniel Walsh 2008-08-12 13:02:53 UTC
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-85.fc9.noarch

Comment 2 David Juran 2008-08-13 14:52:25 UTC
With selinux-policy-3.3.1-85.fc9 I'm getting a slightly different error:

[root@lunkyzard ~]# sealert -l ad613644-5f8d-4983-b07a-00246545dcdd

Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to <Unknown>
(virtd_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:system_r:virtd_t:s0
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          lunkyzard.netact.noklab.net
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-85.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     lunkyzard.netact.noklab.net
Platform                      Linux lunkyzard.netact.noklab.net
                              2.6.25.14-108.fc9.x86_64 #1 SMP Mon Aug 4 13:46:35
                              EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Wed Aug 13 17:38:52 2008
Last Seen                     Wed Aug 13 17:47:43 2008
Local ID                      ad613644-5f8d-4983-b07a-00246545dcdd
Line Numbers                  

Raw Audit Messages            

host=lunkyzard.netact.noklab.net type=AVC msg=audit(1218638863.689:39): avc:  denied  { getattr } for  pid=4265 comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=process

host=lunkyzard.netact.noklab.net type=SYSCALL msg=audit(1218638863.689:39): arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=aeb2a0 a2=fff a3=0 items=0 ppid=3426 pid=4265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)

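The two raw AVC records quoted on this page (the `dir getattr` on /proc/2883 in the description and the `process getattr` in comment 2) are exactly the input that `audit2allow -M mypol` in comment 1 turns into a policy module. The script below is an added example, not part of this bug report, of audit2allow, or of selinux-policy: it reproduces the parsing and rule-generation step so the resulting `.te` source can be read and reviewed before `semodule -i` installs it. The sample log text is constructed from the records quoted above (in the `host=...` form sealert prints them), and the module name `mypol` and the function names are the example's own choices.

```python
"""Render SELinux AVC denials as the allow rules that audit2allow would generate.

Added example for this bug report, not code from selinux-policy or audit2allow.
The module name "mypol" and the function names are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample input: the raw audit records quoted in this bug
# (description and comment 2), as sealert prints them with a host= prefix.
SAMPLE_AUDIT_LOG = """\
host=dhcppc2 type=AVC msg=audit(1218451108.834:246): avc:  denied  { getattr } for  pid=21940 comm="polkit-resolve-" path="/proc/2883" dev=proc ino=39369 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=dir
host=dhcppc2 type=SYSCALL msg=audit(1218451108.834:246): arch=c000003e syscall=4 success=no exit=-13 a0=10c5280 a1=7fff49992480 a2=7fff49992480 a3=31e2767a58 items=0 ppid=2883 pid=21940 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
host=lunkyzard.netact.noklab.net type=AVC msg=audit(1218638863.689:39): avc:  denied  { getattr } for  pid=4265 comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=process
"""

# Only "denied" AVC records matter; "granted" records (from auditallow rules)
# must never be turned into allow rules.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\b.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:virtd_t:s0 -> virtd_t."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Collect {(source_type, target_type, tclass): {perm, ...}} from raw audit text."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other record types carry no access vector
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def format_perms(perms):
    """audit2allow style: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """One allow rule per (source, target, class), with permissions merged."""
    return [
        f"allow {src} {tgt}:{cls} {format_perms(perms)};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]


def policy_module(name, denials):
    """Render complete .te source: module header, require block, allow rules."""
    types = sorted({t for (src, tgt, _cls) in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {format_perms(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Review this output before building and installing it. checkmodule -M -m,
    # semodule_package and semodule -i are the steps audit2allow -M runs for you.
    print(policy_module("mypol", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Read the generated rules before installing them rather than trusting the tool: both here are read-only `getattr` on a virtd_t process, and in the first record `path="/proc/2883"` equals the helper's own `ppid=2883` (syscall 4 on x86_64 is stat), so polkit-resolve-exe-helper is inspecting its parent process, which is the narrow kind of access a local module can reasonably grant. A generated module asking for write, ptrace or transition permissions against virtd_t would call for investigation instead.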
Comment 3 Daniel Walsh 2008-11-17 22:05:30 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.