| Field | Value |
|---|---|
| Summary | spice-vdagent does not have a selinux policy for (selinux) confined users |
| Product | Fedora |
| Reporter | bodhi.zazen <bodhi.zazen> |
| Component | selinux-policy-targeted |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 15 |
| CC | bodhi.zazen, dwalsh, hdegoede, marcandre.lureau |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2011-08-22 05:42:47 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Attachments | |
-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers

Is this in permissive mode? If not, please switch to permissive mode and collect all AVC msgs and attach them.

@Miroslav - Thank you for your time and attention. Yes, that was with permissive mode and included all the AVC msgs I found. With that spice.te, spice-vdagent is working with selinux in enforcing mode. Note: that module was for staff_u only, I did not test user_u, although I would be willing if you feel it would help.

Ok, I am fixing it.

Fixed in selinux-policy-3.9.16-38.fc15

Thank you. Do you need any testing / te for confining user_u?

Sure, it should work for user_u and xguest_u.

I am so sorry, I thought I had this resolved. The problem was I had left selinux in permissive mode. When I put it into enforcing mode, the module I posted here did not work. I did not see any additional AVC denials in the logs, so I looked for silent denials:

semodule -DB

Still nothing. With selinux in enforcing mode, spice-vdagent fails to start. If I then follow the logs with tail -F /var/log/audit/audit.log and manually start spice-vdagent from the command line, it fails with no errors on the command line and nothing in the logs. If I put selinux into permissive mode then I can again start the spice-vdagent. I can get it to work if I allow the "kitchen sink", i.e. all AVC denials in the logs when I log in, but the resulting local.te has a long list of policies / rules that have to do with things such as pulse-audio and what not.

I am at a dead end, so I am attaching an "everything.te". Obviously this contains a bunch of policy that does not apply to spice-vdagent, including ecryptfs and a bunch of desktop policy such as pulse audio, but if I semodule -i everything.pp then spice-vdagent works when enforcing selinux. I hope some of these rules can help with enforcing users in general, but any suggestions on spice-vdagent would be appreciated.

Created attachment 518051 [details]
everything.te contains every AVC denial I am getting on login with selinux in permissive mode.

Could you add raw AVC msgs?

Created attachment 518112 [details]
I attached a copy of audit.log
The tempfs_denials are for ecryptfs.

update: It is working now

```
selinux-policy.noarch          3.9.16-35.fc15  @updates
selinux-policy-targeted.noarch 3.9.16-35.fc15  @updates

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted
```

Same spice.te / spice.pp as in my first post. Sorry for the trouble, not really sure why I was having a problem, all I did was reboot the KVM guest and now it works as expected.

Ok, please reopen if the problem still exists.
Description of problem:
spice-vdagent does not have a selinux policy for (selinux) confined users. If you confine your users, spice-vdagent no longer works.

Version-Release number of selected component (if applicable):

How reproducible:
Always (when confining users)

Steps to Reproduce:
1. Confine your users with selinux, either as a user_u or staff_u
2. Log in via GDM
3. spice-vdagent no longer functions

Actual results:
spice-vdagent no longer functions

Expected results:
spice-vdagent functions with confined (staff_u) users. I assume it will work with user_u, just add in a user_t

Additional info:
Here is the spice te I generated.

```
module spice 1.0;

require {
	type staff_t;
	type vdagent_exec_t;
	type vdagent_t;
	type vdagent_log_t;
	type vdagent_var_run_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir { search getattr };
	class file getattr;
}

#============= staff_t ==============
allow staff_t vdagent_exec_t:file getattr;
allow staff_t vdagent_log_t:dir getattr;
allow staff_t vdagent_t:unix_stream_socket connectto;
allow staff_t vdagent_var_run_t:dir search;
allow staff_t vdagent_var_run_t:sock_file write;
```
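The step the reporter went through (collect AVC denials from audit.log, turn them into allow rules) as an added Python example that is not part of the bug report or of audit2allow: it parses constructed audit.log lines and keeps only denials whose target type starts with `vdagent`, so a module like the spice.te above comes out instead of an "everything.te" full of ecryptfs and pulseaudio rules. The sample log lines, the `vdagent` prefix and the function names are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not the reporter's attachment).
# The last line is an unrelated home-directory denial that a spice module must not absorb.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1311000000.101:201): avc:  denied  { connectto } for  pid=1901 comm="gnome-session" path="/var/run/spice-vdagentd/spice-vdagent-sock" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:vdagent_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1311000000.101:202): avc:  denied  { search } for  pid=1901 comm="gnome-session" name="spice-vdagentd" dev=tmpfs ino=12345 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:vdagent_var_run_t:s0 tclass=dir
type=AVC msg=audit(1311000000.102:203): avc:  denied  { write } for  pid=1901 comm="gnome-session" name="spice-vdagent-sock" dev=tmpfs ino=12346 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:vdagent_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1311000000.103:204): avc:  denied  { getattr } for  pid=1901 comm="gnome-session" path="/usr/bin/spice-vdagent" dev=vda1 ino=5555 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:vdagent_exec_t:s0 tclass=file
type=AVC msg=audit(1311000000.103:205): avc:  denied  { getattr } for  pid=1901 comm="gnome-session" path="/var/log/spice-vdagentd" dev=vda1 ino=6666 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:vdagent_log_t:s0 tclass=dir
type=AVC msg=audit(1311000000.104:206): avc:  denied  { read } for  pid=1950 comm="pulseaudio" name="cookie" dev=ecryptfs ino=777 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
"""

# Pull the permission set, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)

def parse_avc(log_text):
    """Yield (source_type, target_type, class, frozenset(perms)) for each denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split())

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def build_module(log_text, name, target_prefix):
    """Merge denials whose target type starts with target_prefix into one .te module."""
    rules = defaultdict(set)            # (stype, ttype, tclass) -> perms
    for stype, ttype, tclass, perms in parse_avc(log_text):
        if ttype.startswith(target_prefix):
            rules[(stype, ttype, tclass)] |= perms
    if not rules:
        return ""                       # nothing relevant to this module
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)          # require block needs every class/perm used
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT_LOG, "spice", "vdagent"))
```

The output can be compiled the usual way (checkmodule, semodule_package, semodule -i) to compare against the reporter's spice.te; the unrelated user_home_t denial is left out by the prefix filter.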