Bug 805907

Summary: spice-vdagent does not work in Fedora 17 with selinux enabled
Product: [Fedora] Fedora
Reporter: Hans de Goede <hdegoede>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, dwmw2, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.10.0-106.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-12 02:38:39 UTC
Attachments:
- Log file with all AVC-s noticed while running / using the agent. (Flags: none)

Description Hans de Goede 2012-03-22 12:25:17 UTC
Created attachment 571978 [details]
Log file with all AVC-s noticed while running / using the agent.

Hi,

First of all if you try to reproduce this / test a fix for it, you need to use this spice-vdagent (or newer):
http://koji.fedoraproject.org/koji/buildinfo?buildID=308852

The reason for this, and also the reason for the need to update the selinux policy is that in F-17 there is no more consolekit, so the latest version of the agent (also) supports using libsystemd-login to get the session info it needs.

I've tried to make life easier for you by gathering all the AVC-s, putting them through audit2allow and verifying that the generated module fixes the issues I'm seeing. But it does not! With the attached AVC-s run through audit2allow, and the generated module installed, I no longer get any AVC-s, but the agent still malfunctions!

To be precise, it logs the following to /var/log/spice-vdagentd/spice-vdagentd.log:
"Error getting session for pid 984: Permission denied",
each time a user logs in to a graphical session (which starts the per-user session part of the agent). Doing "setenforce 0" followed by a logout / login (note: no vdagentd restart needed) makes this message go away, and after that the agent functions as it should (i.e. one can copy-paste between the VM and apps running next to the client viewing the VM).

I must say I'm a bit mystified about selinux blocking the agent without logging an AVC, hopefully you can figure out the cause.

Regards,

Hans

Comment 1 Miroslav Grepl 2012-03-22 12:47:35 UTC
Were you trying to collect all AVC msgs in permissive mode?

Comment 2 Miroslav Grepl 2012-03-22 13:18:18 UTC
I added fixes to F17.

Comment 3 Hans de Goede 2012-03-22 13:50:26 UTC
(In reply to comment #1)
> Were you trying to collect all AVC msgs in permissive mode?

Yes and no. At first I did a number of the following cycles while in enforcing mode:
- vdagentd does not work -> look in audit.log
- collect AVC-s, add to AVC-s from previous cycle
- feed collected AVC-s to audit2allow
- remove previous version of selinux module made by audit2allow
- install new selinux module

When that failed to get me any further I moved to permissive mode, which did get me 3 additional AVC-s (so it seems that in enforcing mode it failed before it got to these 3), which I also added to my AVC list, then audit2allow, rinse, repeat ... But in the end I failed to get it to work in enforcing mode this way.

(In reply to comment #2)
> I added fixes to F17.

Good, I assume you will update this bug when a build with those fixes in it gets done? Then I'll give the new policy a try.

p.s.

You changed the component to 0xffff; I assume that was accidental, so I'm changing it back.
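
The collection cycle described in the report and in the comment above (gather AVC records, feed them to audit2allow, load the module, repeat) can be followed with a small script. The following is an added example, not code from this bug or from the spice-vdagent or selinux-policy projects: it parses raw AVC records the way audit2allow does, merges the denials into candidate allow rules keyed on (source type, target type, object class), lists the denials attributed to one pid, and names the source domains that would need to be made permissive to capture every denial in one run. The audit.log excerpt embedded in it is constructed for illustration; its pids, paths and the `init_var_run_t` / `unconfined_t` targets are hypothetical and are not taken from the attachment on this bug.

```python
"""Minimal audit2allow-style summariser for SELinux AVC records.

Added example; not part of the bug report or of the spice-vdagent or
selinux-policy code. The records below are constructed for illustration
(pids, paths and target types are hypothetical) and are not from the
attachment on the bug.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: three denials for the confined daemon,
# one SYSCALL record sharing the serial of the dir search (so it correlates
# with it), and one denial from a different process and domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1332417300.101:201): avc:  denied  { read } for  pid=1342 comm="spice-vdagentd" name="1" dev="tmpfs" ino=12345 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=AVC msg=audit(1332417300.101:201): avc:  denied  { open } for  pid=1342 comm="spice-vdagentd" path="/run/systemd/sessions/1" dev="tmpfs" ino=12345 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=AVC msg=audit(1332417300.102:202): avc:  denied  { search } for  pid=1342 comm="spice-vdagentd" name="sessions" dev="tmpfs" ino=12340 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1332417300.102:202): arch=c000003e syscall=2 success=no exit=-13 items=0 pid=1342 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=system_u:system_r:vdagent_t:s0 key=(null)
type=AVC msg=audit(1332417301.500:203): avc:  denied  { execmem } for  pid=1407 comm="spice-vdagent" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

# Header of an AVC record; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm", "?"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def allow_rules(lines):
    """Collapse denials into allow rules the way audit2allow does: one rule
    per (source type, target type, object class) with permissions merged."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return sorted(rules)


def denials_for_pid(lines, pid):
    """Every denial attributed to one process, in log order, as
    (object class, permissions, target type) tuples."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and rec["pid"] == pid:
            out.append((rec["tclass"], rec["perms"], type_of(rec["tcontext"])))
    return out


def source_domains(lines):
    """Distinct source types that were denied: the domains to mark permissive
    (semanage permissive -a TYPE) so one run records every denial without
    running the whole system with setenforce 0."""
    domains = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            domains.add(type_of(rec["scontext"]))
    return sorted(domains)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in allow_rules(lines):
        print(rule)
    for dom in source_domains(lines):
        print("# semanage permissive -a %s" % dom)
```

Two caveats worth keeping in mind when using this kind of cycle. First, the merged rules are a starting point for the policy maintainer, not something to load as a local module on production systems: a blanket `allow` widens the confined domain, and the proper fix is the one taken in this bug, a change to the distribution policy. Second, a denial that matches a `dontaudit` rule in the loaded policy is never written to audit.log at all, so a program can be blocked in enforcing mode with no AVC to collect; `semodule -DB` rebuilds the policy with dontaudit rules disabled (and `semodule -B` restores them), which is the first thing to check when enforcing mode breaks something without logging a denial.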

Comment 4 Miroslav Grepl 2012-03-22 14:08:41 UTC
My browser does this ... it does not like the selinux-policy component :).

Yes, I am going to do a new build today which you could test.

Comment 5 Fedora Update System 2012-03-22 19:27:56 UTC
selinux-policy-3.10.0-106.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-106.fc17

Comment 6 Fedora Update System 2012-03-25 21:29:57 UTC
Package selinux-policy-3.10.0-106.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-106.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4694/selinux-policy-3.10.0-106.fc17
then log in and leave karma (feedback).

Comment 7 Miroslav Grepl 2012-03-26 09:00:50 UTC
Hans,
did you test it with the latest build from koji?

Comment 8 Hans de Goede 2012-03-26 09:43:20 UTC
Hi,

(In reply to comment #7)
> Hans,
> did you test it with the latest build from koji?

I just did, works like a charm! Thanks for the quick fix!

Regards,

Hans

Comment 9 Fedora Update System 2012-04-12 02:38:39 UTC
selinux-policy-3.10.0-106.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.