Bug 995434
| Summary: | Cannot create virtual machine in VirtManager in enforcing after system update | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | dwalsh, ebenes, mtruneck |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-214.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-21 10:48:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Did you disable unconfined module? optional_policy(`
fcoemon_dgram_send(lldpad_t)
')
will be added. But it should work with enabled unconfined module because of
optional_policy(`
unconfined_domain(lldpad_t)
')
Yes, I was running with disabled unconfined module. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html |
Description of problem: SELinux is preventing /usr/sbin/lldpad from sendto access on the unix_dgram_socket @00022. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that lldpad should be allowed sendto access on the @00022 unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lldpad /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:lldpad_t:s0 Target Context system_u:system_r:fcoemon_t:s0 Target Objects @00022 [ unix_dgram_socket ] Source lldpad Source Path /usr/sbin/lldpad Port <Unknown> Host dhcp-25-142.brq.redhat.com Source RPM Packages lldpad-0.9.45-7.el6.x86_64 Target RPM Packages Policy RPM selinux-policy-3.7.19-211.el6.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name dhcp-25-142.brq.redhat.com Platform Linux dhcp-25-142.brq.redhat.com 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 Alert Count 4 First Seen Fri 09 Aug 2013 01:05:03 PM CEST Last Seen Fri 09 Aug 2013 01:07:23 PM CEST Local ID 0bdce7c6-d5a9-4048-86ed-a9e4e10862f3 Raw Audit Messages type=AVC msg=audit(1376046443.294:69876): avc: denied { sendto } for pid=2755 comm="lldpad" path=003030303232 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket type=SYSCALL msg=audit(1376046443.294:69876): arch=x86_64 syscall=sendto success=yes exit=ENOEXEC a0=4 a1=164f160 a2=8 a3=0 items=0 ppid=1 pid=2755 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) Hash: lldpad,lldpad_t,fcoemon_t,unix_dgram_socket,sendto audit2allow #============= lldpad_t ============== allow lldpad_t fcoemon_t:unix_dgram_socket sendto; audit2allow -R #============= lldpad_t ============== allow lldpad_t fcoemon_t:unix_dgram_socket sendto; Steps to Reproduce: 1. Just create virtual machine via VirtManager. Almost default, just Video changed to vga and NIC changed to bridged. 2.