Description of problem: The virt-sandbox tool has historically used svirt_t for QEMU/KVM guests and svirt_lxc_sandbox_t for LXC guests The use of svirt_t was not working since it did not allow general use of resources from the host OS. Reently the SELinux policy gained new svirt_qemu_net_t and svirt_kvm_net_t domains to address this These should types should basically have had a union of all the rules for svirt_t and (most) of the rules for svirt_lxc_sandbox_t. It appears, howerver, that svirt_qemu_net_t and svirt_kvm_net_t are missing a number of the svirt_t related rules. For example, I get the following denials type=AVC msg=audit(1384448197.667:626): avc: denied { append } for pid=8553 comm="qemu-system-x86" path="/home/berrange/.cache/libvirt/qemu/log/sandbox.log" dev="dm-0" ino=659232 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file type=AVC msg=audit(1384448197.667:626): avc: denied { append } for pid=8553 comm="qemu-system-x86" path="/home/berrange/.cache/libvirt/qemu/log/sandbox.log" dev="dm-0" ino=659232 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file type=AVC msg=audit(1384448197.697:627): avc: denied { write } for pid=8553 comm="qemu-system-x86" name="lib" dev="dm-0" ino=659215 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir Which audit2allow suggests #============= svirt_qemu_net_t ============== allow svirt_qemu_net_t svirt_home_t:dir write; allow svirt_qemu_net_t svirt_home_t:file append; Version-Release number of selected component (if applicable): selinux-policy-3.12.1-90.fc20.noarch How reproducible: Always Steps to Reproduce: 1. Apply Dan W's patches to libvirt-sandbox for svirt_qemu_net_t usage 2. Run virt-sandbox -c qemu:///session /bin/date 3. Actual results: Above AVCs are produced Expected results: No AVCs Additional info:
c1b7b1736cfaf123a43e161379ebc9c6643b42ec fixes this in git. Need this patch in RHEL7 also.
(In reply to Daniel Walsh from comment #1) > c1b7b1736cfaf123a43e161379ebc9c6643b42ec fixes this in git. Which GIT repo is this hash from ?
Daniel: https://git.fedorahosted.org/cgit/selinux-policy.git/ Fix is included in f20 and rawhide.
Yes, it has been back ported and it is a part of the latest builds.
selinux-policy-3.12.1-105.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-105.fc20
Package selinux-policy-3.12.1-105.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-105.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-22285/selinux-policy-3.12.1-105.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-105.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.