Description of problem:
In kernel 4.2 the following patch series was merged: https://lkml.org/lkml/2015/4/9/124

hyperv-daemons will shortly switch to using these new devices. In particular,
hypervkvpd (system_u:system_r:hypervkvp_t:s0 atm) will need to access /dev/vmbus/hv_kvp (rw)
hypervvssd (system_u:system_r:hypervvssd_t:s0 atm) will need to access /dev/vmbus/hv_vss (rw)
hypervfcopyd (system_u:system_r:unconfined_service_t:s0 atm) will continue using /dev/vmbus/hv_fcopy

Current policy prevents hypervkvpd and hypervvssd from accessing their devices:

type=AVC msg=audit(1436484445.431:449): avc: denied { read write } for pid=5724 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=18556 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1436484448.569:452): avc: denied { read write } for pid=5731 comm="hypervvssd" name="hv_vss" dev="devtmpfs" ino=18557 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0

I would also suggest we introduce a new hypervfcopyd_t for hypervfcopyd.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.2.fc22.noarch
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Hi Vytaly! Can we label hypervfcopyd as hypervkvp_t? What is the purpose of this service? Which rpm package owns /dev/vmbus? We need to find the proper label for /dev/vmbus/* devices.
Vytaly/Vitaly. Sorry for mistake.
(In reply to Lukas Vrabec from comment #2)
> Hi Vytaly!
>
> Can we label hypervfcopyd as hypervkvp_t?

That would be a misnomer. hypervkvp_t is being used for hypervkvpd (key-value pair service, mainly used to set/get network configuration of a VM from the host).

> What is purpose of this service?

hypervfcopyd is a file copy service, it supports copying a file from host to guest through vmbus.

> Which rpm package owns /dev/vmbus?

No one owns it, I think udev creates this folder and device files there when kernel registers corresponding devices.

> We need to find proper label for /dev/vmbus/* devices.

I'd suggest we use different labels for these services as they're independent and shouldn't normally access other devices.
We should add labeling for /dev/vmbus and probably a new domain for hypervfcopyd.
I've just hit this on the Fedora 23 LiveCD after starting the hypervkvpd service and it breaks things like getting the IP address of the guest. Switching selinux to permissive mode produced the following logs:

type=SERVICE_START msg=audit(1446613082.722:556): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=hypervkvpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1446613082.732:557): avc: denied { read write } for pid=2924 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1446613082.732:558): avc: denied { open } for pid=2924 comm="hypervkvpd" path="/dev/vmbus/hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
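The denials quoted in the report and in the comment above all have the same shape: a confined daemon domain blocked on a /dev/vmbus node that is still labelled with the generic device_t. The following added example (not code from this bug or from the selinux-policy package) parses those AVC records and, instead of the naive fix of granting the daemon access to device_t, emits a local module fragment that gives each node its own device type, as the thread proposes. The type names hypervkvp_device_t and hypervvssd_device_t are assumptions for illustration.

```python
import re

# Constructed sample input: the AVC denials quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1436484445.431:449): avc: denied { read write } for pid=5724 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=18556 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1436484448.569:452): avc: denied { read write } for pid=5731 comm="hypervvssd" name="hv_vss" dev="devtmpfs" ino=18557 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1446613082.732:558): avc: denied { open } for pid=2924 comm="hypervkvpd" path="/dev/vmbus/hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

# Hypothetical per-daemon device types, so each domain is confined to its own vmbus node.
DEVICE_TYPES = {"hv_kvp": "hypervkvp_device_t", "hv_vss": "hypervvssd_device_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Extract (source type, device node name, object class, permissions) from each AVC line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START and other non-AVC records carry no denial
        # The node appears as name="hv_kvp" or, once opened, as path="/dev/vmbus/hv_kvp".
        node = re.search(r'\bname="([^"]+)"', line) or re.search(r'\bpath="[^"]*/([^"/]+)"', line)
        out.append((m.group("sctx").split(":")[2], node.group(1) if node else None,
                    m.group("tclass"), frozenset(m.group("perms").split())))
    return out

def build_policy(records, device_types):
    """Return (.te text, .fc text) labelling each node with its own type rather than opening device_t."""
    perms_by_key = {}
    for stype, node, tclass, perms in records:
        if node in device_types:  # skip denials on nodes we have no dedicated type for
            perms_by_key.setdefault((stype, device_types[node], tclass), set()).update(perms)
    te = ["policy_module(hv_vmbus_local, 1.0)", "require {"]
    te += ["\ttype %s;" % s for s in sorted({k[0] for k in perms_by_key})]
    te.append("}")
    for dtype in sorted(set(device_types.values())):
        te += ["type %s;" % dtype, "dev_node(%s)" % dtype]  # dev_node() is the refpolicy device-type interface
    for (stype, dtype, tclass), perms in sorted(perms_by_key.items()):
        te.append("allow %s %s:%s { %s };" % (stype, dtype, tclass, " ".join(sorted(perms))))
    fc = ["/dev/vmbus/%s\t-c\tgen_context(system_u:object_r:%s,s0)" % (n, t)
          for n, t in sorted(device_types.items())]
    return "\n".join(te) + "\n", "\n".join(fc) + "\n"
```

Merging the records from both comments yields a single rule granting hypervkvp_t { open read write } on hypervkvp_device_t, while hypervvssd_t gets only its own node; nothing is granted on device_t.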
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Greetings, everyone. I've also hit this exact same bug in CentOS 7.2. All packages in this system are up-to-date. The LIS version that this system is using is 4.1, the one released on the 18th of this month. I'm glad to see this issue will be fixed in the near future! Is there an ETA for the release of this new package for CentOS?
selinux-policy-3.13.1-180.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.