Description of problem:
SE breaks spice-vdagent overall functionality.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-155.fc24.noarch

How reproducible:
101%

Steps to Reproduce:
1. Run Fedora-Live-Xfce-x86_64-rawhide-20151022.iso within libvirt domain.

Actual results:
spice-vdagent doesn't work.

Expected results:
spice-vdagent works.

Additional info:
# sealert -a /var/log/audit/audit.log
100% done
found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-155.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.3.0-0.rc6.git1.1.fc24.x86_64 #1 SMP Tue Oct 20 15:25:10 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-10-24 00:14:21 EDT
Last Seen                     2015-10-24 00:15:05 EDT
Local ID                      d837d7be-1b97-44ea-bb49-cdbfb9974702

Raw Audit Messages
type=AVC msg=audit(1445660105.724:741): avc: denied { getattr } for pid=1202 comm="spice-vdagentd" name="/" dev="tmpfs" ino=1181 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

--------------------------------------------------------------------------------

# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# cat mypol.te
module mypol 1.0;

require {
    type tmpfs_t;
    type vdagent_t;
    class filesystem getattr;
}

#============= vdagent_t ==============
allow vdagent_t tmpfs_t:filesystem getattr;
Could you please add your output of ls -lZ /sys/fs/cgroup/
# systemctl status spice-vdagentd.service
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2015-11-13 12:20:09 EST; 13min ago
  Process: 989 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/SUCCESS)
  Process: 984 ExecStartPre=/bin/rm -f /var/run/spice-vdagentd/spice-vdagent-sock (code=exited, status=0/SUCCESS)
 Main PID: 998 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─998 /usr/sbin/spice-vdagentd

Nov 13 12:20:08 localhost systemd[1]: Starting Agent daemon for Spice guests...
Nov 13 12:20:09 localhost systemd[1]: Started Agent daemon for Spice guests.
Nov 13 12:20:17 localhost spice-vdagentd[998]: Error getting session for pid 1831: Permission denied

# ps uq 1831
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
liveuser  1831  0.0  0.1  38948  2056 ?        Ss   12:20   0:00 /usr/bin/spice-vdagent

# grep -i spice /var/log/audit/audit.log
type=SERVICE_START msg=audit(1447435209.085:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=spice-vdagentd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1447435217.843:504): avc: denied { getattr } for pid=998 comm="spice-vdagentd" name="/" dev="tmpfs" ino=10199 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

# ll -Z /sys/fs/cgroup/
total 0
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 blkio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpu -> cpu,cpuacct
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpuacct -> cpu,cpuacct
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 cpu,cpuacct
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 cpuset
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 devices
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 freezer
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 hugetlb
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 memory
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_cls -> net_cls,net_prio
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 net_cls,net_prio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_prio -> net_cls,net_prio
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 perf_event
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 pids
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 systemd

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-157.fc24.noarch

Tested with: Fedora-Live-Xfce-x86_64-rawhide-20151110.iso
Thank you. The problem is with /sys/fs/cgroup/ labeling.
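As an added example (not code from this report, nor from the spice-vdagent, systemd or selinux-policy projects), the following Python triage script parses the raw AVC record quoted above, rebuilds the rule audit2allow printed, and uses the ll -Z listing of /sys/fs/cgroup to tell a mislabeled mount root apart from a genuinely missing policy rule. The sample strings are copied from the thread; the 'labeling'/'policy' verdicts and the heuristic behind them are my own construction.

```python
"""Triage the AVC denial from this report: parse it, build the audit2allow-style rule,
and compare the denied mount root's label with the ls -lZ listing of its subtrees."""
import re
# Raw audit message and three `ll -Z /sys/fs/cgroup/` entries copied from the report above.
SAMPLE_AVC = ('type=AVC msg=audit(1445660105.724:741): avc:  denied  { getattr } for  pid=1202 '
              'comm="spice-vdagentd" name="/" dev="tmpfs" ino=1181 '
              'scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
              'tclass=filesystem permissive=0')
SAMPLE_LS = """dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0 0 Nov 13 12:31 blkio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0 11 Nov 13 12:19 cpu -> cpu,cpuacct
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0 0 Nov 13 12:31 memory"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    return context.split(':')[2]  # user:role:type:level -> type

def parse_avc(line):
    """Return (permissions, fields) for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    return m.group('perms').split(), fields

def allow_rule(perms, fields):
    """The rule audit2allow printed in the report: allow vdagent_t tmpfs_t:filesystem getattr;"""
    p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(fields['scontext']), type_of(fields['tcontext']),
                                   fields['tclass'], p)

def parse_ls_z(listing):
    """Map entry name -> (mode character, SELinux type) from `ls -lZ` output lines."""
    out = {}
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 10 and f[4].count(':') >= 2:
            out[f[9]] = (f[0][0], type_of(f[4]))
    return out

def diagnose(fields, children):
    """'labeling' when a mount root carries a type that none of the directories under it do.
    Allowing that type instead would cover every filesystem labeled the same way (heuristic)."""
    if fields.get('tclass') != 'filesystem' or fields.get('name') != '/':
        return 'policy'
    root = type_of(fields['tcontext'])
    dir_types = {t for mode, t in children.values() if mode == 'd'}
    if dir_types and root not in dir_types:
        return 'labeling: root is %s, subtrees are %s' % (root, ','.join(sorted(dir_types)))
    return 'policy'
```

Run against the denial from this report it yields the same allow rule audit2allow produced and a 'labeling' verdict, because the tmpfs root is tmpfs_t while every cgroup hierarchy mounted under it is cgroup_t.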
Pan Vrabec, here's another one bothering us for a long time, if you can fix it also.

# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-162.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.4.0-0.rc3.git4.1.fc24.x86_64 #1 SMP Fri Dec 4 16:10:15 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-08 12:27:53 EST
Last Seen                     2015-12-08 12:27:53 EST
Local ID                      3e331eed-9799-4e5d-9de9-889d4bc53368

Raw Audit Messages
type=AVC msg=audit(1449595673.876:163): avc: denied { getattr } for pid=1057 comm="spice-vdagentd" name="/" dev="tmpfs" ino=195 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr
Moving to systemd. They need to also fix labeling for /sys/fs/cgroup mount point.
Since there is no response from both, upstream and downstream.