Bug 1276251 - SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup.
SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesyste...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
24
x86_64 Unspecified
high Severity high
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
AcceptedBlocker AcceptedFreezeExcepti...
: Reopened
: 1317960 (view as bug list)
Depends On:
Blocks: F24AlphaFreezeException F24FinalBlocker
  Show dependency treegraph
 
Reported: 2015-10-29 05:04 EDT by Joachim Frieben
Modified: 2016-03-23 12:56 EDT (History)
15 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-177.fc24 selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-23 12:56:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Joachim Frieben 2015-10-29 05:04:32 EDT
Description of problem:
SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-156.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.0-0.rc7.git1.1.fc24.x86_64 #1
                              SMP Tue Oct 27 16:50:25 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-29 10:02:35 CET
Last Seen                     2015-10-29 10:02:35 CET
Local ID                      5defad19-42d3-407d-9b09-7560d6878e7c

Raw Audit Messages
type=AVC msg=audit(1446109355.534:570): avc:  denied  { getattr } for  pid=699 comm="spice-vdagentd" name="/" dev="tmpfs" ino=9622 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-156.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.0-0.rc7.git1.1.fc24.x86_64
type:           libreport
Comment 1 Giulio 'juliuxpigface' 2016-02-03 16:27:32 EST
Description of problem:
I encounter this frequently; at least on every boot, but I suspect it pops up later too.

This might be related to bug 1296150

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc1.git2.1.fc24.x86_64
type:           libreport
Comment 2 Giulio 'juliuxpigface' 2016-02-03 16:29:52 EST
(In reply to Giulio 'juliuxpigface' from comment #1)
> Description of problem:
> I encounter this frequently; at least on every boot, but I suspect it pops
> up later too.
> 
> This might be related to bug 1296150
> 

Please disregard this description... It was not for this bug report but for another one. I apologize for the inconvenience it may have caused.
Comment 3 Petr Schindler 2016-02-16 08:41:44 EST
Description of problem:
This selinux alert appears right after start of the system.

Version-Release number of selected component:
selinux-policy-3.13.1-171.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc3.git3.1.fc24.x86_64
type:           libreport
Comment 4 Jan Kurik 2016-02-24 10:48:04 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 5 Fedora Blocker Bugs Application 2016-03-06 18:40:24 EST
Proposed as a Blocker for 24-final by Fedora user chrismurphy using the blocker tracking app because:

 This denial comes up on Workstation lives during live boot and post-install.
selinux-policy-3.13.1-176.fc24.noarch
Fedora-Workstation-Live-x86_64-24-20160305.0.iso. 

"SELinux and crash notifications
There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "

Pretty sure this is not an selinux-policy bug, but is systemd setting the label on /sys/fs/cgroup.
Comment 6 Kamil Páral 2016-03-07 13:11:20 EST
Discussed at today's blocker review meeting [1]. Accepted as a Final blocker -  it's a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-03-07/
Comment 7 Lukas Vrabec 2016-03-08 09:20:25 EST
commit f79000faf875b13dc06ef5020345eaf23396039a
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Mar 8 14:48:57 2016 +0100

    Allow spice-vdagent to getattr on tmpfs_t filesystems
    Resolves: rhbz#1276251
Comment 8 Fedora Update System 2016-03-11 04:56:12 EST
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 9 Fedora Update System 2016-03-11 14:25:53 EST
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015
Comment 10 John Dulaney 2016-03-15 14:59:46 EDT
*** Bug 1317960 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2016-03-16 09:42:10 EDT
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 12 Fedora Update System 2016-03-18 10:58:44 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969
Comment 13 Adam Williamson 2016-03-18 17:49:00 EDT
Description of problem:
Booted the F24 Alpha 1.5 Workstation x86_64 live image in a KVM, this denial appeared as soon as the desktop came up. I do notice that I can't seem to cut/paste into or out of the VM - this denial may be why?

Version-Release number of selected component:
selinux-policy-3.13.1-176.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport
Comment 14 Adam Williamson 2016-03-18 17:50:40 EDT
Proposing as an Alpha freeze exception; avoiding an AVC out-of-the-box seems like a good idea, and if this would also fix copying/pasting into/out of a VM while running live, that's significant too.
Comment 15 Dennis Gilmore 2016-03-18 18:13:27 EDT
+1 FE
Comment 16 Kevin Fenzi 2016-03-18 18:15:12 EDT
Sure, +1 FE
Comment 17 Adam Williamson 2016-03-18 18:16:13 EDT
That's +3, marking accepted.
Comment 18 Adam Williamson 2016-03-19 16:26:38 EDT
The update has not yet gone stable. Please do not close the bug. If it's closed, we won't notice that it needs a stable push.
Comment 19 Fedora Update System 2016-03-23 12:54:49 EDT
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.