Version-Release number of selected component: selinux-policy-3.13.1-154.fc23.noarch

Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.2.6-300.fc23.x86_64
type: libreport

Potential duplicate: bug 799169
Hi,

We have no info about your issue. Could you please attach the log from "/var/log/audit/audit.log"?

I'm closing this for now, but feel free to re-open this issue with related logs.

Thank you.
Created attachment 1098182 [details] /var/log/audit/audit.log
(In reply to Lukas Vrabec from comment #1)
> Hi,
> We have no info about your issue. Could you please attach log from
> "/var/log/audit/audit.log" ?
>
> I'm closing this for now, but feel free to re-open this issue with related
> logs.
>
> Thank you.

You can open the topic now. The attachment is here.
Use:

#sudo setsebool -P virt_use_execmem=1

to fix your issue.
(In reply to Lukas Vrabec from comment #4)
> Use:
> #sudo setsebool -P virt_use_execmem=1

But what does this do/allow exactly? Surely this is not something that is all right to do in all situations, or it would just be the default, yes?

Generally speaking, I find this true of all of the "setsebool" suggestions. They always just say to set it but not what the consequences of setting it are. Some better information there would be helpful.
Using standard KVM VMs does not require qemu to have the execmem privilege. execmem blocks certain attack vectors (a buffer overflow attack where the hacked process is able to overwrite memory and then execute the code it wrote). When using different qemu emulators that do not use KVM, the emulators require execmem to work, so you have to loosen the policy slightly to allow the access.

So turning on this boolean could allow a hacked qemu process that was susceptible to a buffer overflow attack to not be blocked by SELinux. Now, lots of other SELinux blocks would still be in effect. Since most people use KVM for VMs, we disable it by default.
Expanded this in a blog. http://danwalsh.livejournal.com/73611.html
@Daniel: Yeah, so what's interesting here then (and makes me glad I asked questions) is that I also only use KVM. So how did I get this AVC?
Going to reopen given the previous comment.
Brian, what AVC did you get?
I delete them from the GUI tool once I report them, but looking in audit.log it looks like:

type=AVC msg=audit(1449586668.433:5031): avc: denied { execmem } for pid=21265 comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0:c390,c401 tcontext=system_u:system_r:svirt_t:s0:c390,c401 tclass=process permissive=0
Right, that shows you are running an x86 qemu rather than the standard KVM qemu. The problem here is this should be run with a different type. Dan Berrange says on my blog that libvirt is supposed to launch these qemu instances with a different type, svirt_tcg_t, which would allow this access. I have added him to the CC to see if he has any comment.
(In reply to Daniel Walsh from comment #12)
> Right that shows you are running an x86 qemu rather then the standard kvm
> qemu.

That's not actually a problem - the regular x86 QEMU should have KVM support enabled. What we really require here is the /etc/libvirt/qemu/$GUEST.xml file and the corresponding /var/log/libvirt/qemu/$GUEST.log file for the instance that causes the AVC, so we can see how it's configured.
Created attachment 1115174 [details] VM config
Created attachment 1115175 [details] VM log
Were my log attachments helpful?
The XML configuration shows it is requesting KVM:

    <domain type='kvm'>

And the logfile shows that KVM is being turned on when launching QEMU, and fallback TCG is not enabled:

    -machine pc-i440fx-2.3,accel=kvm,usb=off

So QEMU is running with KVM, and as such should *not* require the 'execmem' privilege. So there is something else going on here. Can you show the output of

    $ ldd /usr/bin/qemu-kvm
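The two checks described in this comment (the `type` attribute of the guest's `<domain>` element, and the `accel=` list in the `-machine` option on the QEMU command line recorded in the guest log) can be scripted. The following is an added example, not libvirt's or QEMU's own code; the XML fragment and log line are constructed samples shaped like the ones discussed in this bug, and it also reports the `accel=kvm:tcg` form, in which QEMU would silently fall back to TCG emulation.

```python
"""Check whether a libvirt guest is configured for, and launched with, KVM.

Added example (not libvirt's or QEMU's code). It performs the two checks
described in the comment above: the <domain type='...'> attribute of the
guest XML and the -machine accel=... option in the guest's QEMU log.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: a minimal guest definition requesting KVM.
SAMPLE_XML = "<domain type='kvm'><name>guest</name></domain>"

# Constructed sample: a trimmed /var/log/libvirt/qemu/$GUEST.log.
SAMPLE_LOG = """\
starting up
LC_ALL=C /usr/bin/qemu-kvm -name guest -machine pc-i440fx-2.3,accel=kvm,usb=off -m 1024
"""


def domain_type(xml_text):
    """Return the hypervisor type requested in the guest XML ('kvm', 'qemu', ...)."""
    return ET.fromstring(xml_text).get('type')


def machine_accels(log_text):
    """Return the accelerator list from the first '-machine' option in a QEMU log.

    QEMU accepts accel=kvm:tcg, meaning 'try kvm, fall back to tcg'; the list
    is returned in that order so a caller can spot a tcg fallback.
    """
    for line in log_text.splitlines():
        if ' -machine ' not in line:
            continue
        argv = shlex.split(line)
        opts = argv[argv.index('-machine') + 1]
        for kv in opts.split(','):
            if kv.startswith('accel='):
                return kv[len('accel='):].split(':')
    return []


def check_kvm(xml_text, log_text):
    """Classify the guest: 'kvm', 'kvm-with-tcg-fallback', 'not-kvm-accel',
    'no-accel-found' or 'not-kvm-domain', plus the detail that decided it."""
    dtype = domain_type(xml_text)
    if dtype != 'kvm':
        return 'not-kvm-domain', dtype
    accels = machine_accels(log_text)
    if not accels:
        return 'no-accel-found', accels
    if accels[0] != 'kvm':
        return 'not-kvm-accel', accels
    if 'tcg' in accels[1:]:
        return 'kvm-with-tcg-fallback', accels
    return 'kvm', accels


if __name__ == '__main__':
    verdict, detail = check_kvm(SAMPLE_XML, SAMPLE_LOG)
    print(verdict, detail)
```

A verdict of `kvm` for a guest that still triggers an execmem denial is exactly the situation this comment describes: the accelerator is not the explanation, and the cause must be looked for elsewhere in the qemu process.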
$ ldd /usr/bin/qemu-kvm
    not a dynamic executable
$ cat /usr/bin/qemu-kvm
#!/bin/sh

exec /usr/bin/qemu-system-x86_64 -machine accel=kvm "$@"
$ ldd /usr/bin/qemu-system-x86_64
    linux-vdso.so.1 (0x00007ffc325e6000)
    libssl3.so => /lib64/libssl3.so (0x00007fe33f750000)
    libsmime3.so => /lib64/libsmime3.so (0x00007fe33f529000)
    libnss3.so => /lib64/libnss3.so (0x00007fe33f201000)
    libnssutil3.so => /lib64/libnssutil3.so (0x00007fe33efd4000)
    libplds4.so => /lib64/libplds4.so (0x00007fe33edd0000)
    libplc4.so => /lib64/libplc4.so (0x00007fe33ebca000)
    libnspr4.so => /lib64/libnspr4.so (0x00007fe33e98b000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe33e76e000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fe33e569000)
    libgthread-2.0.so.0 => /lib64/libgthread-2.0.so.0 (0x00007fe33e367000)
    libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007fe33e02e000)
    libGL.so.1 => /usr/lib64/nvidia/libGL.so.1 (0x00007fe33dcf9000)
    libGLESv2.so.2 => /usr/lib64/nvidia/libGLESv2.so.2 (0x00007fe33dae6000)
    libepoxy.so.0 => /lib64/libepoxy.so.0 (0x00007fe33d7e9000)
    libEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)
    libX11.so.6 => /lib64/libX11.so.6 (0x00007fe33d2a3000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fe33d08d000)
    libaio.so.1 => /lib64/libaio.so.1 (0x00007fe33ce8a000)
    libiscsi.so.4 => /usr/lib64/iscsi/libiscsi.so.4 (0x00007fe33cc65000)
    libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fe33c9eb000)
    librbd.so.1 => /lib64/librbd.so.1 (0x00007fe33a431000)
    librados.so.2 => /lib64/librados.so.2 (0x00007fe337ed9000)
    libacl.so.1 => /lib64/libacl.so.1 (0x00007fe337cd0000)
    libgfapi.so.0 => /lib64/libgfapi.so.0 (0x00007fe337aaf000)
    libglusterfs.so.0 => /lib64/libglusterfs.so.0 (0x00007fe3377e4000)
    libgfrpc.so.0 => /lib64/libgfrpc.so.0 (0x00007fe3375c8000)
    libgfxdr.so.0 => /lib64/libgfxdr.so.0 (0x00007fe3373af000)
    libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fe3371aa000)
    libssh2.so.1 => /lib64/libssh2.so.1 (0x00007fe336f7e000)
    libbz2.so.1 => /lib64/libbz2.so.1 (0x00007fe336d6d000)
    libpixman-1.so.0 => /lib64/libpixman-1.so.0 (0x00007fe336ac5000)
    libutil.so.1 => /lib64/libutil.so.1 (0x00007fe3368c2000)
    libnuma.so.1 => /lib64/libnuma.so.1 (0x00007fe3366b6000)
    libbluetooth.so.3 => /lib64/libbluetooth.so.3 (0x00007fe336494000)
    libncurses.so.5 => /lib64/libncurses.so.5 (0x00007fe33626e000)
    libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fe336043000)
    libbrlapi.so.0.6 => /lib64/libbrlapi.so.0.6 (0x00007fe335e37000)
    libasound.so.2 => /lib64/libasound.so.2 (0x00007fe335b4d000)
    libpulse.so.0 => /lib64/libpulse.so.0 (0x00007fe3358fb000)
    libpng16.so.16 => /lib64/libpng16.so.16 (0x00007fe3356c8000)
    libjpeg.so.62 => /lib64/libjpeg.so.62 (0x00007fe33546f000)
    libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fe335251000)
    libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007fe334f1e000)
    libSDL2-2.0.so.0 => /lib64/libSDL2-2.0.so.0 (0x00007fe334c1e000)
    libvte2_90.so.9 => /lib64/libvte2_90.so.9 (0x00007fe334976000)
    libgtk-3.so.0 => /lib64/libgtk-3.so.0 (0x00007fe334052000)
    libgdk-3.so.0 => /lib64/libgdk-3.so.0 (0x00007fe333d84000)
    libpangocairo-1.0.so.0 => /lib64/libpangocairo-1.0.so.0 (0x00007fe333b76000)
    libpango-1.0.so.0 => /lib64/libpango-1.0.so.0 (0x00007fe33392b000)
    libatk-1.0.so.0 => /lib64/libatk-1.0.so.0 (0x00007fe333705000)
    libcairo-gobject.so.2 => /lib64/libcairo-gobject.so.2 (0x00007fe3334fb000)
    libgdk_pixbuf-2.0.so.0 => /lib64/libgdk_pixbuf-2.0.so.0 (0x00007fe3332d5000)
    libgio-2.0.so.0 => /lib64/libgio-2.0.so.0 (0x00007fe332f55000)
    libgobject-2.0.so.0 => /lib64/libgobject-2.0.so.0 (0x00007fe332d02000)
    libcairo.so.2 => /lib64/libcairo.so.2 (0x00007fe3329d9000)
    libXext.so.6 => /lib64/libXext.so.6 (0x00007fe3327c7000)
    libnettle.so.6 => /lib64/libnettle.so.6 (0x00007fe33258f000)
    libxenstore.so.3.0 => /lib64/libxenstore.so.3.0 (0x00007fe332385000)
    libxenctrl.so.4.5 => /lib64/libxenctrl.so.4.5 (0x00007fe33215a000)
    libxenguest.so.4.5 => /lib64/libxenguest.so.4.5 (0x00007fe331f2c000)
    libseccomp.so.2 => /lib64/libseccomp.so.2 (0x00007fe331d00000)
    librdmacm.so.1 => /lib64/librdmacm.so.1 (0x00007fe331aea000)
    libibverbs.so.1 => /lib64/libibverbs.so.1 (0x00007fe3318d6000)
    libfdt.so.1 => /lib64/libfdt.so.1 (0x00007fe3316d0000)
    libspice-server.so.1 => /lib64/libspice-server.so.1 (0x00007fe3313a0000)
    libusb-1.0.so.0 => /lib64/libusb-1.0.so.0 (0x00007fe331186000)
    libusbredirparser.so.1 => /lib64/libusbredirparser.so.1 (0x00007fe330f7e000)
    libtcmalloc.so.4 => /lib64/libtcmalloc.so.4 (0x00007fe330d09000)
    librt.so.1 => /lib64/librt.so.1 (0x00007fe330b00000)
    libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fe33077e000)
    libm.so.6 => /lib64/libm.so.6 (0x00007fe33047c000)
    libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fe330264000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fe32fea3000)
    /lib64/ld-linux-x86-64.so.2 (0x00005646e2da6000)
    libnvidia-tls.so.358.16 => /usr/lib64/nvidia/tls/libnvidia-tls.so.358.16 (0x00007fe32fc9e000)
    libnvidia-glcore.so.358.16 => /usr/lib64/nvidia/libnvidia-glcore.so.358.16 (0x00007fe32e03d000)
    libGLdispatch.so.0 => /usr/lib64/nvidia/libGLdispatch.so.0 (0x00007fe32dda5000)
    libxcb.so.1 => /lib64/libxcb.so.1 (0x00007fe32db82000)
    libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fe32d89d000)
    libnghttp2.so.14 => /lib64/libnghttp2.so.14 (0x00007fe32d67c000)
    libidn.so.11 => /lib64/libidn.so.11 (0x00007fe32d447000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe32d1f9000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe32cf12000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe32ccdf000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe32cadb000)
    liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fe32c8cc000)
    libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe32c679000)
    libboost_thread.so.1.58.0 => /lib64/libboost_thread.so.1.58.0 (0x00007fe32c452000)
    libboost_system.so.1.58.0 => /lib64/libboost_system.so.1.58.0 (0x00007fe32c24d000)
    libatomic_ops.so.1 => /lib64/libatomic_ops.so.1 (0x00007fe32c04a000)
    libattr.so.1 => /lib64/libattr.so.1 (0x00007fe32be44000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe32b9e8000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007fe32b76f000)
    libpulsecommon-7.1.so => /usr/lib64/pulseaudio/libpulsecommon-7.1.so (0x00007fe32b4ee000)
    libX11-xcb.so.1 => /lib64/libX11-xcb.so.1 (0x00007fe32b2ec000)
    libICE.so.6 => /lib64/libICE.so.6 (0x00007fe32b0d0000)
    libSM.so.6 => /lib64/libSM.so.6 (0x00007fe32aec6000)
    libXtst.so.6 => /lib64/libXtst.so.6 (0x00007fe32acc0000)
    libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fe32ac38000)
    libjson-c.so.2 => /lib64/libjson-c.so.2 (0x00007fe32aa2c000)
    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe32a821000)
    libsndfile.so.1 => /lib64/libsndfile.so.1 (0x00007fe32a5c1000)
    libasyncns.so.0 => /lib64/libasyncns.so.0 (0x00007fe32a3ba000)
    libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fe32a16a000)
    libcap.so.2 => /lib64/libcap.so.2 (0x00007fe329f65000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe329d49000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe329b13000)
    libp11-kit.so.0 => /lib64/libp11-kit.so.0 (0x00007fe3298ad000)
    libtasn1.so.6 => /lib64/libtasn1.so.6 (0x00007fe329699000)
    libhogweed.so.4 => /lib64/libhogweed.so.4 (0x00007fe32946d000)
    libgmp.so.10 => /lib64/libgmp.so.10 (0x00007fe3291f5000)
    libgmodule-2.0.so.0 => /lib64/libgmodule-2.0.so.0 (0x00007fe328ff0000)
    libXi.so.6 => /lib64/libXi.so.6 (0x00007fe328de0000)
    libXfixes.so.3 => /lib64/libXfixes.so.3 (0x00007fe328bda000)
    libatk-bridge-2.0.so.0 => /lib64/libatk-bridge-2.0.so.0 (0x00007fe3289a9000)
    libpangoft2-1.0.so.0 => /lib64/libpangoft2-1.0.so.0 (0x00007fe328793000)
    libfontconfig.so.1 => /lib64/libfontconfig.so.1 (0x00007fe32854f000)
    libXinerama.so.1 => /lib64/libXinerama.so.1 (0x00007fe32834b000)
    libXrandr.so.2 => /lib64/libXrandr.so.2 (0x00007fe328140000)
    libXcursor.so.1 => /lib64/libXcursor.so.1 (0x00007fe327f35000)
    libXcomposite.so.1 => /lib64/libXcomposite.so.1 (0x00007fe327d31000)
    libXdamage.so.1 => /lib64/libXdamage.so.1 (0x00007fe327b2e000)
    libxkbcommon.so.0 => /lib64/libxkbcommon.so.0 (0x00007fe3278ee000)
    libwayland-cursor.so.0 => /lib64/libwayland-cursor.so.0 (0x00007fe3276e5000)
    libwayland-egl.so.1 => /lib64/libwayland-egl.so.1 (0x00007fe3274e3000)
    libwayland-client.so.0 => /lib64/libwayland-client.so.0 (0x00007fe3272d5000)
    libthai.so.0 => /lib64/libthai.so.0 (0x00007fe3270cb000)
    libharfbuzz.so.0 => /lib64/libharfbuzz.so.0 (0x00007fe326e69000)
    libfreetype.so.6 => /lib64/libfreetype.so.6 (0x00007fe326bbe000)
    libxcb-shm.so.0 => /lib64/libxcb-shm.so.0 (0x00007fe3269ba000)
    libxcb-render.so.0 => /lib64/libxcb-render.so.0 (0x00007fe3267af000)
    libXrender.so.1 => /lib64/libXrender.so.1 (0x00007fe3265a4000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe326380000)
    libffi.so.6 => /lib64/libffi.so.6 (0x00007fe326178000)
    liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fe325f51000)
    libnl-route-3.so.200 => /lib64/libnl-route-3.so.200 (0x00007fe325ceb000)
    libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007fe325aca000)
    libcacard.so.0 => /lib64/libcacard.so.0 (0x00007fe3258bd000)
    libcelt051.so.0 => /lib64/libcelt051.so.0 (0x00007fe3256ae000)
    libopus.so.0 => /lib64/libopus.so.0 (0x00007fe325461000)
    libudev.so.1 => /lib64/libudev.so.1 (0x00007fe32543f000)
    libunwind.so.8 => /lib64/libunwind.so.8 (0x00007fe325226000)
    libXau.so.6 => /lib64/libXau.so.6 (0x00007fe325021000)
    libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fe324e0d000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe324bfe000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe3249f9000)
    libdw.so.1 => /lib64/libdw.so.1 (0x00007fe3247af000)
    libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fe324596000)
    libgsm.so.1 => /lib64/libgsm.so.1 (0x00007fe32438a000)
    libFLAC.so.8 => /lib64/libFLAC.so.8 (0x00007fe32412f000)
    libvorbisenc.so.2 => /lib64/libvorbisenc.so.2 (0x00007fe323e86000)
    libfreebl3.so => /lib64/libfreebl3.so (0x00007fe323c09000)
    libatspi.so.0 => /lib64/libatspi.so.0 (0x00007fe3239d7000)
    libexpat.so.1 => /lib64/libexpat.so.1 (0x00007fe3237ad000)
    libdatrie.so.1 => /lib64/libdatrie.so.1 (0x00007fe3235a4000)
    libgraphite2.so.3 => /lib64/libgraphite2.so.3 (0x00007fe323387000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe323116000)
    libelf.so.1 => /lib64/libelf.so.1 (0x00007fe322f00000)
    libogg.so.0 => /lib64/libogg.so.0 (0x00007fe322cf8000)
    libvorbis.so.0 => /lib64/libvorbis.so.0 (0x00007fe322acb000)
(In reply to Brian J. Murrell from comment #18)
> $ ldd /usr/bin/qemu-kvm
> not a dynamic executable
> $ cat /usr/bin/qemu-kvm
> #!/bin/sh
>
> exec /usr/bin/qemu-system-x86_64 -machine accel=kvm "$@"
> $ ldd /usr/bin/qemu-system-x86_64
> libGLESv2.so.2 => /usr/lib64/nvidia/libGLESv2.so.2 (0x00007fe33dae6000)
> libEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)

This will be the cause of the problem. The closed source / proprietary nvidia drivers have replaced the mesa GL libraries with their own versions. These libraries are known to require execmem. Despite the fact that QEMU will not actually use this GL functionality, merely having the nvidia libraries linked into the address space is enough to trigger the execmem errors.

There's not really anything libvirt/qemu can do about this, and we certainly don't want to allow this in the default policy for sVirt. So anyone with nvidia drivers pretty much just has to run

#sudo setsebool -P virt_use_execmem=1

Perhaps setroubleshoot could look for the presence of the nvidia libraries and provide a suitable message to users in this case.
This was previously reported many times - most recent I remember is https://bugzilla.redhat.com/show_bug.cgi?id=1159823
Is this something we should dontaudit by default, or at least add a boolean to dontaudit.
(In reply to Daniel Walsh from comment #21)
> Is this something we should dontaudit by default, or at least add a boolean
> to dontaudit.

I think it certainly *should* be audited by default, as in general it could be a sign of something seriously wrong and thus I think admins should see it. I don't see much point in a boolean for dontaudit - nvidia users might as well use the existing warning to permit execmem.
OK, then we should work on the text in setroubleshoot, or work on a plugin that can detect the presence of nvidia to tell the user what is going on.
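The detection proposed in the last few comments, parsing the execmem AVC record shown in comment #11 and then looking for the nvidia GL libraries in the denied qemu process, as an added example that is not setroubleshoot's own plugin code. The AVC record and the two ldd listings are constructed samples modelled on this report; on a live system the listing would come from `ldd` on the qemu binary or from `/proc/<pid>/maps` of the denied process.

```python
"""Diagnose the 'qemu execmem denial caused by nvidia libraries' case.

Added example, not setroubleshoot's or libvirt's code. It parses an AVC
record of the shape shown in this bug, confirms it is an execmem denial on a
qemu process in an svirt domain, then checks the process's linked libraries
for the proprietary nvidia GL stack that is known to require execmem.
"""
import re

# Constructed sample: an AVC record in the shape reported in this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1449586668.433:5031): avc:  denied  { execmem }  for  '
    'pid=21265 comm="qemu-system-x86" '
    'scontext=system_u:system_r:svirt_t:s0:c390,c401 '
    'tcontext=system_u:system_r:svirt_t:s0:c390,c401 tclass=process permissive=0'
)

# Constructed samples: trimmed `ldd /usr/bin/qemu-system-x86_64` listings,
# one with the nvidia GL libraries and one with the mesa ones.
SAMPLE_LDD_NVIDIA = """\
\tlinux-vdso.so.1 (0x00007ffc325e6000)
\tlibGL.so.1 => /usr/lib64/nvidia/libGL.so.1 (0x00007fe33dcf9000)
\tlibEGL.so.1 => /usr/lib64/nvidia/libEGL.so.1 (0x00007fe33d5e3000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007fe32fea3000)
"""
SAMPLE_LDD_MESA = """\
\tlinux-vdso.so.1 (0x00007ffc325e6000)
\tlibGL.so.1 => /lib64/libGL.so.1 (0x00007fe33dcf9000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007fe32fea3000)
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Path fragments that identify the closed-source nvidia GL stack named in this bug.
NVIDIA_MARKERS = ('/nvidia/', 'libnvidia-')


def parse_avc(record):
    """Return the denied permissions and key=value fields of an AVC record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def is_qemu_execmem_denial(avc):
    """True for an execmem denial on a qemu process running in an svirt domain."""
    if not avc or 'execmem' not in avc['perms'] or avc.get('tclass') != 'process':
        return False
    ctx = avc.get('scontext', '').split(':')
    source_type = ctx[2] if len(ctx) > 2 else ''
    return source_type.startswith('svirt') and avc.get('comm', '').startswith('qemu')


def nvidia_libs(ldd_output):
    """Return the resolved library paths in an ldd listing that come from nvidia."""
    found = []
    for line in ldd_output.splitlines():
        if '=>' not in line:
            continue  # vdso, the dynamic loader, or 'not a dynamic executable'
        path = line.split('=>', 1)[1].split('(')[0].strip()
        if any(marker in path for marker in NVIDIA_MARKERS):
            found.append(path)
    return found


def diagnose(record, ldd_output):
    """Classify a record as 'nvidia', 'unexplained-execmem' or 'other'.

    'unexplained-execmem' is the case the thread says admins should still see:
    a qemu execmem denial with no nvidia library to account for it.
    """
    avc = parse_avc(record)
    if not is_qemu_execmem_denial(avc):
        return 'other', []
    libs = nvidia_libs(ldd_output)
    return ('nvidia' if libs else 'unexplained-execmem'), libs


if __name__ == '__main__':
    for listing in (SAMPLE_LDD_NVIDIA, SAMPLE_LDD_MESA):
        verdict, libs = diagnose(SAMPLE_AVC, listing)
        print(verdict, libs)
```

The split between `nvidia` and `unexplained-execmem` follows the position taken in this thread: the nvidia case gets a message pointing at `virt_use_execmem`, while an execmem denial with no nvidia library present stays a visible audit event rather than being silenced.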
Description of problem:
Download the latest Manjaro ISO and load it up in Boxes app.

Version-Release number of selected component: selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.5-300.fc23.x86_64
type: libreport

Description of problem:
Just launched a virtual machine with GNOME Boxes.

Version-Release number of selected component: selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.5-300.fc23.x86_64
type: libreport

Description of problem:
Ran gnome-boxes. SELinux Troubleshooter came up.

Version-Release number of selected component: selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.3-300.fc23.x86_64
type: libreport

Description of problem:
Starting VM with virt-manager

Version-Release number of selected component: selinux-policy-3.13.1-158.9.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.5-300.fc23.x86_64
type: libreport

Description of problem:
Starting VM in virt-manager.

Version-Release number of selected component: selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.6-301.fc23.x86_64
type: libreport
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.