Bug 1293722 - need selinux policy for new libvirt daemon virtlogd
Summary: need selinux policy for new libvirt daemon virtlogd
Keywords:
Status: CLOSED DUPLICATE of bug 1291940
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-22 20:36 UTC by Giulio 'juliuxpigface'
Modified: 2016-01-20 14:50 UTC (History)
CC: 19 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-20 14:50:01 UTC
Type: Bug


Attachments
output of "# journalctl -b 0 -u virtlogd.socket" (399 bytes, text/plain), 2015-12-22 20:36 UTC, Giulio 'juliuxpigface'

Description Giulio 'juliuxpigface' 2015-12-22 20:36:58 UTC
Created attachment 1108703
output of "# journalctl -b 0 -u virtlogd.socket"

Description of problem:
Every time I start a qemu-kvm guest (which contains Fedora 20151218 Rawhide - Workstation), I see that unit failing.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.3.0-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 20151218 (installed on a qemu-kvm x86_64 guest).
2. Log in.
3. Read the output of "# systemctl --all --failed".

Actual results:
The unit "virtlogd.socket" fails.

Expected results:
The unit "virtlogd.socket" should not fail.

Additional info:
I'm attaching the output of "# journalctl -b 0 -u virtlogd.socket"

Comment 1 Daniel Berrangé 2015-12-23 09:46:34 UTC
Can you say if you have SELinux enabled, and if so provide the /var/log/audit/audit.log file contents after boot?

Comment 2 Kohei Takahashi 2016-01-05 14:49:22 UTC
The following module avoids this issue. I hope that will help you.

```
module bug1293722 1;

require {
    type iptables_t;
    type firewalld_tmpfs_t;
    type unconfined_service_t;
    type init_t;
    class file { read write };
    class unix_stream_socket { create setopt bind listen };
}

allow iptables_t firewalld_tmpfs_t:file { read write };
allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
```

Comment 3 Cole Robinson 2016-01-15 19:40:08 UTC
(In reply to Kohei Takahashi from comment #2)
> Following module avoids this issue. I hope that will help you.
> 
> ```
> module bug1293722 1;
> 
> require {
>     type iptables_t;
>     type firewalld_tmpfs_t;
>     type unconfined_service_t;
>     type init_t;
>     class file { read write };
>     class unix_stream_socket { create setopt bind listen };
> }
> 
> allow iptables_t firewalld_tmpfs_t:file { read write };
> allow init_t unconfined_service_t:unix_stream_socket { create setopt bind
> listen };
> ```

I don't know why the firewall bits are in there, virtlogd shouldn't be touching that stuff. Definitely needs the unix bits though. Here are the AVCs I get:

type=AVC msg=audit(1452886623.735:766): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
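
The discussion above turns on one question: which of the rules in comment 2's module are actually justified by the denials in comment 3? The following script is an added example, not code from the bug report or from the libvirt or selinux-policy projects. It does, by hand, the core of what `audit2allow` does: it parses the AVC lines (copied verbatim from comment 3 as a constructed sample), collapses them into `allow` rules keyed by source type, target type and object class, and then diffs comment 2's module against those observed denials so that any rule with no supporting AVC stands out. Names such as `parse_denials` and `unjustified_rules` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records and the SERVICE_START record
# quoted in comment 3. The SERVICE_START line is not a denial and must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1452886623.735:766): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# The policy module posted in comment 2, used here as the module under review.
COMMENT2_MODULE = """\
allow iptables_t firewalld_tmpfs_t:file { read write };
allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
"""

# One AVC denial record: the permission set, both security contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# One allow rule in a .te module: allow SRC TGT:CLASS { perm ... };
ALLOW_RE = re.compile(r'allow (\S+) (\S+):(\S+) \{ ([^}]+) \};')


def domain_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def parse_denials(text):
    """Collapse AVC denials into {(source_type, target_type, tclass): {perms}}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SERVICE_START)
        key = (domain_type(m['scontext']), domain_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)


def allow_rules(denials):
    """Render the minimal allow rules that cover the observed denials."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]


def parse_module(te_text):
    """Read the allow rules of a .te module into the same keyed form."""
    return {(m[1], m[2], m[3]): set(m[4].split()) for m in ALLOW_RE.finditer(te_text)}


def unjustified_rules(module_rules, denials):
    """Return (key, extra_perms) for every module rule the denials do not require.

    A rule that grants more than the audit log shows is a candidate for removal:
    over-broad policy is exactly what the review in comment 3 objected to.
    """
    unjustified = []
    for key, perms in module_rules.items():
        extra = perms - denials.get(key, set())
        if extra:
            unjustified.append((key, extra))
    return unjustified


if __name__ == "__main__":
    observed = parse_denials(SAMPLE_AUDIT)
    print("Rules required by the audit log:")
    for rule in allow_rules(observed):
        print("  " + rule)
    print("Rules in comment 2's module with no supporting AVC:")
    for (src, tgt, cls), extra in unjustified_rules(parse_module(COMMENT2_MODULE), observed):
        print(f"  {src} -> {tgt}:{cls} {sorted(extra)}")
```

Run against the sample, the script derives the single `init_t` / `unconfined_service_t` / `unix_stream_socket` rule and flags the `iptables_t` rule as unsupported, which is the same conclusion comment 4 reaches. Generating rules straight from denials this way is the starting point for a review, not the end of it: the AVCs show systemd (`init_t`) creating a socket labelled `unconfined_service_t`, which in a final policy would normally be addressed by giving virtlogd its own domain and socket type rather than by allowing the transition to an unconfined type.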

Comment 4 Lukas Vrabec 2016-01-20 14:50:01 UTC
Hi,

The rule related to iptables is a different issue in SELinux. The other troubles are fixed now. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1291940 ***
