Created attachment 1108703 [details]
output of "# journalctl -b 0 -u virtlogd.socket"

Description of problem:
Every time I start a qemu-kvm guest (which contains Fedora 20151218 Rawhide - Workstation), I see that unit failing.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.3.0-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 20151218 (installed on a qemu-kvm x86_64 guest).
2. Log in.
3. Read the output of "# systemctl --all --failed".

Actual results:
The unit "virtlogd.socket" fails.

Expected results:
The unit "virtlogd.socket" should not fail.

Additional info:
I'm attaching the output of "# journalctl -b 0 -u virtlogd.socket".
Can you say if you have SELinux enabled, and if so provide the /var/log/audit/audit.log file contents after boot.
The following module avoids this issue. I hope that will help you.

```
module bug1293722 1;

require {
	type iptables_t;
	type firewalld_tmpfs_t;
	type unconfined_service_t;
	type init_t;
	class file { read write };
	class unix_stream_socket { create setopt bind listen };
}

# firewalld/iptables file access
allow iptables_t firewalld_tmpfs_t:file { read write };

# systemd (init_t) creating and listening on the virtlogd socket
allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
```
(In reply to Kohei Takahashi from comment #2)
> The following module avoids this issue. I hope that will help you.
>
> ```
> module bug1293722 1;
>
> require {
> 	type iptables_t;
> 	type firewalld_tmpfs_t;
> 	type unconfined_service_t;
> 	type init_t;
> 	class file { read write };
> 	class unix_stream_socket { create setopt bind listen };
> }
>
> allow iptables_t firewalld_tmpfs_t:file { read write };
> allow init_t unconfined_service_t:unix_stream_socket { create setopt bind
> listen };
> ```

I don't know why the firewall bits are in there, virtlogd shouldn't be touching that stuff. Definitely needs the unix bits though. Here are the AVCs I get:

type=AVC msg=audit(1452886623.735:766): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc: denied { listen } for pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
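As an added example (not part of this bug report, libvirt, or the SELinux reference policy), the script below does by hand what audit2allow does for the AVC records in the comment above: it parses each `type=AVC ... avc: denied` record, reduces the source and target contexts to their type fields, merges the denied permissions per (source type, target type, class), and renders a minimal `.te` module with the `require` block those rules need. The AVC sample is copied from the comment above; the module name is a placeholder. It also keeps the `permissive=` flag so a reader can tell whether the denials were actually enforced, which matters when deciding whether a local module is an urgent workaround or whether to wait for the distribution policy fix the maintainer points to.

```python
import re
from collections import defaultdict

# AVC records copied from the bug report comment above. The SERVICE_START
# record is included deliberately so the parser shows it skipping non-AVC lines.
AVC_SAMPLE = """\
type=AVC msg=audit(1452886623.735:766): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc: denied { listen } for pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# One AVC denial record: the permission set in braces, then the source and
# target security contexts, the object class and (optionally) permissive flag.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scon>\S+)'
    r'.*?\btcontext=(?P<tcon>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(text: str) -> list:
    """Parse audit output into one dict per AVC denial; other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # e.g. SERVICE_START, USER_AVC, or an unparseable line
        denials.append({
            'stype': context_type(m.group('scon')),
            'ttype': context_type(m.group('tcon')),
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split()),
            # permissive=1 means the access was logged but still allowed
            'permissive': m.group('permissive') == '1',
        })
    return denials


def denials_to_rules(denials: list) -> list:
    """Merge denials into (source, target, class, perms) tuples, one per allow rule."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [(s, t, c, tuple(sorted(p))) for (s, t, c), p in sorted(merged.items())]


def render_module(name: str, rules: list) -> str:
    """Render a .te module (module header, require block, allow rules)."""
    types = sorted({x for s, t, _, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for _, _, c, perms in rules:
        classes[c] |= set(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(perms)} }};' for s, t, c, perms in rules]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    denials = parse_avc(AVC_SAMPLE)
    enforced = [d for d in denials if not d['permissive']]
    print(f'# {len(denials)} AVC denials parsed, {len(enforced)} of them enforced')
    print(render_module('bug1293722_local', denials_to_rules(denials)))  # placeholder module name
```

The output for the records above is a single `allow init_t unconfined_service_t:unix_stream_socket { bind create listen setopt };` rule, the same "unix bits" the maintainer says are needed, with no iptables or firewalld types in the `require` block because nothing in those records mentions them. To build and load such a module locally you would still run the rendered text through `checkmodule -M -m` and `semodule_package`, and treat the result as a stopgap until the distribution policy (the duplicate bug referenced in the next comment) ships the proper rule.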
Hi,

The rule related to iptables is a different issue in SELinux. The other troubles are fixed now. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1291940 ***