Bug 1293722 - need selinux policy for new libvirt daemon virtlogd
Status: CLOSED DUPLICATE of bug 1291940
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-22 15:36 EST by Giulio 'juliuxpigface'
Modified: 2016-01-20 09:50 EST
Doc Type: Bug Fix
Last Closed: 2016-01-20 09:50:01 EST
Type: Bug

Attachments
output of "# journalctl -b 0 -u virtlogd.socket" (399 bytes, text/plain), 2015-12-22 15:36 EST, Giulio 'juliuxpigface'

Description Giulio 'juliuxpigface' 2015-12-22 15:36:58 EST
Created attachment 1108703
output of "# journalctl -b 0 -u virtlogd.socket"

Description of problem:
Every time I start a qemu-kvm guest (which contains Fedora 20151218 Rawhide - Workstation), I see that unit failing.

Version-Release number of selected component (if applicable):
libvirt-daemon-1.3.0-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 20151218 (installed on a qemu-kvm x86_64 guest).
2. Log in.
3. Read the output of "# systemctl --all --failed".

Actual results:
The unit "virtlogd.socket" fails.

Expected results:
The unit "virtlogd.socket" should not fail.

Additional info:
I'm attaching the output of "# journalctl -b 0 -u virtlogd.socket"
Comment 1 Daniel Berrange 2015-12-23 04:46:34 EST
Can you say if you have SELinux enabled, and if so provide the /var/log/audit/audit.log file contents after boot.
Comment 2 Kohei Takahashi 2016-01-05 09:49:22 EST
The following module avoids this issue. I hope that will help you.

```
module bug1293722 1;

require {
    type iptables_t;
    type firewalld_tmpfs_t;
    type unconfined_service_t;
    type init_t;
    class file { read write };
    class unix_stream_socket { create setopt bind listen };
}

# iptables reading/writing firewalld's tmpfs files
allow iptables_t firewalld_tmpfs_t:file { read write };
# systemd (init_t) setting up the listening socket on behalf of a service
# that runs as unconfined_service_t
allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
```
Comment 3 Cole Robinson 2016-01-15 14:40:08 EST
(In reply to Kohei Takahashi from comment #2)
> Following module avoids this issue. I hope that will help you.
> 
> ```
> module bug1293722 1;
> 
> require {
>     type iptables_t;
>     type firewalld_tmpfs_t;
>     type unconfined_service_t;
>     type init_t;
>     class file { read write };
>     class unix_stream_socket { create setopt bind listen };
> }
> 
> allow iptables_t firewalld_tmpfs_t:file { read write };
> allow init_t unconfined_service_t:unix_stream_socket { create setopt bind listen };
> ```

I don't know why the firewall bits are in there; virtlogd shouldn't be touching that stuff. Definitely needs the unix bits though. Here are the AVCs I get:

type=AVC msg=audit(1452886623.735:766): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
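Worked example (added by the editor; this is not code from the bug report, from libvirt or from selinux-policy): the step that turns the AVC lines in comment 3 into the allow rule in comment 2, which is what `audit2allow` does. The four denials below are copied verbatim from comment 3 and the SERVICE_START line is included to show that non-AVC records are skipped; the module name `virtlogd_avc` and all function names are this example's own choices. Running it on comment 3's log produces only the `unix_stream_socket` rule and no `iptables_t` rule, which matches Cole's observation that the firewall bits came from some other denial. Note that the generated rule lets `init_t` create and bind sockets for every service that runs as `unconfined_service_t`, not just virtlogd; that is a workaround for a daemon with no policy, not a substitute for giving the daemon its own confined domain.

```python
"""Turn SELinux AVC denials into a minimal policy module (the audit2allow step).

Added example; not code from the bug report or from selinux-policy.  The
sample records are copied from comment 3 of bug 1293722.  The module name
'virtlogd_avc' and the function names are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: the records from comment 3, verbatim.
SAMPLE_AVC = """\
type=AVC msg=audit(1452886623.735:766): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:767): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:768): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1452886623.735:769): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452886623.738:770): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# One AVC denial record: the braces hold one or more permissions, then the
# source/target security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """user:role:type:level -> type, the only field an allow rule names."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, permissive) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START and other record types are not denials
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], tuple(m['perms'].split()), m['permissive'] == '1')


def collect_rules(text):
    """Merge permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_avcs(text):
        rules[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in rules.items()}


def render_module(rules, name='virtlogd_avc', version='1.0'):
    """Render .te source suitable for checkmodule -M -m / semodule_package."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f'    class {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f'allow {src} {tgt}:{cls} {{ {" ".join(perms)} }};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module(collect_rules(SAMPLE_AVC)))
```

The output for comment 3's records is a single rule, `allow init_t unconfined_service_t:unix_stream_socket { bind create listen setopt };`, with a matching `require` block. Before loading such a module with `semodule -i`, check that the target type is the one you intend: `unconfined_service_t` here is a catch-all for unpoliced daemons, so the rule is broader than "systemd may open virtlogd's socket".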
Comment 4 Lukas Vrabec 2016-01-20 09:50:01 EST
Hi, 

The rule related to iptables is a different issue in SELinux. The other troubles are fixed now. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1291940 ***
