Bug 1299805 - selinux prevents virtlogd to start
Status: CLOSED DUPLICATE of bug 1291940
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-19 05:04 EST by Elvir Kuric
Modified: 2016-01-19 09:04 EST
Doc Type: Bug Fix
Last Closed: 2016-01-19 09:04:43 EST
Type: Bug


Description Elvir Kuric 2016-01-19 05:04:12 EST
Description of problem:

# virsh start <domain> 
will fail with
--
error: Failed to start domain dnsnode1
error: Failed to connect socket to '/var/run/libvirt/virtlogd-sock': No such file or directory

-- 
Version-Release number of selected component (if applicable):

# rpm -qa | egrep 'selinux|libvirt' 
libvirt-python-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-lxc-1.3.0-1.fc24.x86_64
libvirt-daemon-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-uml-1.3.0-1.fc24.x86_64
libvirt-daemon-kvm-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-network-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-qemu-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-secret-1.3.0-1.fc24.x86_64
selinux-policy-3.13.1-166.fc24.noarch
libvirt-glib-0.2.3-1.fc24.x86_64
libvirt-daemon-config-network-1.3.0-1.fc24.x86_64
libvirt-1.3.0-1.fc24.x86_64
libselinux-utils-2.4-7.fc24.x86_64
libvirt-daemon-driver-libxl-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-nwfilter-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-xen-1.3.0-1.fc24.x86_64
libvirt-client-1.3.0-1.fc24.x86_64
libselinux-2.4-7.fc24.x86_64
docker-selinux-1.10.0-12.gitc3726aa.fc24.x86_64
libvirt-daemon-driver-nodedev-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-vbox-1.3.0-1.fc24.x86_64
rpm-plugin-selinux-4.13.0-0.rc1.16.fc24.x86_64
selinux-policy-targeted-3.13.1-166.fc24.noarch
libselinux-python-2.4-7.fc24.x86_64
libvirt-daemon-driver-interface-1.3.0-1.fc24.x86_64
libselinux-devel-2.4-7.fc24.x86_64
libvirt-daemon-driver-storage-1.3.0-1.fc24.x86_64
libselinux-python3-2.4-7.fc24.x86_64
rubygem-ruby-libvirt-0.6.0-2.fc24.x86_64
libselinux-2.4-7.fc24.i686
libvirt-daemon-config-nwfilter-1.3.0-1.fc24.x86_64


uname -a
Linux e-makina 4.4.0-1.fc24.x86_64 #1 SMP Mon Jan 11 16:48:24 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


and latest 

dnf update -y 


How reproducible:

I guess Fedora rawhide is affected by this; boot Fedora rawhide with kvm/libvirt and check whether virtlogd is started after boot / try to start the virtlogd service

Actual results:

virtlogd service fails to start 

Expected results:

virtlogd service to start 

Additional info:

# journalctl -u virtlogd

Jan 19 10:40:14 e-makina systemd[1]: Dependency failed for Virtual machine log manager.
Jan 19 10:40:14 e-makina systemd[1]: virtlogd.service: Job virtlogd.service/start failed with result 'dependency'.
Jan 19 10:41:07 e-makina systemd[1]: Dependency failed for Virtual machine log manager.
Jan 19 10:41:07 e-makina systemd[1]: virtlogd.service: Job virtlogd.service/start failed with result 'dependency'.


# grep virtlog audit.log
type=AVC msg=audit(1451894308.816:700): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1451894308.835:701): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1451926138.841:2156): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1451926138.842:2157): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1452174934.886:1282): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452174934.900:1283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452184007.338:1643): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246753.636:831): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452246761.561:835): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246761.580:836): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452246763.160:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246763.181:838): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452271456.125:1839): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452271456.125:1840): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452504565.662:747): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'



# setenforce 0 ; systemctl start virtlogd ; virsh start <domain> -- works 
# setenforce 1 ; - now possible to start new domains. I think selinux is preventing virtlog from binding to the sockets it needs
Comment 1 Lukas Vrabec 2016-01-19 09:04:43 EST

*** This bug has been marked as a duplicate of bug 1291940 ***
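
Added example, not part of the bug report: a Python parser for AVC records in the format of the audit.log excerpt in the description, grouping denials by source type, target type, class and permission while keeping the permissive flag separate. The first two sample records use the values shown in the report; the permissive=0 record and the shortened SERVICE_START record are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): '
                    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # SELinux contexts are user:role:type:level; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields.get('tclass'),
        'path': fields.get('path'),
        # permissive=1: logged only, the access went ahead. permissive=0: blocked.
        'blocked': fields.get('permissive') == '0',
    }

def summarize(lines):
    """Count denials per (source type, target type, class, permission, blocked)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(rec['source_type'], rec['target_type'],
                        rec['tclass'], perm, rec['blocked'])] += 1
    return counts

_AVC = ('type=AVC msg=audit({}): avc:  denied  {{ listen }} for  pid=1 comm="systemd" '
        'path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 '
        'tcontext=system_u:system_r:unconfined_service_t:s0 '
        'tclass=unix_stream_socket permissive={}')
SAMPLE = [
    _AVC.format('1451894308.816:700', 1),   # values as in the report
    _AVC.format('1452174934.886:1282', 1),  # values as in the report
    _AVC.format('1452300000.000:1', 0),     # constructed: same denial while enforcing
    "type=SERVICE_START msg=audit(1451894308.835:701): pid=1 uid=0 "
    "msg='unit=virtlogd comm=\"systemd\" res=success'",  # constructed, shortened non-AVC record
]
```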
