1299805 – selinux prevents virtlogd to start

Bug 1299805 - selinux prevents virtlogd to start

Summary: selinux prevents virtlogd to start

Keywords:
Status:	CLOSED DUPLICATE of bug 1291940
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-19 10:04 UTC by Elvir Kuric
Modified:	2016-01-19 14:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-19 14:04:43 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Elvir Kuric 2016-01-19 10:04:12 UTC

Description of problem:

# virsh start <domain> 
will fail will 
--
error: Failed to start domain dnsnode1
error: Failed to connect socket to '/var/run/libvirt/virtlogd-sock': No such file or directory

-- 
Version-Release number of selected component (if applicable):

# rpm -qa | egrep 'selinux|libvirt' 
libvirt-python-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-lxc-1.3.0-1.fc24.x86_64
libvirt-daemon-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-uml-1.3.0-1.fc24.x86_64
libvirt-daemon-kvm-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-network-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-qemu-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-secret-1.3.0-1.fc24.x86_64
selinux-policy-3.13.1-166.fc24.noarch
libvirt-glib-0.2.3-1.fc24.x86_64
libvirt-daemon-config-network-1.3.0-1.fc24.x86_64
libvirt-1.3.0-1.fc24.x86_64
libselinux-utils-2.4-7.fc24.x86_64
libvirt-daemon-driver-libxl-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-nwfilter-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-xen-1.3.0-1.fc24.x86_64
libvirt-client-1.3.0-1.fc24.x86_64
libselinux-2.4-7.fc24.x86_64
docker-selinux-1.10.0-12.gitc3726aa.fc24.x86_64
libvirt-daemon-driver-nodedev-1.3.0-1.fc24.x86_64
libvirt-daemon-driver-vbox-1.3.0-1.fc24.x86_64
rpm-plugin-selinux-4.13.0-0.rc1.16.fc24.x86_64
selinux-policy-targeted-3.13.1-166.fc24.noarch
libselinux-python-2.4-7.fc24.x86_64
libvirt-daemon-driver-interface-1.3.0-1.fc24.x86_64
libselinux-devel-2.4-7.fc24.x86_64
libvirt-daemon-driver-storage-1.3.0-1.fc24.x86_64
libselinux-python3-2.4-7.fc24.x86_64
rubygem-ruby-libvirt-0.6.0-2.fc24.x86_64
libselinux-2.4-7.fc24.i686
libvirt-daemon-config-nwfilter-1.3.0-1.fc24.x86_64


uname -a
Linux e-makina 4.4.0-1.fc24.x86_64 #1 SMP Mon Jan 11 16:48:24 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


and latest 

dnf update -y 


How reproducible:

I guess fedora rawhide is affected with this, boot fedora rawhide with kvm/libvirt and check is virtlogd started after boot / try to start virtlogd service 

Actual results:

virtlogd service fails to start 

Expected results:

virtlogd service to start 

Additional info:

# journalctl -u virtlogd

Jan 19 10:40:14 e-makina systemd[1]: Dependency failed for Virtual machine log manager.
Jan 19 10:40:14 e-makina systemd[1]: virtlogd.service: Job virtlogd.service/start failed with result 'dependency'.
Jan 19 10:41:07 e-makina systemd[1]: Dependency failed for Virtual machine log manager.
Jan 19 10:41:07 e-makina systemd[1]: virtlogd.service: Job virtlogd.service/start failed with result 'dependency'.


# grep virtlog audit.log
type=AVC msg=audit(1451894308.816:700): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1451894308.835:701): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1451926138.841:2156): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1451926138.842:2157): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1452174934.886:1282): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/libvirt/virtlogd-sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1452174934.900:1283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452184007.338:1643): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246753.636:831): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452246761.561:835): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246761.580:836): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452246763.160:837): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452246763.181:838): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452271456.125:1839): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1452271456.125:1840): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1452504565.662:747): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtlogd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'



# setenforce 0 ; systemctl start virtlogd ; virsh start <domain> -- works 
# setenforce 1 ; - now possible to start new domains , I think selinux is preventing virtlog to bind on necessary sockets it needs

Comment 1 Lukas Vrabec 2016-01-19 14:04:43 UTC


*** This bug has been marked as a duplicate of bug 1291940 ***

Note You need to log in before you can comment on or make changes to this bug.