Hide Forgot
+++ This bug was initially created as a clone of Bug #1245323 +++ SELinux is preventing spice-vdagent from 'getattr' accesses on the chr_file /dev/vport1p2. Steps to reproduce: 1. Install Fedora-Live-Workstation-x86_64-23-20150717.iso via virt-manager 2. Boot the qemu-kvm guest 3. Open the appropriate utility in order to look for SELinux' warnings Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:virtio_device_t:s0 Target Objects /dev/vport1p2 [ chr_file ] Source spice-vdagent Source Path spice-vdagent Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-136.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.2.0-0.rc2.git1.1.fc23.x86_64 #1 SMP Wed Jul 15 16:09:32 UTC 2015 x86_64 x86_64 Alert Count 3 First Seen 2015-07-19 22:08:56 CEST Last Seen 2015-07-21 20:07:28 CEST Local ID 89a0831c-ec58-40db-8497-69434d679732 Raw Audit Messages type=AVC msg=audit(1437502048.484:501): avc: denied { getattr } for pid=1400 comm="spice-vdagent" path="/dev/vport1p2" dev="devtmpfs" ino=10376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0 Hash: spice-vdagent,xdm_t,virtio_device_t,chr_file,getattr
It happens in RHEL7.3 so cloning, it blocks spice-vdagent from running in gdm - bug 1271267 SELinux is preventing /usr/bin/spice-vdagent from getattr access on the chr_file /dev/vport1p2. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that spice-vdagent should be allowed getattr access on the vport1p2 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep spice-vdagent /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:virtio_device_t:s0 Target Objects /dev/vport1p2 [ chr_file ] Source spice-vdagent Source Path /usr/bin/spice-vdagent Port <Unknown> Host localhost.localdomain Source RPM Packages spice-vdagent-0.14.0-10.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name localhost.localdomain Platform Linux localhost.localdomain 3.10.0-356.el7.x86_64 #1 SMP Tue Mar 1 19:37:52 EST 2016 x86_64 x86_64 Alert Count 61 First Seen 2016-01-13 11:39:23 CET Last Seen 2016-03-11 19:25:35 CET Local ID 4146f6fe-6c85-430e-ba32-da4c764c204c Raw Audit Messages type=AVC msg=audit(1457720735.952:380): avc: denied { getattr } for pid=2516 comm="spice-vdagent" path="/dev/vport1p2" dev="devtmpfs" ino=8296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1457720735.952:380): arch=x86_64 syscall=stat success=yes exit=0 a0=409bd0 a1=7ffeca54c510 a2=7ffeca54c510 a3=7ffeca54c200 items=0 ppid=2489 pid=2516 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=spice-vdagent exe=/usr/bin/spice-vdagent subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: spice-vdagent,xdm_t,virtio_device_t,chr_file,getattr
I believe this bug is a duplicate of BZ#1249020.
*** This bug has been marked as a duplicate of bug 1249020 ***