Bug 1329291 - SELinux is preventing virtlogd from 'open' accesses on the file /proc/<pid>/stat.
Summary: SELinux is preventing virtlogd from 'open' accesses on the file /proc/<pid>/s...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7dc1abc4f2e6eda548ad11728b9...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-21 14:33 UTC by Cole Robinson
Modified: 2016-04-22 07:46 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-22 07:46:40 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Cole Robinson 2016-04-21 14:33:19 UTC 
Description of problem:
This happens at VM startup... generic libvirt infrastructure wants to get the process start time of the client pid that is passing us an fd over unix socket, since it's used in some cases (like with polkit). The polkit bit doesn't apply to virtlogd but I figure it's harmless enough anyways. The pid in this case is libvirtd which is the only virtlogd client

SELinux is preventing virtlogd from 'open' accesses on the file /proc/<pid>/stat.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that virtlogd should be allowed open access on the stat file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c virtlogd --raw | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                /proc/<pid>/stat [ file ]
Source                        virtlogd
Source Path                   virtlogd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-182.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.5.1-300.fc24.x86_64 #1 SMP Tue
                              Apr 12 18:55:06 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-04-21 10:23:11 EDT
Last Seen                     2016-04-21 10:23:39 EDT
Local ID                      64e6a035-82a3-4306-98bf-e9478946e008

Raw Audit Messages
type=AVC msg=audit(1461248619.426:2047): avc:  denied  { open } for  pid=19218 comm="virtlogd" path="/proc/17098/stat" dev="proc" ino=2227275 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1


Hash: virtlogd,virtlogd_t,unconfined_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-182.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.1-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
Comment 1 Cole Robinson 2016-04-21 14:35:43 UTC 
Part of the problem was that I was running libvirtd manually from git, which is why proc label is unconfined_t. Normally libvirtd is running as virtd, which doesn't cause selinux violations. Not sure what do here then...
Comment 2 Lukas Vrabec 2016-04-22 07:46:40 UTC 
Hi Cole, 

Problem here is like you write in comment 1. You need to start virtd properly to have proper label on virtd. 

Closing this as NOTABUG.
Note You need to log in before you can comment on or make changes to this bug.