Bug 1401715 - virsh/libvirt problems with selinux
Summary: virsh/libvirt problems with selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-12-05 23:05 UTC by Robin Powell
Modified: 2017-02-07 16:37 UTC (History)

Fixed In Version: selinux-policy-3.13.1-191.24.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-02 20:50:55 UTC



Description Robin Powell 2016-12-05 23:05:52 UTC
I'm not in a position to upgrade this box, so my apologies if this has already been handled, but:

On an F24 box with unconfined disabled, this:

$ sudo virsh start vrici
error: Failed to start domain vrici
error: Failed to recv file descriptor: Permission denied

Generates this:


type=AVC msg=audit(1480978952.178:3957): avc:  denied  { rlimitinh } for  pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978952.178:3958): avc:  denied  { siginh } for  pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978952.178:3959): avc:  denied  { noatsecure } for  pid=13405 comm="numad" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1480978954.213:3960): avc:  denied  { write } for  pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.214:3961): avc:  denied  { wake_alarm } for  pid=1339 comm="systemd-udevd" capability=35  scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability2 permissive=1
type=AVC msg=audit(1480978954.327:3965): avc:  denied  { getattr } for  pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.379:3970): avc:  denied  { ioctl } for  pid=13420 comm="grep" path="pipe:[680258]" dev="pipefs" ino=680258 ioctlcmd=0x5401 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1

type=AVC msg=audit(1480978954.621:3971): avc:  denied  { write } for  pid=13410 comm="qemu-system-x86" name="memfd:test" dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480978954.621:3972): avc:  denied  { read } for  pid=13410 comm="qemu-system-x86" path=2F6D656D66643A74657374202864656C6574656429 dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
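
As an added example (not part of the bug report or of selinux-policy), a small Python triage helper for AVC records like the ones above: it parses the key=value fields, decodes the hex-encoded path auditd emits when a value contains spaces (the memfd line), groups denied permissions by source type, target type and class the way audit2allow summarises them, and notes that permissive=1 means the access was only logged, not blocked. The sample records are copied from the report above.

```python
import re
from collections import defaultdict

# Three AVC records quoted from the report above (same pids, inodes and contexts).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480978954.213:3960): avc:  denied  { write } for  pid=2088 comm="libvirtd" path="pipe:[680258]" dev="pipefs" ino=680258 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.379:3970): avc:  denied  { ioctl } for  pid=13420 comm="grep" path="pipe:[680258]" dev="pipefs" ino=680258 ioctlcmd=0x5401 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
type=AVC msg=audit(1480978954.621:3972): avc:  denied  { read } for  pid=13410 comm="qemu-system-x86" path=2F6D656D66643A74657374202864656C6574656429 dev="tmpfs" ino=673769 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# auditd hex-encodes these fields (and leaves them unquoted) when the value has spaces or quotes.
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}

def decode_value(key, quoted, raw):
    # Only decode hex for fields auditd actually encodes; ino=680258 must stay a number.
    if quoted is not None:
        return quoted
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": set(m.group("perms").split())}
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group(1)] = decode_value(f.group(1), f.group(2), f.group(3))
    return rec

def type_of(context):
    """system_u:system_r:virtd_t:s0-s0:c0.c1023 -> virtd_t"""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> sorted denied perms; also say if any were permissive."""
    rules = defaultdict(set)
    permissive = False
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
        permissive |= rec.get("permissive") == "1"  # logged only, not enforced
    return {k: sorted(v) for k, v in rules.items()}, permissive
```

Running summarize(SAMPLE_AUDIT) yields one fifo_file rule for virtd_t -> virtlogd_t with both write and ioctl, and one file rule for virtd_t -> tmpfs_t; the decoded memfd path reads "/memfd:test (deleted)".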

Comment 1 Robin Powell 2017-01-02 09:31:14 UTC
Do you need any additional input here?

Comment 2 Daniel Walsh 2017-01-04 18:23:40 UTC
I think https://github.com/fedora-selinux/selinux-policy/pull/179 will fix your issue.

Comment 3 Lukas Vrabec 2017-01-06 12:32:50 UTC
Thanks Dan.

Comment 4 Fedora Update System 2017-01-09 14:03:13 UTC
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 5 Fedora Update System 2017-01-10 03:23:39 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 6 Fedora Update System 2017-02-02 20:50:55 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Robin Powell 2017-02-07 16:37:46 UTC
Confirmed working.  Thanks!

