Hide Forgot
Description of problem: vdsm requires access to lldpad's information, but SELinux does not allow lldpad to send the information. SELinux is preventing /usr/sbin/lldpad from sendto access on the unix_dgram_socket @/com/intel/lldpad/11440. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lldpad should be allowed sendto access on the 11440 unix_dgram_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'lldpad' --raw | audit2allow -M my-lldpad # semodule -i my-lldpad.pp Additional Information: Source Context system_u:system_r:lldpad_t:s0 Target Context system_u:system_r:virtd_t:s0-s0:c0.c1023 Target Objects @/com/intel/lldpad/11440 [ unix_dgram_socket ] Source lldpad Source Path /usr/sbin/lldpad Port <Unknown> Host <Unknown> Source RPM Packages lldpad-1.0.1-3.git036e314.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name selinuxtest Platform Linux selinuxtest 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 Alert Count 10 First Seen 2017-07-19 10:36:26 CEST Last Seen 2017-07-19 10:47:01 CEST Local ID 9ac73daa-d7e3-4650-92e8-602820c3d1d8 Raw Audit Messages type=SYSCALL msg=audit(1500454021.369:315): arch=x86_64 syscall=sendto success=no exit=EACCES a0=3 a1=7f82973bfb10 a2=28 a3=0 items=0 ppid=1 pid=10901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) type=AVC msg=audit(1500454021.369:315): avc: denied { sendto } for pid=10901 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3131343430 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket Hash: lldpad,lldpad_t,virtd_t,unix_dgram_socket,sendto
Yes, it blocks the linked RFE.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763