Description of problem:
Component qemu-guest-agent is installed and its associated service is running. From the hypervisor, service responses have been tested using the virsh command; IP addresses have also been queried.

SELinux is preventing qemu-ga from 'read' accesses on the file dev.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-ga should be allowed read access on the dev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -X 300 -i my-qemuga.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                dev [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           filesystem-3.8-2.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.14-300.fc28.x86_64 #1 SMP Tue Jun 5 16:23:44 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-06-17 21:35:25 CEST
Last Seen                     2018-06-17 21:35:25 CEST
Local ID                      cb9bfb25-d70f-4349-b998-44264ed3575d

Raw Audit Messages
type=AVC msg=audit(1529264125.701:221): avc: denied { read } for pid=638 comm="qemu-ga" name="dev" dev="proc" ino=4026532013 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

Hash: qemu-ga,virt_qemu_ga_t,proc_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.14-300.fc28.x86_64
type:           libreport
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Still seeing this w/ selinux-policy-3.14.1-40.fc28.noarch

SELinux is preventing qemu-ga from read access on the file dev.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-ga should be allowed read access on the dev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -X 300 -i my-qemuga.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                dev [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          fedorashell
Source RPM Packages
Target RPM Packages           filesystem-3.8-2.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-40.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedorashell
Platform                      Linux fedorashell 4.17.14-202.fc28.x86_64 #1 SMP Wed Aug 15 12:29:25 UTC 2018 x86_64 x86_64
Alert Count                   65124
First Seen                    2018-08-17 13:30:39 EDT
Last Seen                     2018-09-09 10:16:05 EDT
Local ID                      f5489cc8-6995-4cf4-bfc4-b75a82a74653

Raw Audit Messages
type=AVC msg=audit(1536502565.78:15568): avc: denied { read } for pid=771 comm="qemu-ga" name="dev" dev="proc" ino=4026532012 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

Hash: qemu-ga,virt_qemu_ga_t,proc_net_t,file,read
https://github.com/fedora-selinux/selinux-policy-contrib/commit/6d09cc386040719b40517b9b8311ca40ea6741b0
selinux-policy-3.14.1-44.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5e18426088
selinux-policy-3.14.1-44.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.