Description of problem:
On normal shutdown of VM. Same issue occurs with a ppc VM; both that and this aarch64 VM under KVM on an x86_64 Fedora 28 host. Happens every shutdown.

SELinux is preventing qemu-system-aar from 'search' accesses on the directory 1178.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-system-aar should be allowed search access on the 1178 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-aar' --raw | audit2allow -M my-qemusystemaar
# semodule -X 300 -i my-qemusystemaar.pp

Additional Information:
Source Context                system_u:system_r:svirt_tcg_t:s0:c382,c451
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                1178 [ dir ]
Source                        qemu-system-aar
Source Path                   qemu-system-aar
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.16-300.fc28.x86_64 #1 SMP Sun Jun 17 03:02:42 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-06-24 23:28:10 BST
Last Seen                     2018-06-24 23:28:10 BST
Local ID                      ee18276e-1164-41f5-9ffe-eb1798cf31e2

Raw Audit Messages
type=AVC msg=audit(1529879290.901:81455): avc: denied { search } for pid=8131 comm="qemu-system-aar" name="1178" dev="proc" ino=1730648 scontext=system_u:system_r:svirt_tcg_t:s0:c382,c451 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0

Hash: qemu-system-aar,svirt_tcg_t,virtd_t,dir,search

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.16-300.fc28.x86_64
type:           libreport
Hi, Do you have some issues during shutdown process of VMs or you just see the SELinux denials? Thanks, Lukas.
(In reply to Lukas Vrabec from comment #1)
> Do you have some issues during shutdown process of VMs or you just see the
> SELinux denials?

Purely the latter. The VM closes down cleanly and there are no apparent problems on the next startup.
Jeremy, thanks for the reply. I'll close it for now; if you are able to reproduce it, feel free to re-open this BZ. Lukas.
It is fully repeatable. Every time one of these two VMs is closed down, an abrt report is generated on the host.
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Problem still exists with selinux-policy-3.14.1-36.fc28.noarch but the directory name is now "1191".
Description of problem:
Closing down an aarch64 (emulated) VM

Version-Release number of selected component:
selinux-policy-3.14.1-36.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.9-200.fc28.x86_64
type:           libreport
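Added example, not part of the bug thread or of setroubleshoot: the denial's `name` is a numeric directory on `dev="proc"` labelled `virtd_t`, i.e. the /proc/<pid> directory of a process running as virtd_t, so it changes between reports (1178, then 1191) while the denial itself is the same. The sketch below groups raw AVC records by the fields listed in the report's Hash line; the second sample record is constructed for illustration.

```python
import re
from collections import Counter

# First record is the raw AVC quoted in the report; the second is constructed
# for this example (pid, inode, timestamp, serial and MCS categories are made
# up) to stand in for the later report where the directory name was "1191".
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1529879290.901:81455): avc: denied { search } for pid=8131 comm="qemu-system-aar" name="1178" dev="proc" ino=1730648 scontext=system_u:system_r:svirt_tcg_t:s0:c382,c451 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1532500000.000:1): avc: denied { search } for pid=9000 comm="qemu-system-aar" name="1191" dev="proc" ino=1800000 scontext=system_u:system_r:svirt_tcg_t:s0:c100,c200 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def selinux_type(context):
    """user:role:type:level -> type (the level may itself contain colons)."""
    return context.split(':', 3)[2]

def signature(avc):
    """comm, source type, target type, class, perms: the Hash line's fields."""
    return (avc['comm'], selinux_type(avc['scontext']),
            selinux_type(avc['tcontext']), avc['tclass'],
            ' '.join(sorted(avc['perms'])))

def is_proc_pid_dir(avc):
    """True when the target is a /proc/<pid> directory (numeric name on procfs)."""
    return avc.get('dev') == 'proc' and avc['tclass'] == 'dir' and avc.get('name', '').isdigit()

def group_denials(log_text):
    """Count denials per signature, ignoring per-run values (name, pid, MCS level)."""
    parsed = filter(None, (parse_avc(line) for line in log_text.splitlines()))
    return Counter(signature(a) for a in parsed)

if __name__ == '__main__':
    for sig, count in group_denials(SAMPLE_AUDIT_LOG).items():
        print(count, ','.join(sig))
```

Both sample records collapse into one signature, which is the unit a policy rule acts on.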
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
commit 50a45a0b447e73463ce7ce24d3bf5e7a8fa03a1f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed May 15 08:59:53 2019 +0200

    Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)
selinux-policy-3.14.2-59.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.