Description of problem: Creating and/or running lxc containers from virt-manager SELinux is preventing systemd from 'prog_run' accesses on the bpf labeled virtd_lxc_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed prog_run access on bpf labeled virtd_lxc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd' --raw | audit2allow -M my-systemd # semodule -X 300 -i my-systemd.pp Additional Information: Source Context system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 Target Context system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 Target Objects Unknown [ bpf ] Source systemd Source Path systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-44.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.19.10-300.fc29.x86_64 #1 SMP Mon Dec 17 15:34:44 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-12-31 01:18:38 IST Last Seen 2018-12-31 01:21:21 IST Local ID 7f0b8f6f-09ca-4b84-83e5-722c364d5e59 Raw Audit Messages type=AVC msg=audit(1546199481.490:906): avc: denied { prog_run } for pid=16139 comm="systemd" scontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 tclass=bpf permissive=1 Hash: systemd,virtd_lxc_t,virtd_lxc_t,bpf,prog_run Version-Release number of selected component: selinux-policy-3.14.2-44.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.19.10-300.fc29.x86_64 type: libreport
commit 8179645ec28306e38fd37dce86d9c1cd21ec7728 (HEAD -> rawhide) Author: Lukas Vrabec <lvrabec> Date: Thu Jan 10 18:44:23 2019 +0100 Allow virtd_lxc_t domains use BPF BZ(1662613)
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.