Created attachment 1553936
journal with AVC denial

Description of problem:
Can't start virtlogd.service because SELinux policy is preventing access to /etc/libvirt/virtlogd.conf.

Version-Release number of selected component (if applicable):
$ rpm-ostree db list d5c2b68a9d6665d803aac15bb18a01ddfda0634a50adbe2954a0cf73b72c37b0 | grep selinux-policy
selinux-policy-3.14.3-23.fc30.noarch
selinux-policy-targeted-3.14.3-23.fc30.noarch

How reproducible:
Always. Also was reproducible in F29. Fresh installation of F30 Silverblue.

Steps to Reproduce:
1. Install qemu-kvm into the base image of Silverblue
2. Try to create a virtual machine
3. Watch it fail:

Не удалось завершить установку: «Failed to connect socket to '/var/run/libvirt/virtlogd-sock': Connection refused»

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 2122, in _do_async_install
    guest.installer_instance.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/installer.py", line 415, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/installer.py", line 358, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 3743, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirt.libvirtError: Failed to connect socket to '/var/run/libvirt/virtlogd-sock': Connection refused

4. Find out that virtlogd.service is not even running
5. SELinux blocks access to a config file, 🔥 EVERYTHING IS FINE 🔥

Actual results:
$ systemctl start virtlogd.service
$ systemctl status virtlogd.service
FAIL

Expected results:
$ systemctl start virtlogd.service
$ systemctl status virtlogd.service
OK
Virtual Machines are working.

Additional info:
Hi Egor,

Thank you for reporting the issue. In the description, you mentioned access to the config file was denied; in the error message, though, it is rather the access to the socket file. Am I missing something in the report?

Please run the following commands to display the current file contexts and AVC denials:

ls -Zla /etc/libvirt /var/run/libvirt
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
Hi,

I checked your attachment and it looks fixed in the latest selinux-policy rpm package:

» audit2allow -i avc

#============= virtlogd_t ==============

#!!!! This avc is allowed in the current policy
allow virtlogd_t virt_etc_rw_t:dir search;
(In reply to Zdenek Pytela from comment #1)
> Hi Egor,
>
> Thank you for reporting the issue. In the description, you mentioned access
> to the config file was denied, in the error message though it rather is the
> access to the socket file - do I miss something in the report?

It fails to connect to the socket because the daemon isn't running. The daemon can't run because SELinux is blocking access to the config file. I should not have published this error I got from virt-manager, because I've already identified the cause.

> Please run the following commands to display the current files context and
> AVC denials:

I don't know if this would really help, because I've already *fixed* it with audit2allow.

$ ls -Zla /etc/libvirt /var/run/libvirt
/etc/libvirt:
итого 104
drwxr-xr-x.   6 root root system_u:object_r:virt_etc_rw_t:s0     4096 апр  9 23:48 .
drwxr-xr-x. 130 root root system_u:object_r:etc_t:s0            12288 апр 10 20:46 ..
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0         450 апр  9 23:47 libvirt-admin.conf
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0         547 апр  9 23:47 libvirt.conf
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0       16529 апр  9 23:47 libvirtd.conf
drwx------.   2 root root system_u:object_r:virt_etc_rw_t:s0     4096 апр  9 23:47 nwfilter
drwx------.   3 root root system_u:object_r:virt_etc_rw_t:s0     4096 апр 10 00:44 qemu
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0       30484 апр  9 23:47 qemu.conf
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0        2169 апр  9 23:47 qemu-lockd.conf
drwx------.   2 root root system_u:object_r:virt_etc_rw_t:s0     4096 апр  9 23:48 secrets
drwxr-xr-x.   3 root root system_u:object_r:virt_etc_rw_t:s0     4096 апр  9 23:48 storage
-rw-r--r--.   1 root root system_u:object_r:virt_etc_t:s0        3202 апр  9 23:47 virtlockd.conf
-rw-r--r--.   1 root root system_u:object_r:virtlogd_etc_t:s0    3247 апр  9 23:47 virtlogd.conf

/var/run/libvirt:
итого 0
drwxr-xr-x.  7 root root system_u:object_r:virt_var_run_t:s0      260 апр 10 00:02 .
drwxr-xr-x. 47 root root system_u:object_r:var_run_t:s0          1360 апр 10 20:46 ..
drwxr-xr-x.  2 root root system_u:object_r:virt_var_run_t:s0       40 апр  9 23:49 hostdevmgr
srwx------.  1 root root system_u:object_r:virt_var_run_t:s0        0 апр  9 23:49 libvirt-admin-sock
srwxrwxrwx.  1 root root system_u:object_r:virt_var_run_t:s0        0 апр  9 23:49 libvirt-sock
srwxrwxrwx.  1 root root system_u:object_r:virt_var_run_t:s0        0 апр  9 23:49 libvirt-sock-ro
drwxr-xr-x.  2 root root system_u:object_r:dnsmasq_var_run_t:s0   100 апр  9 23:49 network
drwx------.  2 root root system_u:object_r:virt_var_run_t:s0       40 апр  9 23:49 nwfilter-binding
drwxr-xr-x.  2 root root system_u:object_r:qemu_var_run_t:s0       40 апр 10 08:36 qemu
drwxr-xr-x.  2 root root system_u:object_r:virt_var_run_t:s0       40 апр  9 23:49 storage
srw-rw-rw-.  1 root root system_u:object_r:virt_var_run_t:s0        0 апр  9 23:49 virtlockd-sock
srw-rw-rw-.  1 root root system_u:object_r:virt_var_run_t:s0        0 апр 10 00:02 virtlogd-admin-sock
srw-rw-rw-.  1 root root system_u:object_r:virtlogd_var_run_t:s0    0 апр  9 23:49 virtlogd-sock

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts this-week
----
type=AVC msg=audit(07.04.2019 10:52:52.549:345) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=.containerenv dev="tmpfs" ino=301224 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c118,c349 tclass=file permissive=0
----
type=AVC msg=audit(07.04.2019 10:52:52.549:346) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=hostname dev="tmpfs" ino=301223 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c118,c349 tclass=file permissive=0
----
type=AVC msg=audit(07.04.2019 10:52:52.549:347) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=hosts dev="tmpfs" ino=301222 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07.04.2019 10:52:52.549:348) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=resolv.conf dev="tmpfs" ino=301217 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
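The ausearch output above mixes the virtlogd denial this bug is about with unrelated systemd-logind denials, and the thread's next step is to run audit2allow over the attachment to see which denials the installed policy already covers. The following is an added example, not code from the bug report or from the selinux-policy project: a small parser for `ausearch -i` AVC records that groups denied permissions per (source type, target type, class) the way audit2allow does, renders them as allow rules, and splits them into "already allowed" and "still missing" against a rule set. The sample records are the four logind denials quoted above plus one constructed virtlogd record matching the rule audit2allow printed in comment #2; the `CURRENT_POLICY` dict is a constructed stand-in for what `sesearch` would report on the host.

```python
import re
from collections import defaultdict

# One record as printed by `ausearch -i`: after "for " comes a run of key=value
# fields (values may be double-quoted, e.g. dev="tmpfs").
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the four denials quoted in this comment, plus one
# constructed virtlogd record (pid/ino/timestamp invented) shaped like the
# denial from the attachment that audit2allow summarised in comment #2.
SAMPLE_LINES = [
    "----",
    'type=AVC msg=audit(07.04.2019 10:52:52.549:345) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=.containerenv dev="tmpfs" ino=301224 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c118,c349 tclass=file permissive=0',
    "----",
    'type=AVC msg=audit(07.04.2019 10:52:52.549:346) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=hostname dev="tmpfs" ino=301223 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c118,c349 tclass=file permissive=0',
    "----",
    'type=AVC msg=audit(07.04.2019 10:52:52.549:347) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=hosts dev="tmpfs" ino=301222 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0',
    "----",
    'type=AVC msg=audit(07.04.2019 10:52:52.549:348) : avc: denied { unlink } for pid=15693 comm=systemd-user-ru name=resolv.conf dev="tmpfs" ino=301217 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0',
    "----",
    'type=AVC msg=audit(09.04.2019 23:49:01.000:210) : avc: denied { search } for pid=1234 comm=virtlogd name=libvirt dev="dm-0" ino=1 scontext=system_u:system_r:virtlogd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=dir permissive=0',
]

# Constructed stand-in for the rules the installed policy grants; on a real
# host you would populate this from `sesearch -A -s virtlogd_t ...`.
CURRENT_POLICY = {("virtlogd_t", "virt_etc_rw_t", "dir"): {"search"}}


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for separators and non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Union the denied permissions per (source type, target type, class),
    which is the grouping audit2allow uses to build its allow rules."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render the summary as policy-language allow rules, one per key."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        out.append(f"allow {src} {tgt}:{cls} {plist};")
    return out


def split_by_policy(rules, policy):
    """Separate denials the given rule set already covers (what audit2allow
    reports as 'allowed in the current policy') from those it does not."""
    covered, missing = {}, {}
    for key, perms in rules.items():
        have = policy.get(key, set())
        if perms <= have:
            covered[key] = perms
        else:
            missing[key] = perms - have
    return covered, missing


if __name__ == "__main__":
    rules = summarize(SAMPLE_LINES)
    covered, missing = split_by_policy(rules, CURRENT_POLICY)
    print("Rules audit2allow would generate:")
    for rule in to_allow_rules(rules):
        print("  " + rule)
    print("Already allowed:", to_allow_rules(covered))
    print("Still denied:   ", to_allow_rules(missing))
```

On the sample input the virtlogd denial lands in "already allowed" (the fix from comment #2) while the systemd_logind_t/container_file_t unlink denials stay in "still denied", which is the separation Zdenek draws in the next comments. Feed the real `ausearch -i` output in by splitting it on newlines, and replace `CURRENT_POLICY` with the output of `sesearch` before trusting the "already allowed" list.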
(In reply to Lukas Vrabec from comment #2)
> Hi,
>
> I checked your attachment and it looks fixed on the latest selinux-policy
> rpm package:
>
> » audit2allow -i avc
>
> #============= virtlogd_t ==============
>
> #!!!! This avc is allowed in the current policy
> allow virtlogd_t virt_etc_rw_t:dir search;

Cool. In which version was it fixed, and when will it be pushed to F30?
This permission was added by commit 58e99ba8a7f1f588726319a4bb33801aeaa7ad10 Author: Lukas Vrabec <lvrabec> Date: Tue Mar 26 15:08:02 2019 +0100 Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t diff --git a/virt.te b/virt.te index 200666a81..70ef11c2f 100644 --- a/virt.te +++ b/virt.te @@ -755,6 +755,11 @@ files_search_etc(virtlogd_t) allow virtlogd_t virt_etc_t:lnk_file read_file_perms; allow virtlogd_t virt_etc_t:dir search; +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + # virtlogd creates /var/run/libvirt/virtlogd-sock with isolated # context from other stuff in /var/run/libvirt filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) to f30. It should even be a part of f29 package for a while - see the changelog: * Wed Apr 03 2019 Lukas Vrabec <lvrabec> - 3.14.2-53 - Add gnome_filetrans_fontconfig_home_content interface - Add permissions needed by systemd's machinectl shell/login - Update SELinux policy for xen services - Fix varnisncsa typo - Allow init start freenx-server BZ(1678025) - Allow tcpd bind to services ports BZ(1676940) - Add tcpd_wrapped_domain for telnetd BZ(1676940) - Update mysql_filetrans_named_content() to allow cluster to create mysql dirs in /var/run with proper label mysqld_var_run_t - Make shell_exec_t type as entrypoint for vmtools_unconfined_t. - Allow esmtp access .esmtprc BZ(1691149) - Allow virtlogd_t domain to create virt_etc_rw_t files in virt_etc_t The other denials, reported by ausearch, seem to refer to some other problem which needs investigating.
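Review bot: the rules added in the virt.te hunk are considerably broader than the denial this report needed. The only AVC in the attachment was `allow virtlogd_t virt_etc_rw_t:dir search;` (comment #2), and the file virtlogd reads, /etc/libvirt/virtlogd.conf, is labelled virtlogd_etc_t in the ls -Z listing above, yet the hunk grants manage_dirs_pattern, manage_files_pattern and manage_lnk_files_pattern on virt_etc_rw_t, i.e. create, write, unlink and rename on every virt_etc_rw_t directory, file and symlink, which per the same listing includes /etc/libvirt/secrets and /etc/libvirt/qemu. If virtlogd only needs to traverse /etc/libvirt to reach its own config, `search_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)` is the least-privilege fix; if it really creates content under /etc/libvirt, the commit message should name the path and the `filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir)` line should carry a filename argument so that only that directory is transitioned, rather than any directory virtlogd_t ever creates in a virt_etc_t directory. A one-line comment above the new block stating which virtlogd operation needs the rules would also help the next reader, as the existing comment does for the virtlogd-sock transition.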
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.