Bug 1797899 - virt-admin failed to connect virtlogd daemon
Summary: virt-admin failed to connect virtlogd daemon
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-04 07:49 UTC by yafu
Modified: 2021-11-10 08:25 UTC
CC: 6 users

Fixed In Version: selinux-policy-3.14.3-76.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:42:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2021:4420  0        None      None    None     2021-11-09 19:42:56 UTC

Internal Links: 1994592

Description yafu 2020-02-04 07:49:54 UTC
Description of problem:
virt-admin failed to connect virtlogd daemon

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-38.el8.noarch
libvirt-6.0.0-2.module+el8.2.0+5513+34927b6c.x86_64

How reproducible:
100%

Steps to Reproduce:
1. # virt-admin -c virtlogd:///socket
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer

2. Check the syslog:
# cat /var/log/messages
Feb  4 02:37:33 * journal[3929]: Failed to open file '/proc/6237/stat': Permission denied
Feb  4 02:37:37 * setroubleshoot[6265]: SELinux is preventing virtlogd from search access on the directory 6237. For complete SELinux messages run: sealert -l 5259ac6d-f639-4ad0-b1cd-b88228286e93
Feb  4 02:37:37 * platform-python[6265]: SELinux is preventing virtlogd from search access on the directory 6237.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that virtlogd should be allowed search access on the 6237 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'virtlogd' --raw | audit2allow -M my-virtlogd
# semodule -X 300 -i my-virtlogd.pp


3.

Actual results:
virt-admin failed to connect virtlogd daemon.

Expected results:
virt-admin should connect virtlogd daemon successfully.

Additional info:
Audit message:
type=AVC msg=audit(1580801853.336:2564): avc:  denied  { search } for  pid=3929 comm="virtlogd" name="6237" dev="proc" ino=117626 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0

Comment 1 Milos Malik 2020-02-04 08:10:50 UTC
Here is a reproducer:

# service virtlogd start
# service virtlogd status
# systemctl enable virtlogd-admin.socket
# systemctl start virtlogd-admin.socket
# systemctl status virtlogd-admin.socket
# virt-admin -c virtlogd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
#

Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(02/04/2020 03:01:52.498:344) : proctitle=/usr/sbin/virtlogd 
type=PATH msg=audit(02/04/2020 03:01:52.498:344) : item=0 name=/proc/6078/stat nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/04/2020 03:01:52.498:344) : cwd=/ 
type=SYSCALL msg=audit(02/04/2020 03:01:52.498:344) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55be8c3baa80 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/04/2020 03:01:52.498:344) : avc:  denied  { search } for  pid=5612 comm=virtlogd name=6078 dev="proc" ino=37809 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
----

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(02/04/2020 03:05:47.764:347) : proctitle=/usr/sbin/virtlogd 
type=PATH msg=audit(02/04/2020 03:05:47.764:347) : item=0 name=/proc/6084/stat inode=37875 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/04/2020 03:05:47.764:347) : cwd=/ 
type=SYSCALL msg=audit(02/04/2020 03:05:47.764:347) : arch=x86_64 syscall=openat success=yes exit=11 a0=0xffffff9c a1=0x55be8c3bb840 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { open } for  pid=5612 comm=virtlogd path=/proc/6084/stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { read } for  pid=5612 comm=virtlogd name=stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1 
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { search } for  pid=5612 comm=virtlogd name=6084 dev="proc" ino=37864 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1 
----
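
The enforcing-mode and permissive-mode captures above differ in an important way: in enforcing mode the first denied step (search on the /proc/<pid> directory) aborts the openat(), so only one AVC is logged, while permissive mode lets the call proceed and records the whole chain (search, open, read). The script below is an added example, not code from this bug, from setroubleshoot or from audit2allow; it parses AVC records in the format quoted here (the sample lines are a constructed copy in that shape) and groups them into allow rules the way audit2allow does, and it separates the denials by mode so the difference is visible.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit records quoted in comment 1
# (one enforcing-mode denial, then the permissive-mode chain). Not the raw log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/04/2020 03:01:52.498:344) : avc:  denied  { search } for  pid=5612 comm=virtlogd name=6078 dev="proc" ino=37809 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=SYSCALL msg=audit(02/04/2020 03:05:47.764:347) : arch=x86_64 syscall=openat success=yes exit=11 comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { open } for  pid=5612 comm=virtlogd path=/proc/6084/stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { read } for  pid=5612 comm=virtlogd name=stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc:  denied  { search } for  pid=5612 comm=virtlogd name=6084 dev="proc" ino=37864 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
"""

# Only AVC records carry a denial; SYSCALL/PATH/PROCTITLE records are context.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+).*?\bpermissive=(?P<permissive>[01])"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC records.
    The SELinux type is the third colon-separated field of a context."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
        "permissive": m.group("permissive") == "1",
    }


def suggest_rules(lines):
    """Collapse denials into allow rules keyed on (source, target, class),
    the grouping audit2allow performs. Output is a starting point for review,
    not a module to install unread: it widens virtlogd_t's access."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def denials_by_mode(lines):
    """List 'class:perm' denials seen in enforcing vs permissive mode, in log
    order, to show how much of the chain each mode actually records."""
    out = {"enforcing": [], "permissive": []}
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = "permissive" if rec["permissive"] else "enforcing"
            for perm in sorted(rec["perms"]):
                out[key].append(f"{rec['tclass']}:{perm}")
    return out


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print(denials_by_mode(lines))
    print("\n".join(suggest_rules(lines)))
```

Run against the sample, the enforcing-mode log yields only dir:search, while the permissive-mode log yields file:open, file:read and dir:search, so a local module built from enforcing-mode logs alone would stop at the first denial and need a second round. The generated rules are the audit2allow-style workaround; the proper fix for this bug is the policy change shipped in selinux-policy-3.14.3-76.el8.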

Comment 2 Milos Malik 2020-02-04 08:24:29 UTC
There are in fact 2 different admin sockets:

# ls /usr/lib/systemd/system/*virt*admin*socket
/usr/lib/systemd/system/virtlockd-admin.socket
/usr/lib/systemd/system/virtlogd-admin.socket
#

but both services are labeled the same way:

# matchpathcon /usr/sbin/virtlockd 
/usr/sbin/virtlockd	system_u:object_r:virtlogd_exec_t:s0
# matchpathcon /usr/sbin/virtlogd 
/usr/sbin/virtlogd	system_u:object_r:virtlogd_exec_t:s0
#

that's why it does not matter if virtlockd-admin.socket or virtlogd-admin.socket is used, because SELinux denials which are triggered have the same scontext= and tcontext= values as in comment#1.

Comment 3 Milos Malik 2020-02-04 08:29:34 UTC
# rpm -qa selinux\* libvirt\* | sort
libvirt-admin-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-bash-completion-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-daemon-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-libs-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch
# virt-admin -c virtlockd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
# virt-admin -c virtlogd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
#

Comment 8 Jiri Denemark 2020-03-19 13:57:15 UTC
According to the AVCs virtlogd reads /proc/$PID/stat to get the startup time
of the process connecting to it via a UNIX socket. This is apparently needed
for polkit checks as explained in the commit which introduced this 7 years ago
(at that time virtlogd did not exist and the code was used only by libvirtd):

    commit 979e9c56a7aadf2dcfbddd1abfbad594b78b4468
    Author:     Daniel P. Berrangé <berrange>
    AuthorDate: Thu Apr 25 17:05:00 2013 +0100
    Commit:     Daniel P. Berrangé <berrange>
    CommitDate: Wed May 8 10:47:45 2013 +0100

        Include process start time when doing polkit checks
        
        Since PIDs can be reused, polkit prefers to be given
        a (PID,start time) pair. If given a PID on its own,
        it will attempt to lookup the start time in /proc/pid/stat,
        though this is subject to races.
        
        It is safer if the client app resolves the PID start
        time itself, because as long as the app has the client
        socket open, the client PID won't be reused.
        
        Signed-off-by: Daniel P. Berrange <berrange>
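
The (PID, start time) pairing described in that commit message is worth seeing in code, including the two ways it goes wrong. The block below is an added example, not libvirt's or polkit's code: it reads the starttime field (field 22) from /proc/<pid>/stat contents the way proc(5) lays them out, anchoring on the last ')' because the comm field is attacker-settable via prctl(PR_SET_NAME) and may contain spaces or ')', and it fails closed when the stat file cannot be read, which is the situation this bug describes. The stat lines are constructed samples; read_stat is an injected helper so the logic runs without a live /proc.

```python
import os

# Constructed /proc/<pid>/stat contents in the proc(5) field layout; the
# values are made up for this example.
SAMPLE_STAT = ("6084 (virsh) S 1 6084 6084 0 -1 4194304 250 0 0 0 1 0 0 0 20 0 1 0 "
               "123456 12345678 500 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 "
               "17 0 0 0 0 0 0 0 0 0 0 0 0 0 0")
# Same PID after reuse: a different process, so a different starttime.
SAMPLE_STAT_REUSED = SAMPLE_STAT.replace(" 123456 ", " 999999 ")
# A comm containing ')' and spaces, which any process can set for itself.
SAMPLE_STAT_ODD_COMM = ("6100 (evil ) proc) S 1 6100 6100 0 -1 4194304 0 0 0 0 "
                        "0 0 0 0 20 0 1 0 777 0 0 0")


def parse_stat_starttime(stat_text):
    """Return 'starttime' (field 22, clock ticks since boot). comm (field 2)
    is printed inside parentheses and is not trustworthy, so find the LAST ')'
    and count fields from there; rest[0] is field 3, hence field 22 is rest[19]."""
    rparen = stat_text.rfind(")")
    if rparen < 0:
        raise ValueError("malformed stat line: no comm field")
    rest = stat_text[rparen + 1:].split()
    if len(rest) < 20:
        raise ValueError("malformed stat line: too few fields")
    return int(rest[19])


def naive_starttime(stat_text):
    """The tempting whitespace split, kept only to show it is wrong for an
    odd comm: the extra tokens shift every later field."""
    return int(stat_text.split()[21])


def peer_identity(pid, read_stat=None):
    """(pid, starttime) pair identifying a connected peer, the shape polkit
    prefers over a bare PID. read_stat defaults to the real /proc."""
    if read_stat is None:
        def read_stat(p):
            with open(f"/proc/{p}/stat") as fh:
                return fh.read()
    return (pid, parse_stat_starttime(read_stat(pid)))


def same_process(ident, read_stat=None):
    """True only if ident[0] still names the process captured in ident.
    Any failure to read the stat file (process gone, or a policy denial like
    the EACCES in this bug) means 'cannot verify' and fails closed."""
    try:
        return peer_identity(ident[0], read_stat) == ident
    except (OSError, ValueError):
        return False


def denied_read(pid):
    """Simulates what virtlogd hit here: the open of /proc/<pid>/stat refused."""
    raise PermissionError(13, "Permission denied")


if __name__ == "__main__":
    # On a Linux host this reads the real entry for this interpreter.
    print(peer_identity(os.getpid()))
```

With the read denied, same_process() returns False rather than guessing, which is the safe outcome and also the observable behaviour in this bug: the daemon cannot establish the caller's identity, so the admin connection is dropped instead of being authorized on a bare PID.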

Comment 9 Lili Zhu 2020-03-20 00:47:16 UTC
The bug appeared by testing with:

libvirt-4.3.0-1.el7.x86_64
qemu-kvm-rhev-2.10.0-21.el7_5.3.x86_64

refer to the duplicate bug: Bug #1582414

Comment 13 Zdenek Pytela 2021-07-30 13:11:07 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/818

Comment 14 Zdenek Pytela 2021-08-06 17:10:50 UTC
Commit to backport:
commit 42d1f02477ddb7d44bb1da61366fb55c657ecd1f (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jul 30 15:03:18 2021 +0200

    Allow virtlogd_t read process state of user domains

Comment 24 errata-xmlrpc 2021-11-09 19:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

