Bug 1969861 - libvirt - Unable to open system token /run/libvirt/common/system.token
Summary: libvirt - Unable to open system token /run/libvirt/common/system.token
Keywords:
Status: CLOSED DUPLICATE of bug 1966842
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: x86_64
OS: Linux
Priority: high
Severity: urgent
Target Milestone: beta
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-06-09 11:05 UTC by lejeczek
Modified: 2021-06-22 14:09 UTC
CC: 6 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-17 19:59:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 1964317 (Private: 1, Priority: high, Status: CLOSED): SELinux is preventing virtlogd from 'read, append' accesses on the file system.token (last updated 2022-01-17 08:02:51 UTC)

Description lejeczek 2021-06-09 11:05:19 UTC
Description of problem:

-> $ ausearch -ts 11:55 | egrep '(virt|qem|kvm)' | audit2why 
type=AVC msg=audit(1623236179.473:293): avc:  denied  { getattr } for  pid=4052 comm="virtlogd" name="/" dev="proc" ino=1 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1623236179.475:294): avc:  denied  { read append } for  pid=4052 comm="virtlogd" name="system.token" dev="tmpfs" ino=44485 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1623236298.688:548): avc:  denied  { getattr } for  pid=6331 comm="virtlogd" name="/" dev="proc" ino=1 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1623236311.860:607): avc:  denied  { read append } for  pid=6331 comm="virtlogd" name="system.token" dev="tmpfs" ino=44485 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Maybe more (silent denials?)

Version-Release number of selected component (if applicable):

libvirt-daemon-7.4.0-1.el8s.x86_64
selinux-policy-targeted-3.14.3-68.el8.noarch
selinux-policy-3.14.3-68.el8.noarch
4.18.0-305.3.1.el8.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2021-06-09 15:23:55 UTC
For current state of the system.token problem resolution, refer to 
https://bugzilla.redhat.com/show_bug.cgi?id=1964317

Comment 2 lejeczek 2021-06-10 13:10:27 UTC
Thanks for the info. This really is critical as it consequently affects/breaks oVirt.
many thanks, L.

Comment 3 Zdenek Pytela 2021-06-17 19:59:37 UTC

*** This bug has been marked as a duplicate of bug 1966842 ***

