Bug 2156155 - F36->F37 update messed with libvirt_leasesh and virtlogd
Summary: F36->F37 update messed with libvirt_leasesh and virtlogd
Keywords:
Status: CLOSED DUPLICATE of bug 2122918
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 37
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-12-24 15:32 UTC by Germano Massullo (Thetra)
Modified: 2023-01-03 10:03 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-01-03 10:03:27 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Germano Massullo (Thetra) 2022-12-24 15:32:20 UTC 
Description of problem:
After an update from F36 to F37, SELinux is throwing many alerts about  libvirt_leasesh and virtlogd.
Relabeling the filesystem did not fix the problem



Informazioni addizionali:
Contesto della sorgente       system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Contesto target               system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Oggetti target                Sconosciuto [ process ]
Sorgente                      virtlogd
Percorso della sorgente       virtlogd
Porta                         <Sconosciuto>
Host                          machine
Sorgente Pacchetti RPM        
Pacchetti RPM target          
SELinux Policy RPM            selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.16-1.fc37.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Enforcing
Host Name                     machine
Piattaforma                   Linux machine 6.0.14-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Dec 19 17:44:54 UTC 2022
                              x86_64 x86_64
Conteggio avvisi              2
Primo visto                   2022-12-22 17:29:36 CET
Ultimo visto                  2022-12-24 13:31:26 CET


Messaggi Raw Audit
type=AVC msg=audit(1671885086.458:444): avc:  denied  { execmem } for  pid=8072 comm="virtlogd" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: virtlogd,virtlogd_t,virtlogd_t,process,execmem


Informazioni addizionali:
Contesto della sorgente       system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Contesto target               system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Oggetti target                Sconosciuto [ process ]
Sorgente                      libvirt_leasesh
Percorso della sorgente       libvirt_leasesh
Porta                         <Sconosciuto>
Host                          machine
Sorgente Pacchetti RPM        
Pacchetti RPM target          
SELinux Policy RPM            selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.16-1.fc37.noarch
Selinux abilitato             True
Tipo di politica              targeted
Modalità Enforcing            Enforcing
Host Name                     machine
Piattaforma                   Linux machine 6.0.14-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Dec 19 17:44:54 UTC 2022
                              x86_64 x86_64
Conteggio avvisi              340
Primo visto                   2022-12-20 16:19:00 CET
Ultimo visto                  2022-12-24 16:19:40 CET

Messaggi Raw Audit
type=AVC msg=audit(1671895180.439:649): avc:  denied  { execmem } for  pid=21995 comm="libvirt_leasesh" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: libvirt_leasesh,dnsmasq_t,dnsmasq_t,process,execmem
Comment 1 kinghat 2022-12-27 18:02:03 UTC 
on f36 i never received any selinux alerts but after an upgrade to f37 i get them all the time and this is one of them that shows up in the list of many(mostly snap related):

SELinux is preventing libvirt_leasesh from using the execmem access on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests   *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that libvirt_leasesh should be allowed execmem access on processes labeled dnsmasq_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirt_leasesh' --raw | audit2allow -M my-libvirtleasesh
# semodule -X 300 -i my-libvirtleasesh.pp

Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        libvirt_leasesh
Source Path                   libvirt_leasesh
Port                          <Unknown>
Host                          kinghat-thinkpad
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.16-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.16-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     kinghat-thinkpad
Platform                      Linux kinghat-thinkpad 6.0.15-300.fc37.x86_64 #1
                              SMP PREEMPT_DYNAMIC Wed Dec 21 18:33:23 UTC 2022
                              x86_64 x86_64
Alert Count                   8
First Seen                    2022-12-13 11:56:47 CST
Last Seen                     2022-12-26 11:42:26 CST
Local ID                      541a0840-21f2-4db9-a9a1-dfa54addbfb4

Raw Audit Messages
type=AVC msg=audit(1672076546.115:725): avc:  denied  { execmem } for  pid=28915 comm="libvirt_leasesh" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: libvirt_leasesh,dnsmasq_t,dnsmasq_t,process,execmem
Comment 2 Zdenek Pytela 2023-01-03 10:03:27 UTC 
Please update to selinux-policy-37.17-1.fc37.

*** This bug has been marked as a duplicate of bug 2122918 ***
Note You need to log in before you can comment on or make changes to this bug.