Bug 2239472 - spice-vdagentd not starting due to selinux errors
Summary: spice-vdagentd not starting due to selinux errors
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: spice-vdagent
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Christophe Fergeau
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-09-18 14:30 UTC by Prarit Bhargava
Modified: 2024-05-31 08:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-05-31 08:32:10 UTC
Type: ---
Embargoed:
Description Prarit Bhargava 2023-09-18 14:30:38 UTC
Hey everyone,

This has been a long-lived bug and I cannot seem to find an answer online, or in any documentation.

This is the situation: My current workstation is at F38 (and is/was up-to-date as of Sep 15 before the process described below).  I am running F38 as a host OS, and have a F38 guest.  The problem described below is with the _guest_.

I reboot the system once every few weeks to get the latest kernel-related security updates from F38.  When this happens, I see

 [  485.420234] spice-vdagent[3334]: segfault at 81 ip 0000556f5e41c536 sp 00007ffff177ba10 error 4 in spice-vdagent[556f5e413000+e000] likely on CPU 60 (core 0, socket 3)

in the boot log.  

Reproducible: Always

Steps to Reproduce:
1. Boot VM with F38
Actual Results:  
When I check the status of spice-vdagent,

[10:13 AM root@prarit ~]# systemctl status spice-vdagentd
● spice-vdagentd.service - Agent daemon for Spice guests
     Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Fri 2023-09-15 08:31:52 EDT; 3 days ago
TriggeredBy: ● spice-vdagentd.socket
   Main PID: 3407 (spice-vdagentd)
      Tasks: 3 (limit: 180973)
     Memory: 796.0K
        CPU: 5.628s
     CGroup: /system.slice/spice-vdagentd.service
             └─3407 /usr/sbin/spice-vdagentd

Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:05:01 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:13:28 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:13:28 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:13:28 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
Sep 18 10:13:28 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting active session: No data available
[10:13 AM root@prarit ~]# 

Furthermore, I see selinux errors related to spice-vdagent in the boot log:

Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagent[3334]: display: failed to call GetCurrentState from mutter over DBUS
Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagent[3334]:    error message: Cannot invoke method; proxy is for the well-known name org.gnome.Mutter.DisplayConfig without an owner, and proxy was constructed with the G_DBUS_PROXY_FLAGS_DO_NOT_AUTO_START flag
Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagent[3334]: No guest output map, using output index as display id
Sep 15 08:35:00 prarit.bos.redhat.com audit[3407]: AVC avc:  denied  { search } for  pid=3407 comm="spice-vdagentd" name="3334" dev="proc" ino=40010 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
Sep 15 08:35:00 prarit.bos.redhat.com audit[3407]: AVC avc:  denied  { search } for  pid=3407 comm="spice-vdagentd" name="3334" dev="proc" ino=40010 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
Sep 15 08:35:00 prarit.bos.redhat.com audit[3407]: AVC avc:  denied  { search } for  pid=3407 comm="spice-vdagentd" name="3334" dev="proc" ino=40010 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagentd[3407]: Error getting owner UID for pid 3334: Permission denied
Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagentd[3407]: UID mismatch: UID=1000 PID=3334 suid=4294967295
Sep 15 08:35:00 prarit.bos.redhat.com setroubleshoot[4750]: SELinux is preventing spice-vdagentd from search access on the directory 3334. For complete SELinux messages run: sealert -l 4264c074-64c3-4f04-af07-87486f0d34ed
Sep 15 08:35:00 prarit.bos.redhat.com setroubleshoot[4750]: SELinux is preventing spice-vdagentd from search access on the directory 3334.
                                                            
                                                            *****  Plugin catchall (100. confidence) suggests   **************************
                                                            
                                                            If you believe that spice-vdagentd should be allowed search access on the 3334 directory by default.
                                                            Then you should report this as a bug.
                                                            You can generate a local policy module to allow this access.
                                                            Do
                                                            allow this access for now by executing:
                                                            # ausearch -c 'spice-vdagentd' --raw | audit2allow -M my-spicevdagentd
                                                            # semodule -X 300 -i my-spicevdagentd.pp
                                                            
Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagent[3334]: display: failed to call GetCurrentState from mutter over DBUS

The suggestion in the error log does work; however, it seems to only affect the current boot and not subsequent reboots.

As a result of this error I cannot connect spice console AFAICT, and the boot takes a longer time.



Expected Results:  
spice-vdagent should start without errors

This is 100% reproducible on F38.
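
Added example (not part of the original report, and not spice-vdagent or setroubleshoot code): a small Python parser that collapses the repeated AVC denials in the boot log above into one entry per source type, target type, class and permission set, and prints each in the rule form that audit2allow emits. The function names are hypothetical; the sample input is the AVC record copied from the log above.

```python
import re
from collections import Counter

# AVC record copied from the boot log in the report above (it appears three times).
AVC_LINE = (
    'Sep 15 08:35:00 prarit.bos.redhat.com audit[3407]: AVC avc:  denied  { search } for  '
    'pid=3407 comm="spice-vdagentd" name="3334" dev="proc" ino=40010 '
    'scontext=system_u:system_r:vdagent_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0'
)
OTHER_LINE = ('Sep 15 08:35:00 prarit.bos.redhat.com spice-vdagentd[3407]: '
              'Error getting owner UID for pid 3334: Permission denied')
SAMPLE_LOG = "\n".join([AVC_LINE, OTHER_LINE, AVC_LINE, AVC_LINE])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to name the denied access
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields

def context_type(ctx):
    """An SELinux context is user:role:type:level; the type is the third field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize(log_text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]),
                    rec["tclass"], rec["perms"])] += 1
    return counts

def allow_rule(src, tgt, tclass, perms):
    """Render one summarized denial in type-enforcement rule syntax."""
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{tclass} {p};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n}x  {allow_rule(*key)}")
```

Reading the summarized rule before loading a generated module shows exactly which access the module would grant; here it is vdagent_t searching the /proc directory of a process labelled unconfined_service_t.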

Comment 1 Aoife Moloney 2024-05-31 08:32:10 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.