2271831 – SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.

Bug 2271831 - SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.

Summary: SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	40
Hardware:	x86_64
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:3c2145b8e160bb608530a0221b5...
Duplicates (4):	2271079 2275414 2276957 2277197 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-03-27 13:21 UTC by Kamil Páral
Modified:	2024-05-12 04:17 UTC (History)
CC List:	13 users (show)
Fixed In Version:	selinux-policy-40.18-2.fc40
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-05-12 04:17:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (1.90 KB, text/plain) 2024-03-27 13:21 UTC, Kamil Páral	no flags	Details
File: os_info (756 bytes, text/plain) 2024-03-27 13:21 UTC, Kamil Páral	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 2106	0	None	open	Allow virtnodevd_t map /var/lib files	2024-05-03 14:58:55 UTC

Description Kamil Páral 2024-03-27 13:21:34 UTC

Description of problem:
This started happening after upgrading F39 to F40. Didn't happen on F39. It seems to happen regularly when virt-manager is running.
SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rpc-virtqemud should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
# semodule -X 300 -i my-rpcvirtqemud.pp

Additional Information:
Source Context                system_u:system_r:virtqemud_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        rpc-virtqemud
Source Path                   rpc-virtqemud
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.15-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.15-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.1-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 20 04:39:30 UTC 2024
                              x86_64
Alert Count                   3
First Seen                    2024-03-27 14:18:08 CET
Last Seen                     2024-03-27 14:20:03 CET
Local ID                      903f43fa-37c0-418e-b5fb-b20a2abd5fa4

Raw Audit Messages
type=AVC msg=audit(1711545603.763:248): avc:  denied  { getattr } for  pid=3395 comm="rpc-virtqemud" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1


Hash: rpc-virtqemud,virtqemud_t,fs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-40.15-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing rpc-virtqemud from 'getattr' accesses on the filesystem /.
package:        selinux-policy-targeted-40.15-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.1-300.fc40.x86_64
comment:        This started happening after upgrading F39 to F40. Didn't happen on F39. It seems to happen regularly when virt-manager is running.
component:      selinux-policy

Comment 1 Kamil Páral 2024-03-27 13:21:36 UTC

Created attachment 2023835 [details]
File: description

Comment 2 Kamil Páral 2024-03-27 13:21:38 UTC

Created attachment 2023836 [details]
File: os_info

Comment 3 Zdenek Pytela 2024-04-30 19:26:42 UTC

*** Bug 2277197 has been marked as a duplicate of this bug. ***

Comment 4 Zdenek Pytela 2024-04-30 19:26:50 UTC

*** Bug 2276957 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2024-04-30 19:26:57 UTC

*** Bug 2275414 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2024-04-30 19:27:09 UTC

*** Bug 2271079 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2024-05-07 08:33:22 UTC

FEDORA-2024-759c80369d (selinux-policy-40.18-2.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-759c80369d

Comment 8 Fedora Update System 2024-05-08 02:21:11 UTC

FEDORA-2024-759c80369d has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-759c80369d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-759c80369d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2024-05-12 04:17:41 UTC

FEDORA-2024-759c80369d (selinux-policy-40.18-2.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.