Hello, After the upgrade from Fedora 39 to Fedora 40, I'm getting SELinux denials when trying to start the default libvirtd network. When I looked into it, the errors were: Error starting network 'default': Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network default start begin -) unexpected exit status 126: libvirt: error : cannot execute binary /etc/libvirt/hooks/network: Permission denied Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/asyncjob.py", line 72, in cb_wrapper callback(asyncjob, *args, **kwargs) File "/usr/share/virt-manager/virtManager/asyncjob.py", line 108, in tmpcb callback(*args, **kwargs) File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn ret = fn(self, *args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/share/virt-manager/virtManager/object/network.py", line 69, in start self._backend.create() File "/usr/lib64/python3.12/site-packages/libvirt.py", line 3553, in create raise libvirtError('virNetworkCreate() failed') libvirt.libvirtError: Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network default start begin -) unexpected exit status 126: libvirt: error : cannot execute binary /etc/libvirt/hooks/network: Permission denied The default network comes online when it's in Permissive mode. I'm filing this against libvirt but it might require an selinux policy update instead, I'm not sure. I collected the audit logs for when I enable and disable the default network: time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.628:2316): avc: denied { execute } for pid=76278 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.628:2317): avc: denied { execute_no_trans } for pid=76278 comm="rpc-virtnetwork" path="/etc/libvirt/hooks/network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.629:2318): avc: denied { execute } for pid=76278 comm="rpc-virtnetwork" name="bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.630:2319): avc: denied { map } for pid=76278 comm="network" path="/usr/bin/bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.813:2339): avc: denied { execute } for pid=76313 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.813:2340): avc: denied { execute_no_trans } for pid=76313 comm="rpc-virtnetwork" path="/etc/libvirt/hooks/network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.813:2341): avc: denied { execute } for pid=76313 comm="rpc-virtnetwork" name="bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.814:2342): avc: denied { map } for pid=76313 comm="network" path="/usr/bin/bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.816:2343): avc: denied { execute } for pid=76313 comm="network" name="resolvectl" dev="dm-0" ino=42505695 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.817:2344): avc: denied { execute_no_trans } for pid=76314 comm="network" path="/usr/bin/resolvectl" dev="dm-0" ino=42505695 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:35 2024 type=AVC msg=audit(1713972755.817:2345): avc: denied { map } for pid=76314 comm="resolvectl" path="/usr/bin/resolvectl" dev="dm-0" ino=42505695 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:37 2024 type=AVC msg=audit(1713972757.829:2366): avc: denied { execute } for pid=76371 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:37 2024 type=AVC msg=audit(1713972757.829:2367): avc: denied { execute_no_trans } for pid=76371 comm="rpc-virtnetwork" path="/etc/libvirt/hooks/network" dev="dm-0" ino=249174 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:37 2024 type=AVC msg=audit(1713972757.829:2368): avc: denied { execute } for pid=76371 comm="rpc-virtnetwork" name="bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 ---- time->Wed Apr 24 11:32:37 2024 type=AVC msg=audit(1713972757.830:2369): avc: denied { map } for pid=76371 comm="network" path="/usr/bin/bash" dev="dm-0" ino=42419819 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 Converting those failures to a selinux policy module, it looks like: # ausearch -m avc -ts recent | audit2allow -m libvirt_network module libvirt_network 1.0; require { type virtnetworkd_t; type virt_etc_rw_t; type bin_t; type shell_exec_t; class file { execute execute_no_trans map }; } #============= virtnetworkd_t ============== allow virtnetworkd_t bin_t:file { execute execute_no_trans }; #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow virtnetworkd_t bin_t:file map; allow virtnetworkd_t shell_exec_t:file execute; #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' allow virtnetworkd_t shell_exec_t:file map; allow virtnetworkd_t virt_etc_rw_t:file { execute execute_no_trans }; Reproducible: Always Steps to Reproduce: 1. Install libvirt-daemon, libvirt-client on Fedora 40 2. Create /etc/libvirt/hooks/ directory, put a shell script in that directory (it can just run /bin/true, the error is running it) 3. Try to bring up the default network: "virsh net-start default" Actual Results: # virsh net-start default error: Failed to start network default error: Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network default start begin -) unexpected exit status 126: libvirt: error : cannot execute binary /etc/libvirt/hooks/network: Permission denied Expected Results: # virsh net-start default Network default started $ rpm -q libvirt-daemon libvirt-daemon-10.1.0-1.fc40.x86_64 $ rpm -q selinux-policy-targeted selinux-policy-targeted-40.16-1.fc40.noarch $ matchpathcon /etc/libvirt/hooks/network /etc/libvirt/hooks/network system_u:object_r:virt_etc_rw_t:s0 I've performed a 'restorecon -rv /etc', which didn't solve anything.
I forgot to mention, /etc/libvirt/hooks/network isn't part of the package, but it is a supported configuration described in https://www.libvirt.org/hooks.html
Is this is something that can be resolved by libvirt maintainers, or do we need to have this moved to the selinux-policy package maintainers?
Re-assigning since selinux-policy has had major changes in this release, so likely a regression there. Nothing on the libvirt side changed how we invoke hooks
I have the same issue on Fedora 40: # virsh net-start internal error: Failed to start network internal error: Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network.d/00-nat.sh internal start begin -) unexpected exit status 126: libvirt: error : cannot execute binary /etc/libvirt/hooks/network.d/00-nat.sh: Permission denied # ls -lZ /etc/libvirt/hooks/network.d/00-nat.sh -rwx------. 1 root root system_u:object_r:virt_etc_rw_t:s0 490 Apr 24 2023 /etc/libvirt/hooks/network.d/00-nat.sh # sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing daemon-init from execute access on the file /etc/libvirt/hooks/network.d/00-nat.sh. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that daemon-init should be allowed execute access on the 00-nat.sh file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'daemon-init' --raw | audit2allow -M my-daemoninit # semodule -X 300 -i my-daemoninit.pp Additional Information: Source Context system_u:system_r:virtnetworkd_t:s0 Target Context system_u:object_r:virt_etc_rw_t:s0 Target Objects /etc/libvirt/hooks/network.d/00-nat.sh [ file ] Source daemon-init Source Path daemon-init Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-40.20-1.fc40.noarch Local Policy RPM selinux-policy-targeted-40.20-1.fc40.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora Platform Linux fedora 6.8.9-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 2 18:59:06 UTC 2024 x86_64 Alert Count 6 First Seen 2024-05-23 02:04:42 +04 Last Seen 2024-05-23 03:17:38 +04 Local ID b3eaa6ff-0f72-4033-8cfe-6a75e0b8290b Raw Audit Messages type=AVC msg=audit(1716419858.517:600): avc: denied { execute } for pid=44939 comm="rpc-virtnetwork" name="00-nat.sh" dev="dm-1" ino=67775802 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file permissive=0 Hash: daemon-init,virtnetworkd_t,virt_etc_rw_t,file,execute # virsh version Compiled against library: libvirt 10.1.0 Using library: libvirt 10.1.0 Using API: QEMU 10.1.0 Running hypervisor: QEMU 8.2.2
*** Bug 2279956 has been marked as a duplicate of this bug. ***
Unfortunately, I was unable to reproduce the original issue, I guess something more than in this bz and in https://issues.redhat.com/browse/RHEL-41168 is needed to set up. However, I created a policy draft [1]. Can you test the coprbuild [2] in rawhide if this is sufficient? Note relabeling is needed and the virt_hooks_unconfined boolean needs to be turned on: restorecon -Rv /etc/libvirt/hooks setsebool virt_hooks_unconfined on [1] https://github.com/fedora-selinux/selinux-policy/pull/2195 [2] https://dashboard.packit.dev/results/copr-builds/1679959
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc
FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.