Bug 2291304 - Selinux prevents libvirt virtproxy to send dbus messages
Summary: Selinux prevents libvirt virtproxy to send dbus messages
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-06-11 12:24 UTC by Olivier Samyn
Modified: 2024-06-25 02:26 UTC (History)
CC: 7 users

Fixed In Version: selinux-policy-40.23-1.fc40
Clone Of:
Environment:
Last Closed: 2024-06-25 02:26:50 UTC
Type: Bug
Embargoed:




Links
System: Github fedora-selinux selinux-policy pull; ID: 2176; Status: open; Summary: Allow virt_driver_domain dbus chat with policykit; Last Updated: 2024-06-17 15:32:21 UTC

Description Olivier Samyn 2024-06-11 12:24:47 UTC
Description of problem:
I'm using the tofu (terraform) libvirt plugin to locally test deployments.
After upgrading to Fedora 40, I got the following AVC error:

type=AVC msg=audit(1718108318.143:806): avc:  denied  { write } for  pid=33218 comm="rpc-virtproxyd" name="io.systemd.Machine" dev="tmpfs" ino=1865 scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0

I solved the issue with the following SELinux module (generated with audit2allow):

module libvirt 1.0;

require {
        type policykit_t;
        type virtproxyd_t;
        class dbus send_msg;
}

#============= virtproxyd_t ==============
allow virtproxyd_t policykit_t:dbus send_msg;



Version-Release number of selected component (if applicable):

selinux-policy-40.20-1.fc40.noarch
selinux-policy-targeted-40.20-1.fc40.noarch
libvirt-daemon-10.1.0-1.fc40.x86_64

Comment 1 Olivier Samyn 2024-06-11 12:26:41 UTC
Sorry for this, I did not copy the correct AVC line; here is the relevant one:

type=USER_AVC msg=audit(1718107457.880:794): pid=1365 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

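Added example, not code from this bug report, from the reporter, or from the selinux-policy project: a small POSIX sh stand-in for the part of audit2allow that turns audit records into allow rules and wraps them in a loadable module source (.te). The function names sample_avcs, avc_to_allow and rules_to_te are invented for this illustration; the only input is the two records posted in the description and in comment 1. Running it on both shows that they are two distinct denials, one against a sock_file object and one against the dbus class, so the module posted above covers only the second.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the selinux-policy
# project: a dependency-free stand-in for the part of audit2allow that turns
# AVC / USER_AVC audit records into "allow" rules and wraps them in a
# loadable module source (.te). Needs only POSIX sh, sed, awk and sort;
# no SELinux tooling is required to run it.

# The two audit records quoted in this bug: the sock_file AVC from the
# description and the D-Bus USER_AVC from comment 1. Kernel AVCs carry the
# denial inline; userspace object managers such as dbus-broker log a
# USER_AVC with the same fields inside msg='...'.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1718108318.143:806): avc:  denied  { write } for  pid=33218 comm="rpc-virtproxyd" name="io.systemd.Machine" dev="tmpfs" ino=1865 scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
type=USER_AVC msg=audit(1718107457.880:794): pid=1365 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
EOF
}

# Read audit records on stdin and print one deduplicated rule per denial:
#   allow <source type> <target type>:<class> { <permissions> };
# Contexts are user:role:type[:level]; only the type field is kept. Lines
# that are not "avc: denied" records (including "granted" audits) are ignored.
avc_to_allow() {
    sed -n 's/.*avc:  *denied  *{ *\([^}]*[^} ]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p' |
        sort -u
}

# Wrap allow rules from stdin into a policy module source named $1. Every
# type and every class/permission used in a rule must be declared in the
# require block first, otherwise checkmodule rejects the module.
rules_to_te() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # one "type X;" per distinct source or target type
    printf '%s\n' "$rules" | awk '/^allow/ { split($3, t, ":"); print $2; print t[1] }' |
        sort -u | sed 's/.*/        type &;/'
    # one "class C { perms };" per class, permissions merged across rules
    printf '%s\n' "$rules" | awk -F'[ :{};]+' '
        /^allow/ { for (i = 5; i <= NF; i++) if ($i != "" && !seen[$4, $i]++) perms[$4] = perms[$4] " " $i }
        END { for (c in perms) printf "        class %s {%s };\n", c, perms[c] }' | sort
    printf '}\n\n%s\n' "$rules"
}

# Usage: generate the source, then build and load it with the SELinux tools
# the same way "audit2allow -M" would (these three commands are not run here):
#   sample_avcs | avc_to_allow | rules_to_te libvirt > libvirt.te
#   checkmodule -M -m -o libvirt.mod libvirt.te
#   semodule_package -o libvirt.pp -m libvirt.mod && semodule -i libvirt.pp
sample_avcs | avc_to_allow
```

Once the selinux-policy update carrying the rule is installed, `sesearch -A -s virtproxyd_t -t policykit_t -c dbus` shows it in the base policy and the local module can be dropped again with `semodule -r libvirt`; a local allow rule that is never removed silently widens the domain for every future release.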
Comment 2 Zdenek Pytela 2024-06-13 19:42:01 UTC
Olivier,

Is the first denial also affecting some service?

Comment 3 Olivier Samyn 2024-06-13 20:45:23 UTC
I did not act specifically on the first denial, only on the second one with the proposed SELinux module.
And this does not seem to affect my current use; at least I did not detect any strange behaviour.

Comment 4 Fedora Update System 2024-06-20 18:34:14 UTC
FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3

Comment 5 Fedora Update System 2024-06-21 02:39:34 UTC
FEDORA-2024-2bc43119f3 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-2bc43119f3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-2bc43119f3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2024-06-25 02:26:50 UTC
FEDORA-2024-2bc43119f3 (selinux-policy-40.23-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

