Bug 2316474 - SELinux is preventing pool-libvirt-db from 'connectto' accesses on the unix_stream_socket /run/libvirt/libvirt-sock.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cb0318cda54f879b379087ce756...
Duplicates: 2326834
Depends On:
Blocks:
Reported: 2024-10-04 14:20 UTC by Michael
Modified: 2024-11-24 00:30 UTC (History)
CC: 12 users

Fixed In Version: selinux-policy-41.26-1.fc41
Clone Of:
Environment:
Last Closed: 2024-11-22 03:21:39 UTC
Type: ---
Embargoed:


Attachments
description (2.32 KB, text/plain), 2024-10-04 14:20 UTC, Michael
os_info (756 bytes, text/plain), 2024-10-04 14:20 UTC, Michael


Links
GitHub fedora-selinux/selinux-policy pull 2434 (Draft): Allow virtd_t connect to virtqemud_t over a unix stream socket (last updated 2024-11-14 22:26:14 UTC)

Description Michael 2024-10-04 14:20:31 UTC
Description of problem:
Opening "Virtual Machines" in cockpit
SELinux is preventing pool-libvirt-db from 'connectto' accesses on the unix_stream_socket /run/libvirt/libvirt-sock.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.

Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that pool-libvirt-db should be allowed connectto access on the libvirt-sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pool-libvirt-db' --raw | audit2allow -M my-poollibvirtdb
# semodule -X 300 -i my-poollibvirtdb.pp

Additional Information:
Source Context                system_u:system_r:virt_dbus_t:s0
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                /run/libvirt/libvirt-sock [ unix_stream_socket ]
Source                        pool-libvirt-db
Source Path                   pool-libvirt-db
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.19-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.19-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.11.0-63.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sun Sep 15 17:48:54 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-10-04 16:19:41 CEST
Last Seen                     2024-10-04 16:19:41 CEST
Local ID                      1ba75b70-4fd6-4ef2-8c06-950eeb54cf09

Raw Audit Messages
type=AVC msg=audit(1728051581.252:5228): avc:  denied  { connectto } for  pid=448937 comm="pool-libvirt-db" path="/run/libvirt/libvirt-sock" scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: pool-libvirt-db,virt_dbus_t,virtd_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-targeted-41.19-1.fc41.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing pool-libvirt-db from 'connectto' accesses on the unix_stream_socket /run/libvirt/libvirt-sock.
package:        selinux-policy-targeted-41.19-1.fc41.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.11.0-63.fc41.x86_64
comment:        Opening "Virtual Machines" in cockpit
component:      selinux-policy

Comment 1 Michael 2024-10-04 14:20:34 UTC
Created attachment 2050396 [details]
File: description

Comment 2 Michael 2024-10-04 14:20:35 UTC
Created attachment 2050397 [details]
File: os_info

Comment 3 Yosuke Matsumura 2024-10-10 17:31:55 UTC
I am also having this issue in Fedora 41 beta. Looks like this might have been fixed at one point, but has regressed:  https://bugzilla.redhat.com/show_bug.cgi?id=2297965 

My system currently has:
selinux-policy-41.20-1.fc41.noarch
selinux-policy-targeted-41.20-1.fc41.noarch

Comment 4 Christopher Klooz 2024-11-14 15:19:07 UTC
I just upgraded from F40 to F41 (KDE Spin), and now I experience this issue in relation to SELinux-confined user accounts, although once provoked, it seems removing the confinement no longer "repairs" the issue (even if the accounts are logged out and re-logged in between tests, while at the same time related services are restarted with systemctl between tests).

By default, I have one account with which I log into the KDE GUI (sysadm_u) in order to then open Firefox and open the web interface of cockpit in this Firefox. I then use another account (user_u) to log into cockpit within the given Firefox.

On F40, this worked properly. After doing some testing with the current issue, the issue felt a little odd, and that's why I started to test exactly which accounts can be confined and which not (one by one), and how the system behaved. I might start elaborating from a system that is in the beginning (and on boot) unconfined (__default__ and root and all user accounts that are somehow involved are unconfined_u on boot):

This way, the category "Virtual machines" seems to work within cockpit (so, cockpit-machines works).

I then added again the sysadm_u to my GUI-account in which I work, and then restarted with systemctl both libvirtd and cockpit (just to be sure). I logged out and logged in again in my KDE-GUI.

Now I repeated the test, and even if my GUI account is sysadm_u, everything worked fine (so far as expected).

Then, I changed the account that I use to log into cockpit's webinterface to user_u. Again, I used systemctl to restart cockpit and libvirtd before testing.

Now, I had to log in again in the web interface (due to the restart of cockpit), and now the issue occurred: "No VM is running or defined on this host" although `virt-manager` confirms all machines are still there.

The only logged denial around the very time is:
```
type=USER_AVC msg=audit(11/14/2024 15:44:04.165:527) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
```

However, if I change this account back from user_u to unconfined_u and again restart cockpit and libvirtd (so that I have to subsequently login again in the webinterface), it still no longer works during this boot (= "No VM is running or defined on this host"), but now with a different denial log:
```
type=AVC msg=audit(11/14/2024 15:47:13.809:635) : avc:  denied  { connectto } for  pid=5750 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
```

It seems that once the issue with user_u is provoked, something is broken/changed in a way that the behavior remains, even if the log changes (the latter log seems to correspond to what this ticket is about).

My QEMU/KVM is configured for qemu:///system.

The time I can invest at the moment is limited, but feel free to let me know if I shall test something specific or provide some specific logs.

For the sake of completeness, please find below the full list of all denials that occurred during the boot (keep in mind that I provoked some of the above issues multiple times). The list is an extract of the output of `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today` while I extracted the times of the very boot 0 according to the boot time of `journalctl --list-boots`:
```
type=AVC msg=audit(11/14/2024 15:28:14.984:192) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:14.998:193) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.016:194) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.031:195) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.047:196) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.063:197) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.179:198) : avc:  denied  { read write } for  pid=3113 comm=wireplumber name=media0 dev="devtmpfs" ino=1183 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:15.179:199) : avc:  denied  { read write } for  pid=3113 comm=wireplumber name=media1 dev="devtmpfs" ino=1219 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 15:28:24.500:217) : avc:  denied  { setsched } for  pid=1939 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=USER_AVC msg=audit(11/14/2024 15:30:35.976:468) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/14/2024 15:31:21.936:480) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/14/2024 15:35:11.652:492) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/14/2024 15:43:03.322:514) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/14/2024 15:44:04.165:527) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(11/14/2024 15:46:15.217:621) : avc:  denied  { connectto } for  pid=5750 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=AVC msg=audit(11/14/2024 15:47:13.809:635) : avc:  denied  { connectto } for  pid=5750 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=AVC msg=audit(11/14/2024 15:49:33.331:657) : avc:  denied  { connectto } for  pid=5750 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
```

Comment 5 Christopher Klooz 2024-11-14 19:19:23 UTC
Without making any other changes compared to the last test, I just put __default__ back to user_u and set both my GUI account and the account I log into in the cockpit webinterface to sysadm_u, and then rebooted.

The following log is the whole log from the boot with this confinement configuration, in which I just logged in, logged into Cockpit through Firefox, and opened immediately the "Virtual Machines" page:

```
type=AVC msg=audit(11/14/2024 20:08:23.371:140) : avc:  denied  { search } for  pid=2077 comm=hostname name=net dev="proc" ino=9219 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(11/14/2024 20:08:23.371:141) : avc:  denied  { search } for  pid=2077 comm=hostname name=net dev="proc" ino=9219 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:24.835:167) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.334:172) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.672:174) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.672:175) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.673:176) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.677:177) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:25.767:178) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_dbusd_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:55.554:191) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:08:55.555:192) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:09:25.526:194) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=SELINUX_ERR msg=audit(11/14/2024 20:09:25.526:195) : op=security_sid_mls_copy invalid_context=user_u:user_r:user_t:s0-s0:c0.c1023 
----
type=AVC msg=audit(11/14/2024 20:09:34.943:221) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:34.960:222) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:34.973:223) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:34.988:224) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:35.004:225) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:35.016:226) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:35.236:227) : avc:  denied  { read write } for  pid=2777 comm=wireplumber name=media0 dev="devtmpfs" ino=1009 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:09:35.236:228) : avc:  denied  { read write } for  pid=2777 comm=wireplumber name=media1 dev="devtmpfs" ino=1012 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:10:36.842:329) : avc:  denied  { setsched } for  pid=1803 comm=rtkit-daemon scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=process permissive=0 
----
type=USER_AVC msg=audit(11/14/2024 20:11:37.123:376) : pid=1794 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(11/14/2024 20:11:37.184:377) : avc:  denied  { read } for  pid=5440 comm=daemon-init name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:39.023:378) : avc:  denied  { read } for  pid=5440 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:39.441:379) : avc:  denied  { create } for  pid=5587 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:39.446:380) : avc:  denied  { create } for  pid=5642 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:39.452:381) : avc:  denied  { read write } for  pid=5642 comm=qemu-system-i38 name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:39.453:382) : avc:  denied  { create } for  pid=5642 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:40.899:384) : avc:  denied  { read } for  pid=5440 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:41.194:386) : avc:  denied  { create } for  pid=5716 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:41.198:387) : avc:  denied  { create } for  pid=5726 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:41.208:388) : avc:  denied  { read write } for  pid=5726 comm=qemu-system-x86 name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:41.209:389) : avc:  denied  { create } for  pid=5726 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0 
----
type=AVC msg=audit(11/14/2024 20:11:41.905:390) : avc:  denied  { read } for  pid=5440 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1003 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0 
```

The behavior is the same: "No VM is running or defined on this host" -> but the denials differ again.

The click on "login" in cockpit, which subsequently opened directly the VM page, was around ~20:11:40 +/-1 second.

Comment 6 Christopher Klooz 2024-11-15 17:53:30 UTC
Thanks for taking care so quickly Zdenek.

I updated to selinux-policy-41.25-1.fc41 today (not sure if the changelog implies that this update already aims to fix BZ#2316474?), rebooted, and did some testing around different confinements.

At the moment, the confinement of __default__ and the user account I use to log into KDE and open Firefox seem not relevant (as expected). I think before the update, this was different, but I am no longer 100% sure tbh (I think __default__ confinement could in one test configuration break the virtual machine list even if the other accounts were unconfined, which made me wonder and play these games of different confinements above - anyway, I can no longer reproduce this at least after the update).

However, now, once I add any confinement to the account that I use to log into the cockpit web interface (even sysadm_u), the virtual machine list breaks, and it remains broken until the next reboot, as in yesterday's test: even when I then unconfine it again and restart libvirtd & cockpit (which also forces a re-login of the very account), it remains broken. I need to reboot after unconfining it. This is always reproducible. Comparable to yesterday, ...

... everything works if there is no confinement on the cockpit webinterface account, and once I confine it and restart services, logging into cockpit (I log directly in the virtual machines page that shall contain the VM list) leads to the virtual machine list being broken with this denial:
```
type=USER_AVC msg=audit(11/15/2024 18:40:45.829:987) : pid=2545 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=AVC msg=audit(11/15/2024 18:40:45.913:988) : avc:  denied  { read } for  pid=33301 comm=daemon-init name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:46.409:989) : avc:  denied  { read } for  pid=33301 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:46.458:990) : avc:  denied  { create } for  pid=33470 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:46.462:991) : avc:  denied  { create } for  pid=33474 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:46.467:992) : avc:  denied  { read write } for  pid=33474 comm=qemu-system-i38 name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:46.468:993) : avc:  denied  { create } for  pid=33474 comm=qemu-system-i38 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.274:994) : avc:  denied  { read } for  pid=33301 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.295:995) : avc:  denied  { create } for  pid=33539 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.298:996) : avc:  denied  { create } for  pid=33544 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.302:997) : avc:  denied  { read write } for  pid=33544 comm=qemu-system-x86 name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.303:998) : avc:  denied  { create } for  pid=33544 comm=qemu-system-x86 anonclass=[io_uring] scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
----
type=AVC msg=audit(11/15/2024 18:40:47.729:1000) : avc:  denied  { read } for  pid=33301 comm=rpc-virtqemud name=kvm dev="devtmpfs" ino=1007 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
```

... and subsequently, when I unconfine the account again and then restart all services (and subsequently re-login into cockpit directly to the VM page), the virtual machine list remains broken, but with this denial:
```
type=AVC msg=audit(11/15/2024 18:41:43.255:1095) : avc:  denied  { connectto } for  pid=5599 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
```

After rebooting, it works fine again as long as it does not get confined during the boot.

Just some confirmation, in case that is useful. As mentioned, the denials are now already with selinux-policy-41.25-1.fc41.

Feel free to let me know when the github commit reaches bodhi, then I can test it and see if it changes the behavior.

Comment 7 Fedora Update System 2024-11-20 12:50:13 UTC
FEDORA-2024-ee068c46d3 (selinux-policy-41.26-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-ee068c46d3

Comment 8 Fedora Update System 2024-11-20 17:13:41 UTC
FEDORA-2024-ee068c46d3 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ee068c46d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ee068c46d3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Christopher Klooz 2024-11-21 12:13:24 UTC
I have updated to selinux-policy-41.26-1.fc41, rebooted, and verified my last test: I expect the issue of this ticket is solved, but mine remains.

When I set the user account which I use to log into cockpit within Firefox to "user_u", the problem I have had since upgrading to F41 remains. However, when I set that user account back to unconfined_u, I no longer need to reboot: above, the issue remained until the next reboot while the denial changed to the "comm=pool-libvirt-db path=/run/libvirt/libvirt-sock" denial. The "comm=pool-libvirt-db path=/run/libvirt/libvirt-sock" denial has disappeared, and thus it is now no longer necessary to reboot after resetting that user account to unconfined_u after a user_u attempt.

Here is the remaining related denial:
```
type=USER_AVC msg=audit(11/21/2024 12:42:16.171:450) : pid=1754 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
```

This is the denial that takes place after I attempted to log in and access the virtual machine list (as before, the list remains broken with "No VM is running or defined on this host") on a boot that had the account for cockpit login in user_u. Once I changed it back to unconfined_u, no further denial appeared and I could log in to cockpit and see the virtual machine list again -> no "comm=pool-libvirt-db path=/run/libvirt/libvirt-sock" denial that forced me to reboot :)

So, this ticket seems to be solved as far as I can reproduce it, but I need to open a new one about the "uid=dbus auid=unset" issue that remains.
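
An added triage helper (example code written for this page, not part of the bug report or of selinux-policy) that reads `ausearch -i` style records like the ones quoted in Comments 4 and 9, reduces each denial to the comm,source type,target type,class,permission key setroubleshoot prints on its Hash: line, and tells the virt_dbus_t -> virtd_t connectto denial fixed by selinux-policy-41.26-1.fc41 apart from the dbus send_msg denial that Comment 9 reports as remaining. The sample records are constructed for the example, and the `?` placeholder for comm on USER_AVC records and the comma-joined permission list are this example's own conventions.

```python
"""Group SELinux denials from `ausearch -i` output by their setroubleshoot-style
hash key and flag the two distinct denials discussed in this bug."""
import re
from collections import Counter

# Constructed sample modelled on the records quoted in Comment 4 (not a real capture).
SAMPLE_LOG = """\
type=AVC msg=audit(11/14/2024 15:46:15.217:621) : avc:  denied  { connectto } for  pid=5750 comm=pool-libvirt-db path=/run/libvirt/libvirt-sock scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=USER_AVC msg=audit(11/14/2024 15:44:04.165:527) : pid=1930 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
----
type=AVC msg=audit(11/14/2024 15:28:15.179:198) : avc:  denied  { read write } for  pid=3113 comm=wireplumber name=media0 dev="devtmpfs" ino=1183 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
"""

# "{ connectto }" or "{ read write }": the denied permission list.
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
# key=value fields; values are unquoted in -i output and quoted in raw output.
FIELD_RE = re.compile(r"""\b(comm|scontext|tcontext|tclass|permissive)=("?)([^"\s']+)\2""")


def parse_record(text):
    """Parse one AVC/USER_AVC record; return None for anything that is not a denial."""
    m = DENIED_RE.search(text)
    if m is None:
        return None
    fields = {key: value for key, _quote, value in FIELD_RE.findall(text)}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": tuple(m.group(1).split()),
        "comm": fields.get("comm", "?"),   # USER_AVC records from dbus-broker carry no comm=
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def parse_log(text):
    """Split `ausearch -i` output on its ---- separators and parse every denial."""
    records = []
    for chunk in re.split(r"^-{4,}\s*$", text, flags=re.MULTILINE):
        rec = parse_record(chunk)
        if rec is not None:
            records.append(rec)
    return records


def type_of(context):
    """Type field of a context, e.g. virtd_t from system_u:system_r:virtd_t:s0-s0:c0.c1023."""
    return context.split(":")[2]


def hash_key(rec):
    """comm,source type,target type,class,permissions: the shape of setroubleshoot's Hash: line."""
    return ",".join([rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
                     rec["tclass"], ",".join(rec["perms"])])


def is_this_bug(rec):
    """The denial this bug is about: virt_dbus_t connecting to virtd_t's unix stream socket."""
    return (type_of(rec["scontext"]) == "virt_dbus_t"
            and type_of(rec["tcontext"]) == "virtd_t"
            and rec["tclass"] == "unix_stream_socket"
            and "connectto" in rec["perms"])


def is_dbus_send_msg_to_virt_dbus(rec):
    """The separate D-Bus send_msg denial that Comment 9 reports as still present."""
    return (rec["tclass"] == "dbus" and "send_msg" in rec["perms"]
            and type_of(rec["tcontext"]) == "virt_dbus_t")


def summarize(text):
    """Count denials per hash key so the repeated records in a boot collapse to one line each."""
    return Counter(hash_key(rec) for rec in parse_log(text))


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {key}")
    print("this bug:", [hash_key(r) for r in parse_log(SAMPLE_LOG) if is_this_bug(r)])
    print("remaining dbus denial:",
          [hash_key(r) for r in parse_log(SAMPLE_LOG) if is_dbus_send_msg_to_virt_dbus(r)])
```

Feed it the output of the `ausearch -i -m avc,user_avc,selinux_err,user_selinux_err` command from Comment 4 to see at a glance whether a given boot still contains the connectto denial after the update.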

Comment 10 Fedora Update System 2024-11-22 03:21:39 UTC
FEDORA-2024-ee068c46d3 (selinux-policy-41.26-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Tony 2024-11-24 00:30:21 UTC
*** Bug 2326834 has been marked as a duplicate of this bug. ***
