Bug 2456505 - SELinux is preventing rpc-virtnetwork from execute access on the file /etc/libvirt/hooks/network.d/00-nat.sh.
Summary: SELinux is preventing rpc-virtnetwork from execute access on the file /etc/li...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 43
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-04-08 12:05 UTC by a.savchuk
Modified: 2026-04-08 12:05 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description a.savchuk 2026-04-08 12:05:16 UTC
Description of problem:

SELinux is preventing rpc-virtnetwork from execute access on the file /etc/libvirt/hooks/network.d/00-nat.sh.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow virt to hooks unconfined
Then you must tell SELinux about this by enabling the 'virt_hooks_unconfined' boolean.

Do
setsebool -P virt_hooks_unconfined 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that rpc-virtnetwork should be allowed execute access on the 00-nat.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpc-virtnetwork' --raw | audit2allow -M my-rpcvirtnetwork
# semodule -X 300 -i my-rpcvirtnetwork.pp


Additional Information:
Source Context                system_u:system_r:virtnetworkd_t:s0
Target Context                system_u:object_r:virt_hook_t:s0
Target Objects                /etc/libvirt/hooks/network.d/00-nat.sh [ file ]
Source                        rpc-virtnetwork
Source Path                   rpc-virtnetwork
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-43.4-2.fc43.noarch
Local Policy RPM              selinux-policy-targeted-43.4-2.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.19.10-200.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 25 16:09:19 UTC 2026
                              x86_64
Alert Count                   6
First Seen                    2026-04-08 13:43:02 +04
Last Seen                     2026-04-08 15:48:04 +04
Local ID                      2a2fbec7-0975-4dff-9028-c79c86eefc8c

Raw Audit Messages
type=AVC msg=audit(1775648884.444:234): avc:  denied  { execute } for  pid=6509 comm="rpc-virtnetwork" name="00-nat.sh" dev="dm-1" ino=67530775 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0


Hash: rpc-virtnetwork,virtnetworkd_t,virt_hook_t,file,execute


Version-Release number of selected component (if applicable):

selinux-policy-43.4-2.fc43.noarch
selinux-policy-targeted-43.4-2.fc43.noarch

libvirt-11.6.0-3.fc43.x86_64

How reproducible: always

Steps to Reproduce:
1. Add some hook to /etc/libvirt/hooks/network.d/
2. Start the affected libvirt network
3. Enjoy

Actual results: libvirt network cannot start due to selinux policy

Expected results: libvirt network is started successfully

Additional info:

# ls -laZ /etc/libvirt/hooks/network.d/
total 4
drwx------. 2 root root system_u:object_r:virt_hook_t:s0  23 Mar 27 23:37 .
drwx------. 3 root root system_u:object_r:virt_hook_t:s0  23 Mar 27 23:34 ..
-rwx------. 1 root root system_u:object_r:virt_hook_t:s0 486 Mar 27 23:37 00-nat.sh
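
Added example (not part of this report and not selinux-policy or libvirt code): a POSIX shell script that rebuilds the sealert "Hash:" key from a raw AVC record and turns one or more records into a .te source that can be read before it is compiled and loaded, which is the step the `ausearch | audit2allow -M | semodule -i` pipeline skips. The sample records are constructed in the script: the first is the one quoted in this report, the second is a hypothetical follow-on `execute_no_trans` denial on the same file, used only to show how rules for the same source/target/class are merged.

```shell
#!/bin/sh
# Constructed sample input. AVC_LOG is the record from this report; AVC_LOG2 is
# hypothetical (a plausible next denial once execute is allowed) and is only here
# to exercise the merging logic.
AVC_LOG='type=AVC msg=audit(1775648884.444:234): avc:  denied  { execute } for  pid=6509 comm="rpc-virtnetwork" name="00-nat.sh" dev="dm-1" ino=67530775 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0'
AVC_LOG2='type=AVC msg=audit(1775648884.445:235): avc:  denied  { execute_no_trans } for  pid=6509 comm="rpc-virtnetwork" path="/etc/libvirt/hooks/network.d/00-nat.sh" dev="dm-1" ino=67530775 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0'

# avc_hash LINE -> "comm,source_type,target_type,tclass,perms"
# This is the same key setroubleshoot prints as "Hash:" for a single-permission
# denial; multiple permissions are joined with spaces.
avc_hash() {
    printf '%s\n' "$1" | awk '
    {
        comm = ""; s = ""; t = ""; cls = ""; perms = ""
        # the denied permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }   # user:role:TYPE:level
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        printf "%s,%s,%s,%s,%s\n", comm, s, t, cls, perms
    }'
}

# avc_te_rule LINE -> the single allow rule that would permit exactly this denial
avc_te_rule() {
    avc_hash "$1" | awk -F, '{ printf "allow %s %s:%s { %s };\n", $2, $3, $4, $5 }'
}

# avc_te_module NAME LINE... -> complete .te source: module header, require block,
# and one allow rule per (source, target, class) with the permissions merged.
avc_te_module() {
    name=$1; shift
    for line in "$@"; do avc_hash "$line"; done | awk -F, -v name="$name" '
    {
        types[$2] = 1; types[$3] = 1
        if (!(($4, $5) in cseen)) { cperms[$4] = cperms[$4] " " $5; cseen[$4, $5] = 1 }
        key = $2 " " $3 ":" $4
        if (!((key, $5) in rseen)) { rperms[key] = rperms[key] " " $5; rseen[key, $5] = 1 }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types)  printf "    type %s;\n", t
        for (c in cperms) printf "    class %s {%s };\n", c, cperms[c]
        printf "}\n\n"
        for (k in rperms) printf "allow %s {%s };\n", k, rperms[k]
    }'
}

# Stand-alone demonstration: print the hash, the single rule, then the merged module.
avc_hash "$AVC_LOG"
avc_te_rule "$AVC_LOG"
avc_te_module my-rpcvirtnetwork "$AVC_LOG" "$AVC_LOG2"
```

Save the module output as my-rpcvirtnetwork.te, review it, then build and load it with `checkmodule -M -m -o my-rpcvirtnetwork.mod my-rpcvirtnetwork.te`, `semodule_package -o my-rpcvirtnetwork.pp -m my-rpcvirtnetwork.mod` and `semodule -X 300 -i my-rpcvirtnetwork.pp`. The difference from the first suggestion in the report, `setsebool -P virt_hooks_unconfined 1`, is scope: the module grants only the listed permissions between virtnetworkd_t and virt_hook_t, whereas the boolean changes how every libvirt hook script is confined. Expect that allowing `execute` alone may surface further denials (the second constructed record is the kind to expect); collect them with `ausearch -m AVC -c rpc-virtnetwork --raw`, feed each line to the functions above, and rebuild the module rather than loosening the whole domain.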

