Description of problem:

Souhrn:

SELinux is preventing libvirtd (virtd_t) "sigkill" to <Neznámé> (dnsmasq_t).

Podrobný popis:

SELinux denied access requested by libvirtd. It is not expected that this access is required by libvirtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                system_u:system_r:virtd_t
Kontext cíle                  system_u:system_r:dnsmasq_t
Objekty cíle                  None [ process ]
Zdroj                         libvirtd
Cesta zdroje                  /usr/sbin/libvirtd
Port                          <Neznámé>
Počítač                       hubmaier.ceplovi.cz
RPM balíčky zdroje            libvirt-0.4.1-2.fc9
RPM balíčky cíle
RPM politiky                  selinux-policy-3.3.1-10.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall
Název počítače                hubmaier.ceplovi.cz
Platforma                     Linux hubmaier.ceplovi.cz 2.6.25-0.90.rc3.git5.fc9 #1 SMP Tue Mar 4 20:19:33 EST 2008 x86_64 x86_64
Počet uporoznění              2
Poprvé viděno                 Út 4. březen 2008, 14:41:23 CET
Naposledy viděno              St 5. březen 2008, 09:58:41 CET
Místní ID                     406e1f6e-0312-4426-9d18-5c361bd9b1df
Čísla řádků

Původní zprávy auditu

host=hubmaier.ceplovi.cz type=AVC msg=audit(1204707521.220:14): avc: denied { sigkill } for pid=2793 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1204707521.220:14): arch=c000003e syscall=62 success=no exit=-13 a0=ae8 a1=9 a2=a a3=0 items=0 ppid=2741 pid=2793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0 key=(null)

("Neznámé" is "Unknown" in Czech).

Version-Release number of selected component (if applicable):
dnsmasq-2.41-0.8.fc9.x86_64
libvirt-0.4.1-2.fc9.x86_64
selinux-policy-targeted-3.3.1-11.fc9.noarch
How did you get this error, i.e. how to reproduce the problem? Any idea?

Daniel
Dan, can you add ability for libvirtd to send KILL/TERM to dnsmasq to the SELinux policy, because we spawn / kill dnsmasq processes from libvirtd to provide DHCP/DNS services.
(In reply to comment #1)
> How did you get this error, i.e. how to reproduce the problem? Any idea?

Hi, Daniel, nothing special, just restarted my computer with libvirtd service on, and then filed (as usual) everything in sealert here. Notice that I haven't even started any virtual machine on the computer.
Fixed in selinux-policy-3.3.1-11.fc9
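Added example, not part of the original thread and not libvirt or selinux-policy code: a small Python triage script that pairs the AVC and SYSCALL records from the report by audit event ID, decodes the denied system call, and derives the type-enforcement rule the AVC corresponds to. The function names are hypothetical, the SYSCALL record is trimmed of its uid/gid fields, and the syscall decoding assumes x86_64 (arch=c000003e), where syscall 62 is kill(2).

```python
import errno
import re
import signal

# Records copied from the report above (host= prefix and uid/gid fields trimmed).
RECORDS = [
    'type=AVC msg=audit(1204707521.220:14): avc: denied { sigkill } for pid=2793 '
    'comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1204707521.220:14): arch=c000003e syscall=62 success=no '
    'exit=-13 a0=ae8 a1=9 a2=a a3=0 items=0 ppid=2741 pid=2793 comm="libvirtd" '
    'exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0 key=(null)',
]
HEAD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    rtype, stamp, serial, body = HEAD.search(line).groups()
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec.update(type=rtype, event=(stamp, int(serial)))
    perms = re.search(r'\{ ([^}]*) \}', body)   # permission list, AVC records only
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec

def correlate(lines):
    """Group records that share the same audit event (timestamp, serial)."""
    events = {}
    for rec in map(parse, lines):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events

def allow_rule(avc):
    """Type-enforcement rule matching the denial (type is the 3rd context field)."""
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm};"

def describe_kill(sc):
    """Decode a denied kill(2); a0..a3 are hexadecimal in SYSCALL records."""
    if sc["arch"] != "c000003e" or sc["syscall"] != "62":
        return None                              # only x86_64 kill(2) handled here
    pid, sig = int(sc["a0"], 16), signal.Signals(int(sc["a1"], 16))
    return f"kill({pid}, {sig.name}) = -{errno.errorcode[-int(sc['exit'])]}"

if __name__ == "__main__":
    for event in correlate(RECORDS).values():
        print(describe_kill(event["SYSCALL"]), "->", allow_rule(event["AVC"]))
```

The derived rule covers only the sigkill permission that was logged; the TERM signal also requested in the thread is checked under the separate process permission "signal".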