Description of problem:
Sorry, this is probably not the best bug report, but while running a couple of virtual guests (in Permissive mode), I have collected a lot of AVC denials. This is what audit2allow thinks about the attached audit.log file:

[matej@hubmaier ~]$ egrep 'denied.*(virt|kvm)' audit.log |audit2allow

#============= nsplugin_t ==============
allow nsplugin_t virt_etc_rw_t:file read;

#============= staff_t ==============
allow staff_t logrotate_var_lib_t:file { read open };
allow staff_t virt_etc_rw_t:file { read open };
allow staff_t virt_image_t:file { read open };

#============= virtd_t ==============
allow virtd_t admin_home_t:dir { write remove_name add_name setattr };
allow virtd_t admin_home_t:file { read write open lock };
allow virtd_t admin_home_t:lnk_file { read rename create unlink };
allow virtd_t nsplugin_t:process signull;
allow virtd_t pulseaudio_port_t:tcp_socket name_connect;
allow virtd_t pulseaudio_t:process signull;
allow virtd_t self:unix_dgram_socket sendto;
allow virtd_t staff_t:process signull;
allow virtd_t tmp_t:dir { write create add_name };
allow virtd_t tmpfs_t:dir { read write open add_name remove_name };
allow virtd_t tmpfs_t:file { write getattr read create unlink open };
allow virtd_t tmpfs_t:filesystem getattr;
allow virtd_t user_home_t:dir { write add_name };
allow virtd_t user_home_t:file { write read create };
allow virtd_t user_tmpfs_t:file { read getattr unlink open };
[matej@hubmaier ~]$

Version-Release number of selected component (if applicable):
(approximately, they were collected for some time)
libvirt-0.6.2-6.fc11.x86_64
selinux-policy-targeted-3.6.12-28.fc11.noarch
Created attachment 343485 [details] /var/log/audit/audit.log
Please update to the correct policy -34. Also why is qemu not being run in a separate context? qemu_t should not be running under virtd_t, that is the context of the virt daemon. Did you tell libvirt to not use SELinux? Are the files in /usr/bin/qemu* labeled correctly?
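An added example, not code from this report or from the libvirt or selinux-policy projects: a small Python script that does what the reporter's egrep | audit2allow pipeline in the description does, merging matching AVC denials into allow-rule summaries, and that also lists qemu processes whose denials carry the daemon's virtd_t domain, which is the point raised in comment 2. The audit.log records it runs over are constructed, not taken from the attachment.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not the attachment from this report).
SAMPLE_LOG = """\
type=AVC msg=audit(1243000000.101:201): avc:  denied  { read open } for  pid=2345 comm="qemu-kvm" name="f11.img" dev=sda3 ino=1001 scontext=system_u:system_r:virtd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1243000000.102:202): avc:  denied  { write } for  pid=2345 comm="qemu-kvm" name="f11.img" dev=sda3 ino=1001 scontext=system_u:system_r:virtd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1243000000.103:203): avc:  denied  { name_connect } for  pid=2345 comm="qemu-kvm" dest=4713 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:pulseaudio_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1243000000.104:204): avc:  denied  { read open } for  pid=3456 comm="less" name="qemu.conf" dev=sda3 ino=2002 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1243000000.105:205): avc:  denied  { read } for  pid=4567 comm="sshd" name="passwd" dev=sda3 ino=3003 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1243000000.105:205): arch=c000003e syscall=2 success=no exit=-13
"""

def parse_avc(line):
    """Return the pieces of one AVC denial record, or None for any other record."""
    m = re.search(r'avc:\s+denied\s+\{ ([^}]+)\} for ', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm', '').strip('"'),
        'stype': fields['scontext'].split(':')[2],   # source domain, e.g. virtd_t
        'ttype': fields['tcontext'].split(':')[2],   # target type, e.g. virt_image_t
        'tclass': fields['tclass'],
    }

def summarize(log_text, grep=r'denied.*(virt|kvm)'):
    """Merge the denials matching the reporter's egrep into rules keyed by (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line) if re.search(grep, line) else None
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)

def format_rules(rules):
    """Render the rules the way audit2allow prints them (braces only for several permissions)."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        out.append(f"allow {s} {t}:{c} {p};")
    return out

def qemu_in_daemon_domain(log_text):
    """qemu processes whose denials carry the daemon's virtd_t domain instead of their own."""
    recs = (parse_avc(l) for l in log_text.splitlines())
    return sorted({r['comm'] for r in recs if r and r['comm'].startswith('qemu') and r['stype'] == 'virtd_t'})
```

A non-empty result from qemu_in_daemon_domain means the guests were not transitioned out of virtd_t, which on this system turned out to be the security_driver setting in /etc/libvirt/qemu.conf.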
(In reply to comment #2)
> Please update to the correct policy -34.
>
> Also why is qemu not being run in a separate context? qemu_t should not be
> running under virtd_t, that is the context of the virt daemon.
> Are the files in /usr/bin/qemu* labeled correctly?

Couple of observations from around my system:

[root@viklef ~]# ls -Z /usr/bin/qemu*
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-img
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-kvm
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-nbd
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-system-x86_64

This is OK, right?

[root@viklef ~]# rpm -q selinux-policy-targeted
package selinux-policy-targeted is not installed
[root@viklef ~]#

I have no clue how I managed to do that (I am quite sure that I have never removed it intentionally). Actually

[root@viklef ~]# rpm -qa \*selinux\*
libselinux-python-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-28.fc11.noarch
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.i586
libselinux-utils-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.x86_64

It seems like something is missing. And yet:

[root@viklef ~]# package-cleanup --problems
Setting up yum
Loaded plugins: dellsysidplugin2, fastestmirror, presto, remove-with-leaves
Loading mirror speeds from cached hostfile
Excluding Packages in global exclude list
Finished
Excluding Packages in global exclude list
Finished
Reading local RPM database
Processing all local requires
No problems found

Strange. Moreover, I have got again a duplicate policy.* file:

[root@viklef ~]# ls /etc/selinux/targeted/policy/
policy.23  policy.24

Will install missing selinux-policy-targeted package and let you know.

Also:
> Did you tell libvirt to not use SELinux?

Well, I hope I have only whatever was default with Rawhide:

[root@viklef libvirt]# grep -v ^# /etc/libvirt/qemu.conf |grep -v '^\s*$'
security_driver = "none"
[root@viklef libvirt]#
Concerning the release of my policy ... -28 is the latest I get from Rawhide yum upgrades. Isn't there something wrong with releng?
34 was just released so it should be in rawhide shortly.

/etc/libvirt/qemu.conf should have security_driver="selinux"

I have no idea what happened to selinux-policy-targeted, unless some rawhide update got screwed up. You can grab -34 from koji.
OK, so let's call this bug PEBKAC and I will file specific bugs for whatever comes.