Description of problem:
spice-vdagent does not have a selinux policy for (selinux) confined users. If you confine your users, spice-vdagent no longer works.

Version-Release number of selected component (if applicable):

How reproducible:
Always (when confining users)

Steps to Reproduce:
1. Confine your users with selinux, either as a user_u or staff_u
2. Log in via GDM
3. spice-vdagent no longer functions

Actual results:
spice-vdagent no longer functions

Expected results:
spice-vdagent functions with confined (staff_u) users. I assume it will work with user_u, just add in a user_t.

Additional info:
Here is the spice te I generated.

module spice 1.0;

require {
	type staff_t;
	type vdagent_exec_t;
	type vdagent_t;
	type vdagent_log_t;
	type vdagent_var_run_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir { search getattr };
	class file getattr;
}

#============= staff_t ==============
allow staff_t vdagent_exec_t:file getattr;
allow staff_t vdagent_log_t:dir getattr;
allow staff_t vdagent_t:unix_stream_socket connectto;
allow staff_t vdagent_var_run_t:dir search;
allow staff_t vdagent_var_run_t:sock_file write;
-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers
Is this in permissive mode? If not, please switch to permissive mode and collect all AVC msgs and attach them.
@Miroslav - Thank you for your time and attention. Yes, that was with permissive mode and included all the AVC msgs I found. With that spice.te, spice-vdagent is working with selinux in enforcing mode. Note: that module was for staff_u only, I did not test user_u, although I would be willing if you feel it would help.
Ok, I am fixing it.
Fixed in selinux-policy-3.9.16-38.fc15
Thank you. Do you need any testing / te for confining user_u?
Sure it should work for user_u, and xguest_u.
I am so sorry, I thought I had this resolved. The problem was I had left selinux in permissive mode. When I put it into enforcing mode, the module I posted here did not work. I did not see any additional AVC denials in the logs, so I looked for silent denials:

semodule -DB

Still nothing. With selinux in enforcing mode, spice-vdagent fails to start. If I then follow the logs with tail -F /var/log/audit/audit.log and manually start spice-vdagent from the command line, it fails with no errors on the command line and nothing in the logs. If I put selinux into permissive mode then I can again start spice-vdagent.

I can get it to work if I allow the "kitchen sink", i.e. all AVC denials in the logs when I log in, but the resulting local.te has a long list of policies / rules that have to do with things such as pulseaudio and what not.

I am at a dead end, so I am attaching an "everything.te". Obviously this contains a bunch of policy that does not apply to spice-vdagent, including ecryptfs, and a bunch of desktop policy, such as pulseaudio, but if I semodule -i everything.pp then spice-vdagent works when enforcing selinux. I hope some of these rules can help with enforcing users in general, but any suggestions on spice-vdagent would be appreciated.
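The workflow in this thread (run permissive, collect the raw AVC records, turn them into allow rules, load the module) is what audit2allow does; the "everything.te" problem is that feeding it the whole login's worth of denials also produces rules for pulseaudio, ecryptfs and anything else that was denied. The script below is an added example, not code from this report or from the selinux-policy project: it parses AVC records the way audit2allow does and adds a filter on the comm= field (or the source type) so only the denials raised by spice-vdagent become rules. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example (PIDs, inode numbers and the pulseaudio denial are made up), and the generate_te output is a teaching reconstruction of the .te layout, not a replacement for audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample audit.log text for this example (not the attachment from
# the report): three denials from the vdagent path the reporter describes, one
# unrelated pulseaudio denial that an unfiltered "everything.te" would also
# sweep in, and a SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1311011111.123:45): avc:  denied  { search } for  pid=1234 comm="spice-vdagent" name="spice-vdagentd" dev=tmpfs ino=17 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vdagent_var_run_t:s0 tclass=dir
type=AVC msg=audit(1311011111.124:46): avc:  denied  { write } for  pid=1234 comm="spice-vdagent" name="spice-vdagent-sock" dev=tmpfs ino=18 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vdagent_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1311011111.125:47): avc:  denied  { connectto } for  pid=1234 comm="spice-vdagent" path="/var/run/spice-vdagentd/spice-vdagent-sock" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:vdagent_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1311011111.200:48): avc:  denied  { read open } for  pid=1300 comm="pulseaudio" name="asound.conf" dev=dm-0 ino=99 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1311011111.200:48): arch=c000003e syscall=2 success=yes exit=3
"""

# The denied permission set sits in braces; everything else is key=value.
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Parse raw audit.log text into denial records.

    Each record carries the denied permissions, the process name (comm),
    the source and target types, and the target object class.
    """
    denials = []
    for line in log_text.splitlines():
        m = PERMS_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other non-AVC records
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue
        denials.append({
            "perms": set(m.group(1).split()),
            "comm": fields.get("comm", ""),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def fmt_perms(perms):
    """Render one permission bare and several in braces, as a .te expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(denials, module_name, comm=None, source_type=None):
    """Render a policy module source (.te) from denial records.

    comm and source_type restrict which denials become rules, so a module
    for one program does not absorb every other denial seen on the box.
    """
    rules = defaultdict(set)  # (stype, ttype, tclass) -> permissions
    for d in denials:
        if comm is not None and d["comm"] != comm:
            continue
        if source_type is not None and d["stype"] != source_type:
            continue
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms

    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(rules[(s, t, c)])};"
            for (s, t, c) in sorted(rules)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Only the spice-vdagent denials end up in the module; pulseaudio's
    # etc_t read is left out instead of becoming a kitchen-sink rule.
    print(generate_te(parse_avc(SAMPLE_AUDIT_LOG), "spice", comm="spice-vdagent"))
```

On a real box the equivalent is to grep the audit log for the one process before handing it to audit2allow, for example `grep 'comm="spice-vdagent"' /var/log/audit/audit.log | audit2allow -M spice`, then `semodule -i spice.pp`. Rules that only appear after `semodule -DB` came from dontaudit rules; they show up in the parser like any other denial, which is why the filter matters.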
Created attachment 518051 [details] everything.te contains every AVC denial I am getting on login with selinux in permissive mode.
Could you add raw AVC msgs?
Created attachment 518112 [details] I attached a copy of audit.log. The tempfs_denials are for ecryptfs.
update: It is working now

selinux-policy.noarch 3.9.16-35.fc15 @updates
selinux-policy-targeted.noarch 3.9.16-35.fc15 @updates

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted

Same spice.te / spice.pp as in my first post. Sorry for the trouble, not really sure why I was having a problem, all I did was reboot the KVM guest and now it works as expected.
Ok, please reopen if the problem still exists.