Bug 799334 - libvirt network definition is restricted by selinux policy
Summary: libvirt network definition is restricted by selinux policy
Keywords:
Status: CLOSED DUPLICATE of bug 788985
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-02 14:10 UTC by Jaroslav Kortus
Modified: 2012-10-15 14:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-02 14:50:07 UTC
Target Upstream Version:
Embargoed:

Description Jaroslav Kortus 2012-03-02 14:10:46 UTC
Description of problem:
export NETNAME=cluster
virsh net-define $NETNAME.xml
virsh net-autostart $NETNAME
virsh net-start $NETNAME

are not possible due to selinux restrictions, failing at:
Mar  2 08:01:16 marathon-02 dnsmasq[2831]: failed to open pidfile /var/run/libvirt/network/cluster.pid: Permission denied



Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-137.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. see description

Actual results:
commands do not produce running virtual network due to selinux restriction

Expected results:
proper labels on new files (see additional info).

Additional info:
----
time->Fri Mar  2 07:47:49 2012
type=SYSCALL msg=audit(1330696069.686:54433): arch=c000003e syscall=2 success=no exit=-13 a0=1b88a70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=5654 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696069.686:54433): avc:  denied  { write } for  pid=5654 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 07:55:54 2012
type=SYSCALL msg=audit(1330696554.804:54467): arch=c000003e syscall=2 success=no exit=-13 a0=137aa70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=6044 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696554.804:54467): avc:  denied  { write } for  pid=6044 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 07:56:46 2012
type=SYSCALL msg=audit(1330696606.492:54491): arch=c000003e syscall=2 success=no exit=-13 a0=2467a70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=6185 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696606.492:54491): avc:  denied  { write } for  pid=6185 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 07:56:46 2012
type=SYSCALL msg=audit(1330696606.613:54515): arch=c000003e syscall=2 success=no exit=-13 a0=9cda70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=6294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696606.613:54515): avc:  denied  { write } for  pid=6294 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 07:56:50 2012
type=SYSCALL msg=audit(1330696610.733:54536): arch=c000003e syscall=2 success=no exit=-13 a0=cf5a70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=6434 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696610.733:54536): avc:  denied  { write } for  pid=6434 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 08:01:16 2012
type=SYSCALL msg=audit(1330696876.393:44611): arch=c000003e syscall=2 success=no exit=-13 a0=1bb1a70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696876.393:44611): avc:  denied  { write } for  pid=2833 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
----
time->Fri Mar  2 08:01:36 2012
type=SYSCALL msg=audit(1330696896.835:44631): arch=c000003e syscall=2 success=yes exit=10 a0=70ca70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2944 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { write } for  pid=2944 comm="dnsmasq" name="cluster.pid" dev=dm-0 ino=2752861 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { create } for  pid=2944 comm="dnsmasq" name="cluster.pid" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { add_name } for  pid=2944 comm="dnsmasq" name="cluster.pid" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { write } for  pid=2944 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir

# after setenforce 0 and retry:
[root@marathon-02 virsh_create_network]# restorecon -vnR /var/
restorecon reset /var/run/libvirt/qemu context unconfined_u:object_r:virt_var_run_t:s0->unconfined_u:object_r:qemu_var_run_t:s0
restorecon reset /var/run/libvirt/network context unconfined_u:object_r:virt_var_run_t:s0->unconfined_u:object_r:dnsmasq_var_run_t:s0
restorecon reset /var/run/libvirt/network/cluster.pid context system_u:object_r:virt_var_run_t:s0->system_u:object_r:dnsmasq_var_run_t:s0
restorecon reset /var/log/yum.log context system_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0
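
As an added example (not from the bug report, libvirt or selinux-policy), a small Python triage helper that parses AVC records like the ones above, collapses the repeated denials into counts, and flags the mislabel signature this report shows: dnsmasq_t denied on an object labelled virt_var_run_t where its own dnsmasq_var_run_t is expected, which is exactly what restorecon -vnR exposed. The sample audit lines are constructed to match the report's records, and the `<domain>_var_run_t` naming heuristic is an assumption for illustration, not a statement about the policy.

```python
import re
from collections import Counter

# Constructed sample in the shape of the AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1330696069.686:54433): avc:  denied  { write } for  pid=5654 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1330696069.686:54433): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq"
type=AVC msg=audit(1330696554.804:54467): avc:  denied  { write } for  pid=6044 comm="dnsmasq" name="network" dev=dm-0 ino=2752733 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { create } for  pid=2944 comm="dnsmasq" name="cluster.pid" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1330696896.835:44631): avc:  denied  { add_name } for  pid=2944 comm="dnsmasq" name="cluster.pid" scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def sel_type(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]

def parse_avc(text):
    """One dict per AVC denial record; SYSCALL and other records are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"perms": tuple(d["perms"].split()), "pid": int(d["pid"]),
                           "comm": d["comm"], "name": d["name"],
                           "sdomain": sel_type(d["scontext"]),
                           "ttype": sel_type(d["tcontext"]), "tclass": d["tclass"]})
    return events

def summarize(events):
    """Collapse repeated denials into (domain, object type, class, perm) counts.
    Assumed heuristic: a denial on another domain's *_var_run_t object (here
    dnsmasq_t hitting virt_var_run_t) is a mislabel candidate and gets a hint."""
    counts = Counter()
    for e in events:
        for perm in e["perms"]:
            counts[(e["sdomain"], e["ttype"], e["tclass"], perm)] += 1
    findings = []
    for (dom, ttype, tclass, perm), n in sorted(counts.items()):
        own = dom[:-len("_t")] + "_var_run_t"   # dnsmasq_t -> dnsmasq_var_run_t
        mislabel = ttype.endswith("_var_run_t") and ttype != own
        findings.append({"domain": dom, "ttype": ttype, "tclass": tclass, "perm": perm,
                         "count": n, "hint": f"check labelling, expected {own}" if mislabel else None})
    return findings
```

Feeding it the output of `ausearch -m avc` on the affected host would produce one row per distinct denial with a relabel hint, so the six repeated dir denials above collapse into a single actionable line.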

Comment 3 Miroslav Grepl 2012-03-02 14:50:07 UTC

*** This bug has been marked as a duplicate of bug 788985 ***