Red Hat Bugzilla – Bug 805907
spice-vdagent does not work in Fedora 17 with selinux enabled
Last modified: 2012-04-11 22:38:39 EDT
Created attachment 571978
Log file with all AVC-s noticed while running / using the agent.
First of all if you try to reproduce this / test a fix for it, you need to use this spice-vdagent (or newer):
The reason for this, and also the reason for the need to update the selinux policy is that in F-17 there is no more consolekit, so the latest version of the agent (also) supports using libsystemd-login to get the session info it needs.
I've tried to make life easier for you by gathering all the AVC-s, putting them through audit2allow and verifying that the generated module fixed the issues I'm seeing. But it does not! With the attached AVC-s run through audit2allow, and the generated module installed, I no longer get any AVC-s, but the agent still malfunctions!
To be precise it logs the following to /var/log/spice-vdagentd/spice-vdagentd.log:
"Error getting session for pid 984: Permission denied",
each time a user logs in to a graphical session (which starts the per user session part of the agent). Doing "setenforce 0" followed by a logout / login (note no vdagentd restart needed) makes this message go away
and after that the agent functions as it should (i.e. one can copy-paste between the VM and apps running next to the client viewing the VM).
I must say I'm a bit mystified about selinux blocking the agent without logging an AVC, hopefully you can figure out the cause.
Were you trying to collect all AVC msgs in permissive mode?
I added fixes to F17.
(In reply to comment #1)
> Were you trying to collect all AVC msgs in permissive mode?
Yes and no. At first I did a number of the following cycles while in enforcing mode:
-vdagentd does not work -> look in audit.log
-collect AVC-s, add to AVC-s from previous cycle
-feed collected AVC-s to audit2allow
-remove previous version of selinux module made by audit2allow
-install new selinux module
When that failed to get me any further I moved to permissive mode, which did get me 3 additional AVC's (so it seems that in enforcing mode it failed before it got to these 3), which I also added to my AVC list, then audit2allow, rinse, repeat ... But in the end I failed to get it to work in enforcing mode this way.
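Added example, not part of the bug report or of the spice-vdagent and selinux-policy projects: a POSIX shell script that does the collection step from the cycle above by hand. It parses AVC denials out of a constructed audit.log excerpt (the sample lines, contexts and the module name `vdagent_local` are all constructed), renders them as the `allow` rules `audit2allow -M` would put in its `.te` file, and wraps the remove/build/install cycle as a dry run so it can be inspected on any host. It also carries the check a practitioner wants for the "Permission denied but no AVC" symptom from the first comment: `semodule -DB` temporarily disables dontaudit rules so suppressed denials reach audit.log (`semodule -B` restores them).

```shell
#!/bin/sh
# Added example (not from the bug report): parse SELinux AVC denials the way a
# practitioner does before feeding them to audit2allow, and show the module
# rebuild cycle described in the report as a dry run.

# Write a small constructed audit.log excerpt to the path given in $1.
# Record 202 duplicates 201, 204 carries two permissions, 205 is a USER_AVC
# (sent by a userspace object manager such as systemd) rather than a kernel AVC.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1332000000.101:201): avc:  denied  { read } for  pid=984 comm="spice-vdagentd" name="status" dev="proc" ino=1 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file
type=AVC msg=audit(1332000000.102:202): avc:  denied  { read } for  pid=984 comm="spice-vdagentd" name="status" dev="proc" ino=1 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file
type=AVC msg=audit(1332000000.103:203): avc:  denied  { connectto } for  pid=985 comm="spice-vdagent" scontext=unconfined_u:unconfined_r:vdagent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1332000000.104:204): avc:  denied  { read write } for  pid=984 comm="spice-vdagentd" name="vdagent" dev="tmpfs" ino=2 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=USER_AVC msg=audit(1332000000.105:205): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
EOF
}

# Print one "source_context target_context class permission" line per unique
# denial in the audit log at $1. Handles "{ read write }" multi-permission
# entries and USER_AVC records, and collapses repeated denials.
parse_avcs() {
    grep 'avc:.*denied' "$1" | awk '{
        sc = ""; tc = ""; cls = ""; nperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++) perms[++nperm] = $j
            } else if (index($i, "scontext=") == 1) {
                sc = substr($i, 10)
            } else if (index($i, "tcontext=") == 1) {
                tc = substr($i, 10)
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            }
        }
        if (sc != "" && tc != "" && cls != "")
            for (p = 1; p <= nperm; p++) print sc, tc, cls, perms[p]
    }' | sort -u
}

# Render the tuples from parse_avcs as Type Enforcement allow rules, the same
# shape audit2allow -M writes into the generated .te file (type is the third
# field of a context label).
te_rules() {
    parse_avcs "$1" | awk '{
        split($1, s, ":"); split($2, t, ":")
        printf "allow %s %s:%s %s;\n", s[3], t[3], $3, $4
    }'
}

# The cycle from the report: remove the previous locally generated module,
# build a fresh one from the collected denials, install it. Real commands run
# only with "--apply" as $3 (needs root and the policycoreutils tools);
# otherwise the function prints what it would do.
# If the daemon reports "Permission denied" and nothing reaches audit.log, a
# dontaudit rule is the usual cause: 'semodule -DB' disables dontaudit rules
# so the denial becomes visible, and 'semodule -B' re-enables them afterwards.
rebuild_module() {
    log="$1"; name="$2"; mode="${3:-dry-run}"
    if [ "$mode" = "--apply" ]; then
        semodule -r "$name" 2>/dev/null || true   # remove previous version of the module
        audit2allow -M "$name" -i "$log"          # writes $name.te and $name.pp in the cwd
        semodule -i "$name.pp"                    # install the new module
    else
        printf 'dry run; would execute:\n  semodule -r %s\n  audit2allow -M %s -i %s\n  semodule -i %s.pp\n' \
            "$name" "$name" "$log" "$name"
    fi
}

# Demo on the constructed log.
tmp=$(mktemp)
write_sample_log "$tmp"
echo "== unique denials =="; parse_avcs "$tmp"
echo "== candidate rules =="; te_rules "$tmp"
rebuild_module "$tmp" vdagent_local
rm -f "$tmp"
```

On a real host the input would come from `ausearch -m avc -ts recent` or the raw `/var/log/audit/audit.log`; the parse step is there to review what the generated module would grant before installing it, since audit2allow happily turns every denial into an allow rule.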
(In reply to comment #2)
> I added fixes to F17.
Good, I assume you will update this bug when a build with those fixes in gets done? Then I'll give the new policy a try.
You changed the component to 0xffff; I assume that was accidental, so I'm changing it back.
My browser does this ... it does not like the selinux-policy component :).
Yes, I am going to do a new build today which you could test.
selinux-policy-3.10.0-106.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-106.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
did you test it with the latest build from koji?
(In reply to comment #7)
> did you test it with the latest build from koji?
I just did, works like a charm! Thanks for the quick fix!
selinux-policy-3.10.0-106.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.