Bug 805907 - spice-vdagent does not work in Fedora 17 with selinux enabled
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2012-03-22 08:25 EDT by Hans de Goede
Modified: 2012-04-11 22:38 EDT
Fixed In Version: selinux-policy-3.10.0-106.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-11 22:38:39 EDT

Attachments
Log file with all AVC-s noticed while running / using the agent. (3.08 KB, text/plain)
2012-03-22 08:25 EDT, Hans de Goede
Description Hans de Goede 2012-03-22 08:25:17 EDT
Created attachment 571978
Log file with all AVC-s noticed while running / using the agent.


First of all if you try to reproduce this / test a fix for it, you need to use this spice-vdagent (or newer):

The reason for this, and also the reason for the need to update the selinux policy is that in F-17 there is no more consolekit, so the latest version of the agent (also) supports using libsystemd-login to get the session info it needs.

I've tried to make life easier for you by gathering all the AVC-s, putting them through audit2allow and verifying that the generated module fixed the issues I'm seeing. But it does not! With the attached AVC-s run through audit2allow, and the generated module installed I no longer get any AVC-s, but the agent still malfunctions!

To be precise it logs the following to /var/log/spice-vdagentd/spice-vdagentd.log:
"Error getting session for pid 984: Permission denied",
each time a user logs in to a graphical session (which starts the per user session part of the agent). Doing "setenforce 0" followed by a logout / login (note no vdagentd restart needed) makes this message go away
and after that the agent functions as it should (i.e. one can copy paste between the vm and apps running next to the client viewing the vm).

I must say I'm a bit mystified about selinux blocking the agent without logging an AVC, hopefully you can figure out the cause.


Comment 1 Miroslav Grepl 2012-03-22 08:47:35 EDT
Were you trying to collect all AVC msgs in permissive mode?
Comment 2 Miroslav Grepl 2012-03-22 09:18:18 EDT
I added fixes to F17.
Comment 3 Hans de Goede 2012-03-22 09:50:26 EDT
(In reply to comment #1)
> Were you trying to collect all AVC msgs in permissive mode?

Yes and no. At first I did a number of the following cycles while in enforcing mode:
-vdagentd does not work -> look in audit.log
-collect AVC-s, add to AVC-s from previous cycle
-feed collected AVC-s to audit2allow
-remove previous version of selinux module made by audit2allow
-install new selinux module

When that failed to get me any further I moved to permissive mode, which did get me 3
additional AVC's (so it seems that in enforcing mode it failed before it got to these 3), which
I also added to my AVC list, then audit2allow, rinse repeat ... But in the end I failed to get it
to work in enforcing mode this way.

(In reply to comment #2)
> I added fixes to F17.

Good, I assume you will update this bug when a build with those fixes in gets done? Then I'll give the new
policy a try.


You changed the component to 0xffff I assume that was accidental so I'm changing it back.
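
The collect-and-merge cycle from comment 3, as an added example (not part of the bug report, and a simplified stand-in for audit2allow rather than its code): it deduplicates AVC denials across runs, isolates the ones that appear only in permissive mode, and groups them into allow rules. The AVC records and the `example_*` type names are constructed.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_denials(audit_text):
    """Return the set of (source_type, target_type, class, perm) denials."""
    denials = set()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type:level; only the type matters here.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        denials.update((src, tgt, tclass, p) for p in perms.split())
    return denials  # a set, so repeated records collapse

def to_allow_rules(denials):
    """Group denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in denials:
        grouped[(src, tgt, tclass)].add(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

# Constructed AVC records; the example_* type names are placeholders.
REC = ('type=AVC msg=audit(1332418000.000:%d): avc:  denied  { %s } for  pid=984 '
       'comm="spice-vdagentd" scontext=system_u:system_r:example_agent_t:s0 '
       'tcontext=system_u:object_r:%s:s0 tclass=%s')
ENFORCING = "\n".join(REC % r for r in [
    (101, "search", "example_login_run_t", "dir"),
    (102, "read", "example_login_run_t", "file"),
    (103, "search", "example_login_run_t", "dir"),  # repeat of record 101
])
PERMISSIVE = "\n".join(REC % r for r in [
    (201, "search", "example_login_run_t", "dir"),
    (202, "read open getattr", "example_login_run_t", "file"),
    (203, "connectto", "example_logind_t", "unix_stream_socket"),
])

enforcing = parse_denials(ENFORCING)
# Denials seen only in permissive mode: calls enforcing mode never reached.
permissive_only = parse_denials(PERMISSIVE) - enforcing
rules = to_allow_rules(enforcing | permissive_only)

if __name__ == "__main__":
    print("\n".join(rules))
```

A denial suppressed by a dontaudit rule never reaches the audit log, so it cannot appear in either set.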
Comment 4 Miroslav Grepl 2012-03-22 10:08:41 EDT
This does my browser ... it does not like selinux-policy component :).

Yes, I am going to do a new build today which you could test.
Comment 5 Fedora Update System 2012-03-22 15:27:56 EDT
selinux-policy-3.10.0-106.fc17 has been submitted as an update for Fedora 17.
Comment 6 Fedora Update System 2012-03-25 17:29:57 EDT
Package selinux-policy-3.10.0-106.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-106.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 7 Miroslav Grepl 2012-03-26 05:00:50 EDT
Hans,
did you test it with the latest build from koji?
Comment 8 Hans de Goede 2012-03-26 05:43:20 EDT

(In reply to comment #7)
> Hans,
> did you test it with the latest build from koji?

I just did, works like a charm! Thanks for the quick fix!


Comment 9 Fedora Update System 2012-04-11 22:38:39 EDT
selinux-policy-3.10.0-106.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
