Bug 848860 - AVC while trying to run /usr/bin/firewall-cmd from confined libvirtd
Summary: AVC while trying to run /usr/bin/firewall-cmd from confined libvirtd
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 18
Hardware: Unspecified Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-16 15:43 UTC by Laine Stump
Modified: 2012-08-16 17:53 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-16 17:53:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Laine Stump 2012-08-16 15:43:20 UTC
We're trying to switch libvirt over to using firewalld rather than calling iptables and ebtables directly (firewalld is present in F17, but disabled by default; it will be enabled by default in F18). The interaction with firewalld is through that package's commandline utility, /usr/bin/firewall-cmd.

When we try to call firewall-cmd from libvirtd, we get the following AVC:

type=USER_AVC msg=audit(1345131322.154:3428): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.256 spid=10350 tpid=11648 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I've rerun in permissive mode and this is the only AVC that shows up in the audit logs, so hopefully a policy for just this one thing will permit it to run.

Comment 1 Daniel Walsh 2012-08-16 17:53:29 UTC
Fixed in selinux-policy-3.11.1-9.fc18.noarch


Note You need to log in before you can comment on or make changes to this bug.