For 6.4 spice-vdagent is being rebased to the latest upstream version (bug 842355). As part of this rebase it is moving to syslog instead of using its own logging code (bug 747894, fdo#49092). The SELinux policy will need to be adjusted for this. Note for testing: current spice-vdagent packages do not use syslog yet, but ones which do will be available soon.
will backport from Fedora.
During the vdagent automated test, the following AVCs showed up:
----
time->Fri Sep 7 10:39:24 2012
type=SYSCALL msg=audit(1347007164.351:200): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=3d455901a0 a2=6e a3=0 items=0 ppid=1 pid=5188 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=unconfined_u:system_r:vdagent_t:s0 key=(null)
type=AVC msg=audit(1347007164.351:200): avc: denied { sendto } for pid=5188 comm="spice-vdagentd" path="/dev/log" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1347007164.351:200): avc: denied { write } for pid=5188 comm="spice-vdagentd" name="log" dev=devtmpfs ino=10962 scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1347007164.351:200): avc: denied { connect } for pid=5188 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
----
time->Fri Sep 7 10:39:24 2012
type=SYSCALL msg=audit(1347007164.350:199): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=5188 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=unconfined_u:system_r:vdagent_t:s0 key=(null)
type=AVC msg=audit(1347007164.350:199): avc: denied { create } for pid=5188 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
The following AVCs were reported with policy version 3.7.19-161.el6:
[root@dhcp-25-115 bz682416-spice-vdagentd-and-similar]# rpm -qa selinux-policy\*
selinux-policy-3.7.19-161.el6.noarch
selinux-policy-minimum-3.7.19-161.el6.noarch
selinux-policy-targeted-3.7.19-161.el6.noarch
selinux-policy-mls-3.7.19-161.el6.noarch
selinux-policy-doc-3.7.19-161.el6.noarch
----
time->Tue Sep 11 09:07:16 2012
type=SYSCALL msg=audit(1347347236.823:3566): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=15603 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=unconfined_u:system_r:vdagent_t:s0 key=(null)
type=AVC msg=audit(1347347236.823:3566): avc: denied { create } for pid=15603 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
----
time->Tue Sep 11 09:07:16 2012
type=PATH msg=audit(1347347236.823:3567): item=0 name=(null) inode=310097 dev=00:05 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:devlog_t:s0
type=SOCKADDR msg=audit(1347347236.823:3567): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1347347236.823:3567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=33a99901a0 a2=6e a3=0 items=1 ppid=1 pid=15603 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=unconfined_u:system_r:vdagent_t:s0 key=(null)
type=AVC msg=audit(1347347236.823:3567): avc: denied { sendto } for pid=15603 comm="spice-vdagentd" path="/dev/log" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1347347236.823:3567): avc: denied { write } for pid=15603 comm="spice-vdagentd" name="log" dev=devtmpfs ino=310097 scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1347347236.823:3567): avc: denied { connect } for pid=15603 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
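
Added example, not part of the bug comments and not the policy change that was shipped: a short Python script that reduces AVC records like the ones above to audit2allow-style allow rules and decodes the hex SOCKADDR record to show which socket the daemon connected to. The function names and the SAMPLE text (records abridged from this report, saddr padding trimmed) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the report above (saddr padding trimmed).
SAMPLE = """\
type=SOCKADDR msg=audit(1347347236.823:3567): saddr=01002F6465762F6C6F670000
type=AVC msg=audit(1347347236.823:3566): avc: denied { create } for pid=15603 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1347347236.823:3567): avc: denied { sendto } for pid=15603 comm="spice-vdagentd" path="/dev/log" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1347347236.823:3567): avc: denied { write } for pid=15603 comm="spice-vdagentd" name="log" dev=devtmpfs ino=310097 scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1347347236.823:3567): avc: denied { connect } for pid=15603 comm="spice-vdagentd" scontext=unconfined_u:system_r:vdagent_t:s0 tcontext=unconfined_u:system_r:vdagent_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]+)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
SADDR_RE = re.compile(r"type=SOCKADDR\b.*?saddr=([0-9A-Fa-f]+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log):
    """Group denied permissions into audit2allow-style allow rules."""
    rules = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log):
        src, tgt = selinux_type(scon), selinux_type(tcon)
        if tgt == src:
            tgt = "self"  # same-domain access is written as "self"
        rules[(src, tgt, tclass)].update(perms.split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def unix_socket_paths(log):
    """Decode hex SOCKADDR records and return AF_UNIX pathnames."""
    paths = []
    for hexaddr in SADDR_RE.findall(log):
        raw = bytes.fromhex(hexaddr)
        # sa_family is host byte order; little-endian on x86_64 (arch=c000003e).
        if int.from_bytes(raw[:2], "little") == 1:  # AF_UNIX
            paths.append(raw[2:].split(b"\0", 1)[0].decode())
    return paths

if __name__ == "__main__":
    print(unix_socket_paths(SAMPLE))
    print("\n".join(summarize_denials(SAMPLE)))
```

In the SELinux reference policy, this set of permissions for writing to /dev/log is normally granted through the logging_send_syslog_msg() interface rather than through raw allow rules.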
Actually this is fixed. But there is a bug in the current build which is going to be fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html