Bug 887410 - SELinux is preventing /usr/sbin/libvirtd from using the 'signull' accesses on a process.
Summary: SELinux is preventing /usr/sbin/libvirtd from using the 'signull' accesses on...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:24be7851b63ff73028fa385c381...
Depends On:
TreeView+ depends on / blocked
Reported: 2012-12-14 23:41 UTC by Miroslav Grepl
Modified: 2013-01-11 23:13 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-01-11 23:13:50 UTC
Type: ---

Attachments (Terms of Use)

Description Miroslav Grepl 2012-12-14 23:41:03 UTC
Description of problem:
SELinux is preventing /usr/sbin/libvirtd from using the 'signull' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that libvirtd should be allowed signull access on processes labeled svirt_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep libvirtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:svirt_t:s0:c8,c270
Target Objects                 [ process ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           BDB2053 Freeing read locks for locker 0x1907:
                              5540/139953121544128 BDB2053 Freeing read locks
                              for locker 0x1908: 5540/139953121544128 BDB2053
                              Freeing read locks for locker 0x1909:
                              5540/139953121544128 BDB2053 Freeing read locks
                              for locker 0x190a: 5540/139953121544128 libvirt-
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-63.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-0.rc1.git6.1.fc18.x86_64 #1
                              SMP Tue Aug 14 12:13:12 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-12-15 00:32:45 CET
Last Seen                     2012-12-15 00:37:02 CET
Local ID                      aad3591e-4ada-4294-bfc5-399ffeda6294

Raw Audit Messages
type=AVC msg=audit(1355528222.741:12278): avc:  denied  { signull } for  pid=3760 comm="libvirtd" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:svirt_t:s0:c8,c270 tclass=process

type=SYSCALL msg=audit(1355528222.741:12278): arch=x86_64 syscall=kill success=yes exit=0 a0=11e2 a1=0 a2=0 a3=5 items=0 ppid=1 pid=3760 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=11 comm=libvirtd exe=/usr/sbin/libvirtd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,staff_t,svirt_t,process,signull


#============= staff_t ==============
allow staff_t svirt_t:process signull;

audit2allow -R

#============= staff_t ==============
allow staff_t svirt_t:process signull;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.0-0.rc1.git6.1.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2012-12-14 23:42:28 UTC
There are issues with "gnome-boxes+staff_r" SELinux role.

Comment 2 Daniel Walsh 2012-12-17 20:19:32 UTC
Fixed in selinux-policy-3.11.1-67.fc18.noarch

Comment 3 Fedora Update System 2012-12-21 10:31:42 UTC
selinux-policy-3.11.1-67.fc18 has been submitted as an update for Fedora 18.

Comment 4 Fedora Update System 2012-12-21 20:02:01 UTC
Package selinux-policy-3.11.1-67.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-67.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-01-11 23:13:51 UTC
selinux-policy-3.11.1-67.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.