956871 – SELinux is preventing /usr/sbin/libvirtd from 'connectto' accesses on the unix_stream_socket /home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor.

Bug 956871 - SELinux is preventing /usr/sbin/libvirtd from 'connectto' accesses on the unix_stream_socket /home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor.

Summary: SELinux is preventing /usr/sbin/libvirtd from 'connectto' accesses on the uni...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	18
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:82241efd65ae197a1b26b5c253f...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-25 20:21 UTC by Dag Odenhall
Modified:	2013-05-21 08:38 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.11.1-95.fc18
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-05-21 08:38:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dag Odenhall 2013-04-25 20:21:24 UTC

Description of problem:
Since making myself a staff_u SELinux user and enabling the selinuxuser_tcp_server and staff_use_svirt booleans this was the remaining AVC denial for starting a GNOME Boxes machine, and installing the module generated by audit2allow fixed it.
SELinux is preventing /usr/sbin/libvirtd from 'connectto' accesses on the unix_stream_socket /home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that libvirtd should be allowed connectto access on the Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep libvirtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0:c389,c985
Target Context                staff_u:staff_r:svirt_t:s0:c389,c985
Target Objects                /home/dag/.config/libvirt/qemu/lib/Fedora-19
                              -Alpha-TC6-x86_64-netinst.iso.monitor [
                              unix_stream_socket ]
Source                        libvirtd
Source Path                   /usr/sbin/libvirtd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libvirt-daemon-0.10.2.4-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-202.fc18.x86_64 #1 SMP Wed
                              Apr 17 23:25:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-04-25 22:11:25 CEST
Last Seen                     2013-04-25 22:11:25 CEST
Local ID                      190f2f79-f98c-45b4-a60c-21ad39da682e

Raw Audit Messages
type=AVC msg=audit(1366920685.708:676): avc:  denied  { connectto } for  pid=15576 comm="libvirtd" path="/home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor" scontext=staff_u:staff_r:staff_t:s0:c389,c985 tcontext=staff_u:staff_r:svirt_t:s0:c389,c985 tclass=unix_stream_socket


type=SYSCALL msg=audit(1366920685.708:676): arch=x86_64 syscall=connect success=no exit=EACCES a0=17 a1=7f0ce27d7d40 a2=6e a3=3035626139323464 items=0 ppid=1 pid=15576 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=libvirtd exe=/usr/sbin/libvirtd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,staff_t,svirt_t,unix_stream_socket,connectto

audit2allow

#============= staff_t ==============
allow staff_t svirt_t:unix_stream_socket connectto;

audit2allow -R
require {
	type staff_t;
	type svirt_t;
	class unix_stream_socket connectto;
}

#============= staff_t ==============
allow staff_t svirt_t:unix_stream_socket connectto;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.8-202.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-04-26 06:39:59 UTC

Are you using gnome-boxes?

Comment 2 Dag Odenhall 2013-04-26 13:36:01 UTC

(In reply to comment #1)
> Are you using gnome-boxes?

In deed.  See my description above:

> Since making myself a staff_u SELinux user and enabling the selinuxuser_tcp_server and staff_use_svirt booleans this was the remaining AVC denial for starting a GNOME Boxes machine, and installing the module generated by audit2allow fixed it.

Comment 3 Dag Odenhall 2013-04-28 12:49:23 UTC

If I reboot Boxes can't see or start machines any more.  If I setenforce 0 I can start a machine.  If I then setenforce 1 again, I can still start machines even after restarting Boxes.

Comment 4 Miroslav Grepl 2013-04-29 07:07:11 UTC

Yes, it is caused by missing rules in staff_use_svirt boolean. We have

optional_policy(`
    tunable_policy(`staff_use_svirt',`
        allow staff_t self:fifo_file relabelfrom;
        dev_rw_kvm(staff_t)
        virt_manage_images(staff_t)
    ')
')


If you execute

# grep libvirtd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


does it work then?

Comment 5 Miroslav Grepl 2013-04-29 08:19:49 UTC

Ah, I see it now that it works for you with a local policy.

Comment 6 Dag Odenhall 2013-04-29 08:40:12 UTC

Well the policy I included above only worked if GNOME Boxes was started once in Permissive first.  The following policy seems to work in a fully Enforcing environment:

module local_gnome_boxes 1.0;

require {
	type staff_t;
	type staff_dbusd_t;
	type virtd_exec_t;
	type dnsmasq_exec_t;
	type svirt_t;
	class process { siginh noatsecure rlimitinh };
	class unix_stream_socket connectto;
	class file { read execute open getattr execute_no_trans };
}

#============= staff_dbusd_t ==============
allow staff_dbusd_t staff_t:process { siginh rlimitinh noatsecure };

#============= staff_t ==============
allow staff_t dnsmasq_exec_t:file getattr;
allow staff_t svirt_t:unix_stream_socket connectto;
allow staff_t virtd_exec_t:file { read execute open execute_no_trans };

Comment 7 Daniel Walsh 2013-05-07 19:15:53 UTC

allow staff_t svirt_t:unix_stream_socket connectto;
allow staff_t virtd_exec_t:file { read execute open execute_no_trans };

These are probably the ones we need.


ab28ac3af2c334e53438591643a76013f2ad5bba
43f6627be5c6403e9798498fc30bf92174bebf0d
Allow this access.

Comment 8 Fedora Update System 2013-05-07 21:29:25 UTC

selinux-policy-3.11.1-94.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-94.fc18

Comment 9 Fedora Update System 2013-05-09 10:12:10 UTC

Package selinux-policy-3.11.1-94.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-94.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7743/selinux-policy-3.11.1-94.fc18
then log in and leave karma (feedback).

Comment 10 Dag Odenhall 2013-05-09 17:22:49 UTC

The new policy does not fix my issue.  Or does `semanage -r local_gnome_boxes` revert the rules in my module regardless of any rules in the system policy?

Comment 11 Dag Odenhall 2013-05-09 17:23:30 UTC

Sorry, I meant `semodule -r` of course.

Comment 12 Daniel Walsh 2013-05-09 18:54:54 UTC

What AVC's are you seeing now?

Comment 13 Miroslav Grepl 2013-05-10 09:09:13 UTC

Well the problem is the latest rules are not in this update.

Added.

Comment 14 Fedora Update System 2013-05-17 10:59:20 UTC

selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18

Comment 15 Fedora Update System 2013-05-19 02:42:43 UTC

Package selinux-policy-3.11.1-95.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-95.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8591/selinux-policy-3.11.1-95.fc18
then log in and leave karma (feedback).

Comment 16 Dag Odenhall 2013-05-19 21:00:14 UTC

Works with selinux-policy-3.11.1-95.fc18.noarch, thanks!

Comment 17 Fedora Update System 2013-05-21 08:38:20 UTC

selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.