Description of problem: Since making myself a staff_u SELinux user and enabling the selinuxuser_tcp_server and staff_use_svirt booleans this was the remaining AVC denial for starting a GNOME Boxes machine, and installing the module generated by audit2allow fixed it. SELinux is preventing /usr/sbin/libvirtd from 'connectto' accesses on the unix_stream_socket /home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that libvirtd should be allowed connectto access on the Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep libvirtd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_t:s0:c389,c985 Target Context staff_u:staff_r:svirt_t:s0:c389,c985 Target Objects /home/dag/.config/libvirt/qemu/lib/Fedora-19 -Alpha-TC6-x86_64-netinst.iso.monitor [ unix_stream_socket ] Source libvirtd Source Path /usr/sbin/libvirtd Port <Unknown> Host (removed) Source RPM Packages libvirt-daemon-0.10.2.4-1.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-91.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-04-25 22:11:25 CEST Last Seen 2013-04-25 22:11:25 CEST Local ID 190f2f79-f98c-45b4-a60c-21ad39da682e Raw Audit Messages type=AVC msg=audit(1366920685.708:676): avc: denied { connectto } for pid=15576 comm="libvirtd" path="/home/dag/.config/libvirt/qemu/lib/Fedora-19-Alpha-TC6-x86_64-netinst.iso.monitor" scontext=staff_u:staff_r:staff_t:s0:c389,c985 tcontext=staff_u:staff_r:svirt_t:s0:c389,c985 tclass=unix_stream_socket type=SYSCALL msg=audit(1366920685.708:676): arch=x86_64 syscall=connect success=no exit=EACCES a0=17 a1=7f0ce27d7d40 a2=6e a3=3035626139323464 items=0 ppid=1 pid=15576 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=libvirtd exe=/usr/sbin/libvirtd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Hash: libvirtd,staff_t,svirt_t,unix_stream_socket,connectto audit2allow #============= staff_t ============== allow staff_t svirt_t:unix_stream_socket connectto; audit2allow -R require { type staff_t; type svirt_t; class unix_stream_socket connectto; } #============= staff_t ============== allow staff_t svirt_t:unix_stream_socket connectto; Additional info: hashmarkername: setroubleshoot kernel: 3.8.8-202.fc18.x86_64 type: libreport
Are you using gnome-boxes?
(In reply to comment #1) > Are you using gnome-boxes? In deed. See my description above: > Since making myself a staff_u SELinux user and enabling the selinuxuser_tcp_server and staff_use_svirt booleans this was the remaining AVC denial for starting a GNOME Boxes machine, and installing the module generated by audit2allow fixed it.
If I reboot Boxes can't see or start machines any more. If I setenforce 0 I can start a machine. If I then setenforce 1 again, I can still start machines even after restarting Boxes.
Yes, it is caused by missing rules in staff_use_svirt boolean. We have optional_policy(` tunable_policy(`staff_use_svirt',` allow staff_t self:fifo_file relabelfrom; dev_rw_kvm(staff_t) virt_manage_images(staff_t) ') ') If you execute # grep libvirtd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp does it work then?
Ah, I see it now that it works for you with a local policy.
Well the policy I included above only worked if GNOME Boxes was started once in Permissive first. The following policy seems to work in a fully Enforcing environment: module local_gnome_boxes 1.0; require { type staff_t; type staff_dbusd_t; type virtd_exec_t; type dnsmasq_exec_t; type svirt_t; class process { siginh noatsecure rlimitinh }; class unix_stream_socket connectto; class file { read execute open getattr execute_no_trans }; } #============= staff_dbusd_t ============== allow staff_dbusd_t staff_t:process { siginh rlimitinh noatsecure }; #============= staff_t ============== allow staff_t dnsmasq_exec_t:file getattr; allow staff_t svirt_t:unix_stream_socket connectto; allow staff_t virtd_exec_t:file { read execute open execute_no_trans };
allow staff_t svirt_t:unix_stream_socket connectto; allow staff_t virtd_exec_t:file { read execute open execute_no_trans }; These are probably the ones we need. ab28ac3af2c334e53438591643a76013f2ad5bba 43f6627be5c6403e9798498fc30bf92174bebf0d Allow this access.
selinux-policy-3.11.1-94.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-94.fc18
Package selinux-policy-3.11.1-94.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-94.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-7743/selinux-policy-3.11.1-94.fc18 then log in and leave karma (feedback).
The new policy does not fix my issue. Or does `semanage -r local_gnome_boxes` revert the rules in my module regardless of any rules in the system policy?
Sorry, I meant `semodule -r` of course.
What AVC's are you seeing now?
Well the problem is the latest rules are not in this update. Added.
selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18
Package selinux-policy-3.11.1-95.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-95.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-8591/selinux-policy-3.11.1-95.fc18 then log in and leave karma (feedback).
Works with selinux-policy-3.11.1-95.fc18.noarch, thanks!
selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.