Bug 975344 - SELinux is preventing spice-vdagentd from 'module_request' accesses on the system .
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:12dfde6a68ad40fbc41fd6fee8b...
Blocks: F19-accepted/F19FinalFreezeException
 
Reported: 2013-06-18 03:44 EDT by Adam Williamson
Modified: 2013-06-23 02:27 EDT
Fixed In Version: selinux-policy-3.12.1-54.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-23 02:27:22 EDT


Description Adam Williamson 2013-06-18 03:44:19 EDT
Description of problem:
Just booted the F19 Final TC5 LXDE live. Other desktop lives didn't do this; not sure if something's different on LXDE or it's a race of some kind.
SELinux is preventing spice-vdagentd from 'module_request' accesses on the system .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that spice-vdagentd should be allowed module_request access on the  system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ system ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-52.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue
                              Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-18 03:43:04 EDT
Last Seen                     2013-06-18 03:43:04 EDT
Local ID                      22e1da91-6530-4a65-bf9c-df678a197308

Raw Audit Messages
type=AVC msg=audit(1371541384.351:385): avc:  denied  { module_request } for  pid=509 comm="spice-vdagentd" kmod="char-major-10-223" scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: spice-vdagentd,vdagent_t,kernel_t,system,module_request

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport
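
An added example, not part of the original report and not setroubleshoot's own code: a small parser for the AVC record shown under "Raw Audit Messages". It assumes the report's Hash line is the tuple comm, source type, target type, class, permissions; the function names are hypothetical, and the mapping of misc minor 223 to uinput comes from linux/miscdevice.h, not from this page.

```python
import re

# AVC record copied from "Raw Audit Messages" in this report.
SAMPLE = (
    'type=AVC msg=audit(1371541384.351:385): avc:  denied  { module_request } '
    'for  pid=509 comm="spice-vdagentd" kmod="char-major-10-223" '
    'scontext=system_u:system_r:vdagent_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Misc-device minors under char major 10 (linux/miscdevice.h); not from the page.
MISC_MINORS = {223: "uinput"}


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def dedupe_key(avc):
    """Assumed layout of the report's Hash line: comm,stype,ttype,class,perms."""
    return ",".join([avc["comm"], selinux_type(avc["scontext"]),
                     selinux_type(avc["tcontext"]), avc["tclass"], *avc["perms"]])


def decode_kmod(alias):
    """Split a char-major-<major>-<minor> alias; name the misc devices we know."""
    m = re.fullmatch(r"char-major-(\d+)-(\d+)", alias)
    if m is None:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    name = MISC_MINORS.get(minor) if major == 10 else None
    return major, minor, name
```

Running `dedupe_key(parse_avc(SAMPLE))` reproduces the Hash line above, and `decode_kmod` shows which device node the daemon opened to trigger the module request.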
Comment 1 Adam Williamson 2013-06-18 03:45:13 EDT
Nominating as a final freeze exception, "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)" for a non-blocking desktop.
Comment 2 Adam Williamson 2013-06-18 04:09:01 EDT
Same AVC on boot of the MATE-Compiz live image.
Comment 3 Miroslav Grepl 2013-06-18 06:09:58 EDT
commit 6d823dd30a359aa75172626d652487c7bb4c6b3d
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Jun 18 12:01:46 2013 +0200

    Make vdagent able to request loading kernel module
Comment 4 Adam Williamson 2013-06-18 12:53:12 EDT
Thanks, mgrepl. As we're in final freeze and close to release, can you do a build/update fairly soon? Thanks!
Comment 5 Miroslav Grepl 2013-06-19 02:49:56 EDT
Yes, will do ASAP. There are other bugs.
Comment 6 Adam Williamson 2013-06-19 15:02:02 EDT
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue as a violation of the 'no AVCs' criterion for non-blocking desktops (so far this hasn't been reported for a GNOME or KDE install).
Comment 7 Fedora Update System 2013-06-19 16:34:59 EDT
selinux-policy-3.12.1-53.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-53.fc19
Comment 8 Fedora Update System 2013-06-20 14:02:07 EDT
Package selinux-policy-3.12.1-54.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-54.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11355/selinux-policy-3.12.1-54.fc19
then log in and leave karma (feedback).
Comment 9 Adam Williamson 2013-06-21 01:37:46 EDT
Couple of install tests with LXDE TC6 seem to verify this is fixed.
Comment 10 Fedora Update System 2013-06-23 02:27:22 EDT
selinux-policy-3.12.1-54.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
