Bug 995434 - Cannot create virtual machine in VirtManager in enforcing after system update
Summary: Cannot create virtual machine in VirtManager in enforcing after system update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-09 11:15 UTC by Michal Trunecka
Modified: 2014-09-30 23:35 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-214.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:48:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Michal Trunecka 2013-08-09 11:15:32 UTC 
Description of problem:

SELinux is preventing /usr/sbin/lldpad from sendto access on the unix_dgram_socket @00022.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that lldpad should be allowed sendto access on the @00022 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lldpad /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:lldpad_t:s0
Target Context                system_u:system_r:fcoemon_t:s0
Target Objects                @00022 [ unix_dgram_socket ]
Source                        lldpad
Source Path                   /usr/sbin/lldpad
Port                          <Unknown>
Host                          dhcp-25-142.brq.redhat.com
Source RPM Packages           lldpad-0.9.45-7.el6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-211.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     dhcp-25-142.brq.redhat.com
Platform                      Linux dhcp-25-142.brq.redhat.com
                              2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41
                              EST 2013 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 09 Aug 2013 01:05:03 PM CEST
Last Seen                     Fri 09 Aug 2013 01:07:23 PM CEST
Local ID                      0bdce7c6-d5a9-4048-86ed-a9e4e10862f3

Raw Audit Messages
type=AVC msg=audit(1376046443.294:69876): avc:  denied  { sendto } for  pid=2755 comm="lldpad" path=003030303232 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket


type=SYSCALL msg=audit(1376046443.294:69876): arch=x86_64 syscall=sendto success=yes exit=ENOEXEC a0=4 a1=164f160 a2=8 a3=0 items=0 ppid=1 pid=2755 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null)

Hash: lldpad,lldpad_t,fcoemon_t,unix_dgram_socket,sendto

audit2allow

#============= lldpad_t ==============
allow lldpad_t fcoemon_t:unix_dgram_socket sendto;

audit2allow -R

#============= lldpad_t ==============
allow lldpad_t fcoemon_t:unix_dgram_socket sendto;




Steps to Reproduce:
1. Just create virtual machine via VirtManager. Almost default, just Video changed to vga and NIC changed to bridged.
2.
Comment 1 Miroslav Grepl 2013-08-09 12:37:02 UTC 
Did you disable unconfined module?
Comment 2 Miroslav Grepl 2013-08-09 12:38:00 UTC 
optional_policy(`
    fcoemon_dgram_send(lldpad_t)
')

will be added. But it should work with enabled unconfined module because of 

optional_policy(`
    unconfined_domain(lldpad_t)
')
Comment 3 Michal Trunecka 2013-08-09 13:09:26 UTC 
Yes, I was running with disabled unconfined module.
Comment 6 errata-xmlrpc 2013-11-21 10:48:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.