Bug 997605 - SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' accesses on the file sandbox.cfg.
SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' ac...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-08-15 14:35 EDT by David Strauss
Modified: 2013-10-25 05:46 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-25 05:46:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Strauss 2013-08-15 14:35:18 EDT
Description of problem:
SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' accesses on the file sandbox.cfg.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that libvirt-sandbox-init-common should be allowed read access on the sandbox.cfg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep libvirt-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c676,c783
Target Context                unconfined_u:object_r:virt_home_t:s0
Target Objects                sandbox.cfg [ file ]
Source                        libvirt-sandbox
Source Path                   /usr/libexec/libvirt-sandbox-init-common
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libvirt-sandbox-libs-0.2.0-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-65.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat
                              Jul 6 13:41:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-24 14:52:23 PDT
Last Seen                     2013-07-24 14:52:23 PDT
Local ID                      8e5efd6f-bf02-46fd-b5d8-15547f98b4ff

Raw Audit Messages
type=AVC msg=audit(1374702743.537:797): avc:  denied  { read } for  pid=8038 comm="libvirt-sandbox" name="sandbox.cfg" dev="dm-3" ino=6558473 scontext=system_u:system_r:svirt_lxc_net_t:s0:c676,c783 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file

type=SYSCALL msg=audit(1374702743.537:797): arch=x86_64 syscall=open success=no exit=EACCES a0=405ac0 a1=0 a2=0 a3=7fff2f359c40 items=0 ppid=0 pid=8038 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common subj=system_u:system_r:svirt_lxc_net_t:s0:c676,c783 key=(null)

Hash: libvirt-sandbox,svirt_lxc_net_t,virt_home_t,file,read

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-08-17 07:12:55 EDT
What command did you execute to get this AVC?
Comment 2 David Strauss 2013-08-18 22:57:16 EDT
I don't know what caused this AVC. It was in my selinux denials history from week or so back.

Note You need to log in before you can comment on or make changes to this bug.