Bug 997605 - SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' accesses on the file sandbox.cfg.
Summary: SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' ac...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:969db16fa6fbb1dabcd7d744706...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-15 18:35 UTC by David Strauss
Modified: 2013-10-25 09:46 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-25 09:46:51 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description David Strauss 2013-08-15 18:35:18 UTC 
Description of problem:
SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from 'read' accesses on the file sandbox.cfg.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that libvirt-sandbox-init-common should be allowed read access on the sandbox.cfg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep libvirt-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c676,c783
Target Context                unconfined_u:object_r:virt_home_t:s0
Target Objects                sandbox.cfg [ file ]
Source                        libvirt-sandbox
Source Path                   /usr/libexec/libvirt-sandbox-init-common
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libvirt-sandbox-libs-0.2.0-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-65.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat
                              Jul 6 13:41:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-24 14:52:23 PDT
Last Seen                     2013-07-24 14:52:23 PDT
Local ID                      8e5efd6f-bf02-46fd-b5d8-15547f98b4ff

Raw Audit Messages
type=AVC msg=audit(1374702743.537:797): avc:  denied  { read } for  pid=8038 comm="libvirt-sandbox" name="sandbox.cfg" dev="dm-3" ino=6558473 scontext=system_u:system_r:svirt_lxc_net_t:s0:c676,c783 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file


type=SYSCALL msg=audit(1374702743.537:797): arch=x86_64 syscall=open success=no exit=EACCES a0=405ac0 a1=0 a2=0 a3=7fff2f359c40 items=0 ppid=0 pid=8038 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=pts0 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common subj=system_u:system_r:svirt_lxc_net_t:s0:c676,c783 key=(null)

Hash: libvirt-sandbox,svirt_lxc_net_t,virt_home_t,file,read

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.5-201.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-08-17 11:12:55 UTC 
What command did you execute to get this AVC?
Comment 2 David Strauss 2013-08-19 02:57:16 UTC 
I don't know what caused this AVC. It was in my selinux denials history from week or so back.
Note You need to log in before you can comment on or make changes to this bug.