RHEL-37822

SELinux denial when virtqemu is stopped: avc: denied { search } for comm="rpc-virtproxyd" dev="proc"

    • selinux-policy-40.13.4-1.el10
    • sst_security_selinux
    • ssg_security
    • CentOS Stream
    • x86_64
    • Fail
    • Automated

      What were you trying to do that didn't work?

      I'm enabling cockpit-machines testing on CentOS 10 (and soon RHEL 10), and after a plethora of bugs inherited from Fedora 40, there is one CentOS 10-specific SELinux denial.

      I'm not sure if libvirt ships its own SELinux policy or relies on selinux-policy. In the latter case, please reassign.

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13.1-1.el10.noarch
      libvirt-dbus-1.4.1-4.el10.x86_64
      libvirt-daemon-proxy-10.0.0-3.el10.x86_64

      How reproducible:

      Always

      Steps to reproduce

      systemctl stop virtqemud virtqemud{,-ro,-admin}.socket
      busctl call org.libvirt /org/libvirt/QEMU/domain org.libvirt.Domain GetHostname u 0
      

      Actual results

      Fails with

      Call failed: internal error: Cannot find start time for pid 5017
      

      which smells a bit like a polkit check? (libpolkit client library). The journal says why:

      audit[18923]: AVC avc:  denied  { search } for  pid=18923 comm="rpc-virtproxyd" name="6928" dev="proc" ino=135827 scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0 
      audit[18923]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5568d4998380 a2=0 a3=0 items=0 ppid=1 pid=18923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtproxyd" exe="/usr/sbin/virtproxyd" subj=system_u:system_r:virtproxyd_t:s0 key=(null) 
      audit: PROCTITLE proctitle=2F7573722F7362696E2F7669727470726F787964002D2D74696D656F757400313230 
      virtproxyd[18923]: internal error: Cannot find start time for pid 6928 
      virtproxyd[18923]: End of file while reading data: Input/output error 
      

      Expected results

      It should fail like

      Call failed: Failed to connect socket to '/var/run/libvirt/virtqemud-sock': No such file or directory
      

      which is right because virtqemud is not running (or of course work if it is, but then the SELinux denial doesn't happen).
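As an added example (not part of the report, of libvirt, or of selinux-policy), the Python below parses the journal excerpt quoted above and pulls out what a policy maintainer acts on: the source domain, target type, object class and permission of the denial; the syscall and errno that surfaced it; the command line hidden in the hex PROCTITLE record; and the pid the denied /proc lookup was about, correlated with virtproxyd's own "Cannot find start time" message. It assumes the x86_64 syscall table for number 257 (openat) and treats the AVC's name="6928" dev="proc" tclass=dir as the /proc/<pid> directory of the peer process, which the matching pid in virtproxyd's error supports. The allow rule it derives is the mechanical audit2allow-style translation of the denial, not the fix that was shipped.

```python
"""Parse the audit records quoted in the report and turn them into the facts
a policy maintainer acts on: source domain, target type, object class and
permission of the denial; the syscall and errno that surfaced it; the real
command line hidden in the hex PROCTITLE; and the client pid the denied
/proc lookup was about, correlated with virtproxyd's own error message."""
import errno
import re
from typing import Dict, Optional

# Sample input: the journal excerpt quoted in the report above, copied from the
# page rather than captured here.
SAMPLE_JOURNAL = """\
audit[18923]: AVC avc:  denied  { search } for  pid=18923 comm="rpc-virtproxyd" name="6928" dev="proc" ino=135827 scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
audit[18923]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5568d4998380 a2=0 a3=0 items=0 ppid=1 pid=18923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtproxyd" exe="/usr/sbin/virtproxyd" subj=system_u:system_r:virtproxyd_t:s0 key=(null)
audit: PROCTITLE proctitle=2F7573722F7362696E2F7669727470726F787964002D2D74696D656F757400313230
virtproxyd[18923]: internal error: Cannot find start time for pid 6928
virtproxyd[18923]: End of file while reading data: Input/output error
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_START_TIME = re.compile(r'Cannot find start time for pid (\d+)')
# Assumption: only the x86_64 (arch=c000003e) number this report needs.
_X86_64_SYSCALLS = {257: "openat"}


def kv_fields(line: str) -> Dict[str, str]:
    """Split an audit record's key=value pairs into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the component an allow rule names."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the denial's subject type, object type/class and permissions."""
    m = _AVC.search(line)
    if not m:
        return None
    f = kv_fields(line)
    # Assumption: name="6928" dev="proc" tclass=dir is the /proc/<pid>
    # directory of the peer process, so the name field is that process's pid.
    is_proc_pid = (f.get("dev") == "proc" and f.get("tclass") == "dir"
                   and f.get("name", "").isdigit())
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "scontext_type": context_type(f["scontext"]),
        "tcontext_type": context_type(f["tcontext"]),
        "tclass": f["tclass"],
        "enforcing": f.get("permissive") == "0",
        "comm": f.get("comm"),
        "target_pid": int(f["name"]) if is_proc_pid else None,
    }


def parse_syscall(line: str) -> Optional[Dict[str, str]]:
    """Name the syscall (x86_64 only) and errno that carried the denial."""
    if " SYSCALL " not in line:
        return None
    f = kv_fields(line)
    nr, ret = int(f["syscall"]), int(f["exit"])
    name = _X86_64_SYSCALLS.get(nr, str(nr)) if f.get("arch") == "c000003e" else str(nr)
    return {
        "syscall": name,
        "errno": errno.errorcode.get(-ret, str(ret)) if ret < 0 else "0",
        "exe": f.get("exe", ""),
    }


def decode_proctitle(line: str) -> Optional[str]:
    """PROCTITLE carries argv hex-encoded with NUL separators; recover it."""
    hexargv = kv_fields(line).get("proctitle")
    if hexargv is None:
        return None
    return " ".join(bytes.fromhex(hexargv).decode("utf-8", "replace").split("\0"))


def allow_rule(avc: Dict[str, object]) -> str:
    """Mechanical audit2allow-style translation: what the AVC says was
    missing, which is not necessarily the policy change a maintainer wants."""
    return "allow {} {}:{} {};".format(
        avc["scontext_type"], avc["tcontext_type"], avc["tclass"], " ".join(avc["perms"]))


def analyze(journal: str) -> Dict[str, object]:
    """Walk the journal lines once and tie the AVC to virtproxyd's error."""
    out: Dict[str, object] = {"avc": None, "syscall": None, "proctitle": None,
                              "allow_rule": None, "error_pid": None, "correlated": False}
    for line in journal.splitlines():
        if out["avc"] is None and (avc := parse_avc(line)) is not None:
            out["avc"], out["allow_rule"] = avc, allow_rule(avc)
        elif out["syscall"] is None and (sc := parse_syscall(line)) is not None:
            out["syscall"] = sc
        elif out["proctitle"] is None and (title := decode_proctitle(line)) is not None:
            out["proctitle"] = title
        elif (m := _START_TIME.search(line)) is not None:
            out["error_pid"] = int(m.group(1))
    avc = out["avc"]
    out["correlated"] = (avc is not None and out["error_pid"] is not None
                         and avc["target_pid"] == out["error_pid"])
    return out


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_JOURNAL).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the three records line up: openat returned EACCES (exit=-13) on a directory named 6928 on dev="proc", the PROCTITLE decodes to `/usr/sbin/virtproxyd --timeout 120`, and the pid in virtproxyd's "Cannot find start time" message is the same 6928, so the failure is the daemon being unable to read its D-Bus peer's /proc entry rather than the socket connect it should have reached first. The derived `allow virtproxyd_t unconfined_service_t:dir search;` only documents the missing permission; whether to grant it or change what the daemon does is the maintainer's call.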

            Zdenek Pytela
            Martin Pitt
            Milos Malik