RHEL-37822

SELinux denial when virtqemud is stopped: avc: denied { search } for comm="rpc-virtproxyd" dev="proc"

    • selinux-policy-40.13.5-1.el10
    • rhel-sst-security-selinux
    • ssg_security
    • 21
    • QE ack
    • False
    • No
    • CentOS Stream
    • The steps to reproduce do not trigger any SELinux denials on a RHEL-10 machine with default configuration. The automated TC passes.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • x86_64

      What were you trying to do that didn't work?

      I'm enabling cockpit-machines testing on CentOS 10 (and soon RHEL 10), and after a plethora of bugs inherited from Fedora 40, there is one CentOS 10-specific SELinux denial.

      I'm not sure if libvirt ships its own SELinux policy or relies on selinux-policy. In the latter case, please reassign.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.1-1.el10.noarch
      libvirt-dbus-1.4.1-4.el10.x86_64
      libvirt-daemon-proxy-10.0.0-3.el10.x86_64

      How reproducible:

      Always

      Steps to reproduce

      systemctl stop virtqemud virtqemud{,-ro,-admin}.socket
      busctl call org.libvirt /org/libvirt/QEMU/domain org.libvirt.Domain GetHostname u 0
      

      Actual results

      Fails with

      Call failed: internal error: Cannot find start time for pid 5017
      

      which smells a bit like a polkit check? (libpolkit client library). The journal says why:

      audit[18923]: AVC avc:  denied  { search } for  pid=18923 comm="rpc-virtproxyd" name="6928" dev="proc" ino=135827 scontext=system_u:system_r:virtproxyd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0 
      audit[18923]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5568d4998380 a2=0 a3=0 items=0 ppid=1 pid=18923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtproxyd" exe="/usr/sbin/virtproxyd" subj=system_u:system_r:virtproxyd_t:s0 key=(null) 
      audit: PROCTITLE proctitle=2F7573722F7362696E2F7669727470726F787964002D2D74696D656F757400313230 
      virtproxyd[18923]: internal error: Cannot find start time for pid 6928 
      virtproxyd[18923]: End of file while reading data: Input/output error 
      

      Expected results

      It should fail like

      Call failed: Failed to connect socket to '/var/run/libvirt/virtqemud-sock': No such file or directory
      

      which is right because virtqemud is not running (or of course work if it is, but then the SELinux denial doesn't happen).
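The three audit records quoted in the report, decoded by an added Python script (this is not part of the bug report, of libvirt or of selinux-policy). It splits the AVC into source type, target type, object class and permission, emits the rule that audit2allow would generate for that single denial, maps the SYSCALL record's number and exit value to a syscall name and errno on x86_64, and turns the hex PROCTITLE back into the command line. The partial syscall table and the choice of fields to extract are my own; the audit lines are the ones from the report.

```python
import errno
import re

# The three audit records quoted in the bug report (copied from the page, not constructed).
AUDIT_LINES = [
    'audit[18923]: AVC avc:  denied  { search } for  pid=18923 comm="rpc-virtproxyd" '
    'name="6928" dev="proc" ino=135827 scontext=system_u:system_r:virtproxyd_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0',
    'audit[18923]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c '
    'a1=5568d4998380 a2=0 a3=0 items=0 ppid=1 pid=18923 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="rpc-virtproxyd" exe="/usr/sbin/virtproxyd" subj=system_u:system_r:virtproxyd_t:s0 key=(null)',
    'audit: PROCTITLE proctitle=2F7573722F7362696E2F7669727470726F787964002D2D74696D656F757400313230',
]

# key=value pairs: the value is either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The verdict and permission set of an AVC record, e.g.  avc:  denied  { search }
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')

# Partial x86_64 syscall table (arch=c000003e); assumption: only the file-access
# syscalls that commonly show up behind dir/file AVCs are listed.
X86_64_SYSCALLS = {2: "open", 4: "stat", 257: "openat", 262: "newfstatat"}


def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def selinux_type(context):
    """Extract the type from a user:role:type:range security context."""
    return context.split(":", 3)[2]


def parse_avc(line):
    """Decode an AVC record into the parts that decide what policy is needed."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    f = parse_fields(line)
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "source_type": selinux_type(f["scontext"]),
        "target_type": selinux_type(f["tcontext"]),
        "tclass": f["tclass"],
        "comm": f.get("comm"),
        "name": f.get("name"),
        "dev": f.get("dev"),
        # permissive=0 means the denial was enforced, not merely logged
        "enforcing": f.get("permissive") == "0",
    }


def audit2allow_rule(avc):
    """The allow rule audit2allow would print for this single AVC record."""
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perms)


def describe_syscall(fields):
    """Map a SYSCALL record to (syscall name, errno name); exit=-13 is EACCES."""
    if fields.get("arch") != "c000003e":
        raise ValueError("only x86_64 records are handled here")
    nr = int(fields["syscall"])
    err = -int(fields["exit"]) if fields.get("success") == "no" else 0
    return X86_64_SYSCALLS.get(nr, "syscall_%d" % nr), errno.errorcode.get(err, str(err))


def decode_proctitle(fields):
    """PROCTITLE carries argv hex-encoded, with NUL bytes between arguments."""
    raw = bytes.fromhex(fields["proctitle"])
    return raw.decode("utf-8", "replace").replace("\0", " ")


def analyze(lines):
    """Tie the AVC, SYSCALL and PROCTITLE records into one summary."""
    avc = parse_avc(lines[0])
    syscall, err = describe_syscall(parse_fields(lines[1]))
    return {
        "cmdline": decode_proctitle(parse_fields(lines[2])),
        "syscall": syscall,
        "errno": err,
        # dev="proc" name="6928" tclass=dir: the object is the /proc/<pid> directory
        "object": "/proc/%s (on %s)" % (avc["name"], avc["dev"]),
        "rule": audit2allow_rule(avc),
        "enforcing": avc["enforcing"],
    }


if __name__ == "__main__":
    for key, value in analyze(AUDIT_LINES).items():
        print("%-10s %s" % (key, value))
```

Run against the quoted records this reports the command line `/usr/sbin/virtproxyd --timeout 120`, an `openat` that failed with `EACCES`, the object `/proc/6928`, and the rule `allow virtproxyd_t unconfined_service_t:dir search;`. The object being the `/proc/<pid>` directory of a process running in `unconfined_service_t` is what ties the denial to the `Cannot find start time for pid 6928` message: virtproxyd looks the peer's start time up under `/proc/<pid>` and is refused at the directory search step. On an affected machine, `sesearch -A -s virtproxyd_t -t unconfined_service_t -c dir` shows whether the installed policy already carries such a rule, and `ausearch -m AVC -c rpc-virtproxyd | audit2allow` reproduces the same rule if a local module is needed while waiting for the fixed selinux-policy build listed on this issue.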

              rhn-support-zpytela Zdenek Pytela
              rhn-engineering-mpitt Martin Pitt
              Milos Malik