Bug
Resolution: Won't Do
Minor
rhel-10.0.beta
Critical
rhel-sst-security-selinux
ssg_security
Unspecified Release Note Type - Unknown
Description of problem:
The virtnetworkd log file cannot be placed under "/var/lib/".
Version-Release number of selected component (if applicable):
libvirt-10.4.0-1.el10.x86_64
selinux-policy-40.13.2-1.el10.noarch
How reproducible:
100%
Steps to Reproduce:
1. Set the virtnetworkd.log file path as "/var/lib/virtnetworkd.log" in the configuration file, then restart the service:
# getenforce
Enforcing
# cat /etc/libvirt/virtnetworkd.conf
log_outputs="2:file:/var/lib/virtnetworkd.log"
# systemctl restart virtnetworkd
Job for virtnetworkd.service failed because the control process exited with error code.
See "systemctl status virtnetworkd.service" and "journalctl -xeu virtnetworkd.service" for details.
2. Check the audit log; it contains several AVC denials for virtnetworkd, such as:
time->Wed Jun 12 09:08:21 2024
type=PROCTITLE msg=audit(1718197701.069:16111): proctitle=2F7573722F7362696E2F766972746E6574776F726B64002D2D74696D656F757400313230
type=SYSCALL msg=audit(1718197701.069:16111): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=558b52bf58e0 a2=441 a3=180 items=0 ppid=1 pid=261417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtnetworkd" exe="/usr/sbin/virtnetworkd" subj=system_u:system_r:virtnetworkd_t:s0 key=(null)
type=AVC msg=audit(1718197701.069:16111): avc: denied { write } for pid=261417 comm="virtnetworkd" name="lib" dev="dm-0" ino=67108996 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Actual results:
The virtnetworkd log file cannot be placed under the "/var/lib/" directory; the service fails to start.
Expected results:
The log file can be placed under "/var/lib/", as on RHEL 9.
Additional info:
The other daemons, including virtinterfaced, virtnodedevd, virtnwfilterd and virtproxyd, cannot write their logs under "/var/lib/" either. On RHEL 9 with selinux-policy-38.1.38-1.el9.noarch, all of these services can write their logs under "/var/lib/".
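An added triage helper for denials of the shape quoted in step 2; it is not part of the bug report or of the selinux-policy project. It joins the AVC, SYSCALL and PROCTITLE records of one event, decodes the hex-encoded command line, maps the x86_64 syscall number and open(2) flag bits using small tables constructed here (an assumption: only arch=c000003e is handled), and renders the minimal Type Enforcement rule of the form audit2allow would propose so the reviewer can see exactly how broad the grant would be. The sample event is the one from the report, embedded inline.

```python
import errno
import re

# Constructed sample: the audit event quoted in the bug report, split into its
# three records (ausearch prints them this way, one event id per block).
SAMPLE_EVENT = """\
time->Wed Jun 12 09:08:21 2024
type=PROCTITLE msg=audit(1718197701.069:16111): proctitle=2F7573722F7362696E2F766972746E6574776F726B64002D2D74696D656F757400313230
type=SYSCALL msg=audit(1718197701.069:16111): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=558b52bf58e0 a2=441 a3=180 items=0 ppid=1 pid=261417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtnetworkd" exe="/usr/sbin/virtnetworkd" subj=system_u:system_r:virtnetworkd_t:s0 key=(null)
type=AVC msg=audit(1718197701.069:16111): avc: denied { write } for pid=261417 comm="virtnetworkd" name="lib" dev="dm-0" ino=67108996 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""

# Assumption: a small x86_64 (arch=c000003e) syscall table covering file-creation denials.
X86_64_SYSCALLS = {2: "open", 257: "openat", 83: "mkdir", 258: "mkdirat", 82: "rename"}
# open(2) flag bits, listed in the order they are normally written.
OPEN_FLAGS = [(0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"),
              (0o1000, "O_TRUNC"), (0o2000, "O_APPEND")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")


def parse_record(line):
    """Turn one audit record line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_proctitle(hex_value):
    """PROCTITLE is hex-encoded argv with NUL separators; render it as a command line."""
    return " ".join(part.decode("utf-8", "replace")
                    for part in bytes.fromhex(hex_value).split(b"\0") if part)


def summarize_event(text):
    """Join the AVC, SYSCALL and PROCTITLE records of one event into a triage summary."""
    records = {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue                      # skip the "time->" header line
        rec = parse_record(line)
        records[rec["type"]] = (rec, line)
    avc, avc_line = records["AVC"]
    sc = records.get("SYSCALL", ({}, ""))[0]
    pt = records.get("PROCTITLE", ({}, ""))[0]
    ts, serial = EVENT_RE.search(avc_line).groups()

    summary = {
        "event_id": f"{ts}:{serial}",
        "scontext": avc["scontext"],
        "tcontext": avc["tcontext"],
        "tclass": avc["tclass"],
        "perms": PERMS_RE.search(avc_line).group(1).split(),
        "comm": avc.get("comm"),
        "target_name": avc.get("name"),   # for tclass=dir this is the directory being written to
        "enforced": avc.get("permissive") == "0",
        "syscall": None, "errno": None, "open_flags": [], "mode": None,
        "proctitle": decode_proctitle(pt["proctitle"]) if "proctitle" in pt else None,
    }
    if sc.get("arch") == "c000003e":      # only decode numbers we have a table for
        nr = int(sc["syscall"])
        summary["syscall"] = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
        rc = int(sc.get("exit", "0"))
        if rc < 0:                        # negative exit is -errno
            summary["errno"] = errno.errorcode.get(-rc, str(rc))
        if summary["syscall"] in ("open", "openat"):
            flags = int(sc["a2"], 16)     # register values are printed in hex
            summary["open_flags"] = [n for bit, n in OPEN_FLAGS if flags & bit]
            summary["mode"] = oct(int(sc["a3"], 16)) if "O_CREAT" in summary["open_flags"] else None
    return summary


def suggest_allow_rule(summary):
    """Render the narrowest Type Enforcement rule that would have allowed this access
    (the shape audit2allow proposes); it is a starting point for review, not a fix."""
    stype = summary["scontext"].split(":")[2]
    ttype = summary["tcontext"].split(":")[2]
    perms = summary["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{summary['tclass']} {perm_text};"


if __name__ == "__main__":
    s = summarize_event(SAMPLE_EVENT)
    for k, v in s.items():
        print(f"{k:12} {v}")
    print(suggest_allow_rule(s))
```

Run on the sample, the summary shows the daemon (command line "/usr/sbin/virtnetworkd --timeout 120") calling openat with a0=ffffff9c (AT_FDCWD), O_WRONLY|O_CREAT|O_APPEND and mode 0600, and getting EACCES because virtnetworkd_t has no write permission on the var_lib_t directory "/var/lib" itself; creating the log file needs that directory write. The rendered rule, "allow virtnetworkd_t var_lib_t:dir write;", makes the breadth of the grant visible: it is the generic /var/lib label, not a log-specific one, and this report asking for that access in the distribution policy was resolved Won't Do, so anyone carrying such a rule in a local module owns its review.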
Is related to: RHEL-68433 Openstack VMs can't run because they don't have permission to write console.log (Closed)