Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-46893

selinux-policy-40.13.4-1.el10.noarch breaks libvirt-dbus and libvirt

XMLWordPrintable

    • selinux-policy-40.13.6-1.el10
    • Yes
    • Critical
    • rhel-sst-security-selinux
    • ssg_security
    • 23
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The busctl commands do not trigger SELinux denials. SELinux policy allows the communication between libvirt-dbus and other virt* services.

      Show
      The busctl commands do not trigger SELinux denials. SELinux policy allows the communication between libvirt-dbus and other virt* services.
    • Pass
    • Automated
    • Enhancement
    • Hide
      .Rules for additional `libvirt` services added to the SELinux policy

      The following SELinux types related to the `libvirt` services have been added to the SELinux policy:

      * `virt_dbus_t`
      * `virt_hook_unconfined_t`
      * `virt_qmf_t`
      * `virtinterfaced_t`
      * `virtnetworkd_t`
      * `virtnodedevd_t`
      * `virtnwfilterd_t`
      * `virtproxyd_t`
      * `virtqemud_t`
      * `virtsecretd_t`
      * `virtstoraged_t`
      * `virtvboxd_t`
      * `virtvzd_t`
      * `virtxend_t`
      Show
      .Rules for additional `libvirt` services added to the SELinux policy The following SELinux types related to the `libvirt` services have been added to the SELinux policy: * `virt_dbus_t` * `virt_hook_unconfined_t` * `virt_qmf_t` * `virtinterfaced_t` * `virtnetworkd_t` * `virtnodedevd_t` * `virtnwfilterd_t` * `virtproxyd_t` * `virtqemud_t` * `virtsecretd_t` * `virtstoraged_t` * `virtvboxd_t` * `virtvzd_t` * `virtxend_t`
    • Done
    • None

      The latest RHEL/CentOS 10 selinux-policy update breaks libvirt-dbus and thus cockpit-machines. Today's run with selinux-policy-40.13.4-1.el10.noarch is a complete failure, while a run from yesterday with selinux-policy-40.13.3-2.el10.noarch still works.

      Trivial reproducer, any call to libvirt-dbus fails:

      # busctl call org.libvirt /org/libvirt/QEMU org.libvirt.Connect ListDomains u 0
Call failed: Failed to connect socket to '/var/run/libvirt/virtqemud-sock': Permission denied

      AVC avc:  denied  { connectto } for  pid=3788 comm="pool-libvirt-db" path="/run/libvirt/virtqemud-sock" scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=unix_stream_socket permissive=0

      Without libvirt-dbus, spawning libvirt directly also fails:

      # virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1
WARNING  Treating --wait 0 as --noautoconsole
WARNING  The guest's network configuration may not support PXE
WARNING  Requested memory 50 MiB is less than the recommended 128 MiB for OS alpinelinux3.8

Starting install...
ERROR    GDBus.Error:org.freedesktop.DBus.Error.NoReply: Remote peer disconnected
Domain installation does not appear to have been successful.

      which is due to 

      AVC avc:  denied  { create } for  pid=3958 comm="systemd-machine" name="machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0

      Both commands work after setenforce 0

              rhn-support-zpytela Zdenek Pytela
              rhn-engineering-mpitt Martin Pitt
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated: