-
Bug
-
Resolution: Unresolved
-
Major
-
CentOS Stream 10, rhel-10.0.beta
-
selinux-policy-40.13.6-1.el10
-
Yes
-
Urgent
-
sst_security_selinux
-
ssg_security
-
23
-
None
-
QE ack
-
False
-
-
No
-
None
-
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
None
The latest RHEL/CentOS 10 selinux-policy update breaks libvirt-dbus and thus cockpit-machines. Today's run with selinux-policy-40.13.4-1.el10.noarch is a complete failure, while a run from yesterday with selinux-policy-40.13.3-2.el10.noarch still works.
Trivial reproducer, any call to libvirt-dbus fails:
# busctl call org.libvirt /org/libvirt/QEMU org.libvirt.Connect ListDomains u 0
Call failed: Failed to connect socket to '/var/run/libvirt/virtqemud-sock': Permission denied
AVC avc: denied { connectto } for pid=3788 comm="pool-libvirt-db" path="/run/libvirt/virtqemud-sock" scontext=system_u:system_r:virt_dbus_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=unix_stream_socket permissive=0
Without libvirt-dbus, spawning libvirt directly also fails:
# virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1
WARNING Treating --wait 0 as --noautoconsole
WARNING The guest's network configuration may not support PXE
WARNING Requested memory 50 MiB is less than the recommended 128 MiB for OS alpinelinux3.8
Starting install...
ERROR GDBus.Error:org.freedesktop.DBus.Error.NoReply: Remote peer disconnected
Domain installation does not appear to have been successful.
which is due to
AVC avc: denied { create } for pid=3958 comm="systemd-machine" name="machine" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Both commands work after setenforce 0
- is cloned by
-
-
- Release Pending
-
- links to
