[DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Andreas Florath
andre at flonatel.org
Sun Aug 17 18:59:35 UTC 2014
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: important
Dear Maintainer,
it is impossible to use tools based on or using libvirt when
enforcing is set to on.
root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system
Also tools like 'virt-manager' show the same problem.
From journal:
Aug 17 20:03:30 nestor libvirtd[676]: no connection driver available for qemu:///system
Aug 17 20:03:34 nestor libvirtd[676]: End of file while reading data: Input/output error
When using permissive mode, everything works fine.
I did not find any logs when enforcing - maybe because of the early start phase of
the process libvirtd.
The following AVCs are logged when using permissive mode:
type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc: denied { execstack } for pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc: denied { execstack } for pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
IMHO this is important, because it is not possible to just temporarily
set SELinux to permissive, do some tasks and set it back to enforcing.
When using libvirtd the system cannot run in enforcing mode.
Kind regards
Andre
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3
ii libselinux1 2.3-1
ii libsepol1 2.3-1
ii policycoreutils 2.3-1
ii python 2.7.8-1
ii selinux-utils 2.3-1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
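As an added illustration (not part of the bug report or of the Debian selinux-policy packages), the following Python snippet parses the two AVC records quoted above and collapses them into the single type-enforcement rule that would silence them, which is the quickest way to read what the denials actually ask for before deciding whether granting execstack to virtd_t is acceptable. The input is the page's own AVC lines, embedded here as constructed test data; the helper names are the example's own.

```python
import re

# Constructed sample input: the two AVC records from the bug report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc: denied { execstack } for pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc: denied { execstack } for pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the permissions, contexts and class of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and other audit types are skipped
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def type_of(context):
    # user:role:type:range  ->  type, e.g. system_u:system_r:virtd_t:s0 -> virtd_t
    return context.split(":")[2]


def summarize(audit_text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    rules = {}
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        tgt = "self" if src == tgt else tgt  # both records target virtd_t itself
        rules.setdefault((src, tgt, avc["tclass"]), set()).update(avc["perms"])
    return rules


def te_rules(rules):
    """Render the grouped denials as policy 'allow' statements."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]
```

Both records reduce to `allow virtd_t self:process { execstack };`, i.e. libvirtd and the qemu it spawned asked for an executable stack (the PROT_EXEC mprotect in the SYSCALL records); before granting that permission it is worth checking which library in those binaries is marked with an executable GNU_STACK, since fixing the binary removes the denial without weakening the policy.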