[DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

Andreas Florath andre at flonatel.org
Sun Aug 17 18:59:35 UTC 2014 

Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: important

Dear Maintainer,

it is impossible to use tools based on or using libvirt when
enforcing is set to on.

root at nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Also tools like 'virt-manager' show the same problem.

>From journal:
Aug 17 20:03:30 nestor libvirtd[676]: no connection driver available for qemu:///system
Aug 17 20:03:34 nestor libvirtd[676]: End of file while reading data: Input/output error

When using permissive mode, everything works fine.
I did not find any logs when enforcing - maybe because of the early start phase of
the process libvirtd.
The following AVCs are logged when using permissive mode:

type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc:  denied  { execstack } for  pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process 
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc:  denied  { execstack } for  pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process 

IMHO this is important, because it is not possible to just temporarily 
set SELinux to permissive, do some tasks and set it back to enforcing.
When using libvirtd the system cannot run in enforcing mode.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

More information about the SELinux-devel mailing list