----- Original Message -----
From: "Simone Tiraboschi" <stirabos(a)redhat.com>
To: devel(a)ovirt.org
Sent: Wednesday, April 1, 2015 12:38:16 PM
Subject: [ovirt-devel] SELinux issue with f20 libvirtd
Hi,
I found an issue with an SELinux denial while trying to deploy hosted-engine from
oVirt 3.5.1 on Fedora 20 with libvirtd from @updates.
The issue is:
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914):
proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59
success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0
ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175
fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295
comm="ldconfig" exe="/usr/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038
comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs"
ino=9984
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
and /dev/vport2p1 seems to be badly labeled:
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0
/dev/vport2p1
I was using:
libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates
selinux-policy.noarch 3.12.1-197.fc20 @updates
selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher
libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we
explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for
master?
I think you should open a bug for libvirt and/or SELinux. This is probably an
SELinux issue, but libvirt guys should be in the loop.
If the platform cannot provide a fix for Fedora 20, we can require virt-preview.
Adding Eric who can give a better answer.
Nir
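
For triage of the audit event quoted in this thread, the following is an added example (not part of the original messages and not oVirt or libvirt code) that correlates the PROCTITLE, SYSCALL and AVC records by event serial, decodes the hex-encoded proctitle, and extracts the source and target SELinux types. The function names are hypothetical, and the sample input is the thread's records re-joined onto one line each.

```python
import re

# Constructed input: the three records from the post, re-joined onto one line
# each (the mail wrapped them); the SYSCALL record is trimmed to a few fields.
SAMPLE = """\
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 pid=7038 uid=175 comm="ldconfig" exe="/usr/sbin/ldconfig"
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def decode_proctitle(raw):
    """Unquoted all-hex values are hex-encoded argv with NUL separators."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).replace(b'\x00', b' ').decode('utf-8', 'replace')
    return raw.strip('"')

def summarize_denials(text):
    """Correlate records by event serial; return one summary per AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = (dict(FIELD.findall(body)), body)
    summaries = []
    for serial, recs in events.items():
        denied = PERMS.search(recs['AVC'][1]) if 'AVC' in recs else None
        if not denied:
            continue
        avc = {k: v.strip('"') for k, v in recs['AVC'][0].items()}
        title = recs.get('PROCTITLE', ({}, ''))[0].get('proctitle', '')
        summaries.append({
            'serial': serial,
            'command': decode_proctitle(title),
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': denied.group(1).split(),
            'path': avc.get('path'),
            'enforced': avc.get('permissive') == '0',
        })
    return summaries

if __name__ == '__main__':
    for s in summarize_denials(SAMPLE):
        print(s)
```

The summary pairs the denied permission with the decoded command line and the two types, which is the information a libvirt or selinux-policy bug report needs.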