[ovirt-devel] SELinux issue with f20 libvirtd
Nir Soffer
nsoffer at redhat.com
Wed Apr 1 15:58:39 UTC 2015
----- Original Message -----
> From: "Simone Tiraboschi" <stirabos at redhat.com>
> To: devel at ovirt.org
> Sent: Wednesday, April 1, 2015 12:38:16 PM
> Subject: [ovirt-devel] SELinux issue with f20 libvirtd
>
> Hi,
> I found an issue with an SELinux denial trying to deploy hosted-engine from
> oVirt 3.5.1 on fedora 20 with libvirtd from @updates
>
> The issue is:
> time->Tue Mar 31 17:45:09 2015
> type=PROCTITLE msg=audit(1427816709.311:914):
> proctitle=2F7362696E2F6C64636F6E666967002D70
> type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59
> success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0
> ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175
> fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295
> comm="ldconfig" exe="/usr/sbin/ldconfig"
> subj=system_u:system_r:ldconfig_t:s0 key=(null)
> type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038
> comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984
> scontext=system_u:system_r:ldconfig_t:s0
> tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
>
> and /dev/vport2p1 seams to be badly labeled:
> crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0
> /dev/vport2p1
>
> I was using:
> libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates
> selinux-policy.noarch 3.12.1-197.fc20 @updates
> selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
>
> The issue doesn't reproduce enabling virt-preview repo and using a fresher
> libvirtd.
>
> Should I open a bug to have something back-ported on f20 libvirt or should we
> explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for
> master?
I think you should open a bug for libvirt and or selinux. This is probably an
selinux issue, but libvirt guys should be in the loop.
If the platform cannot provide a fix for fedora 20, we can require virt-preview.
Adding Eric who can give a better answer.
Nir
More information about the Devel
mailing list