[ovirt-devel] SELinux issue with f20 libvirtd

Simone Tiraboschi stirabos at redhat.com
Wed Apr 1 09:38:16 UTC 2015


Hi,
I found an issue with an SELinux denial trying to deploy hosted-engine from oVirt 3.5.1 on Fedora 20 with libvirtd from @updates.

The issue is:
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc:  denied  { write } for  pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0

and /dev/vport2p1 seems to be badly labeled:
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1

I was using:
libvirt-daemon.x86_64            1.1.3.9-1.fc20     @updates
selinux-policy.noarch            3.12.1-197.fc20    @updates                    
selinux-policy-targeted.noarch   3.12.1-197.fc20    @updates 

The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.

Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?

ciao,
Simone
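
An added Python example (not part of the original message) that parses the three audit records quoted above, decodes the hex-encoded proctitle and extracts the source and target SELinux types from the AVC record. The function names are this example's own, and it assumes the input holds a single audit event.

```python
import re

# The three records of audit event 914, copied from the message above.
EVENT = """\
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc:  denied  { write } for  pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rtype, _ts, serial, body = m.groups()
    raw = dict(FIELD.findall(body))
    rec = {k: v.strip('"') for k, v in raw.items()}
    rec.update(type=rtype, serial=int(serial))
    if rtype == "AVC":
        verdict, perms = PERMS.search(body).groups()
        rec.update(verdict=verdict, perms=perms.split())
    if rtype == "PROCTITLE":
        title = raw["proctitle"]
        # An unquoted value is hex-encoded; argv entries are NUL-separated.
        if title.startswith('"'):
            rec["argv"] = [title.strip('"')]
        else:
            rec["argv"] = bytes.fromhex(title).decode("utf-8", "replace").split("\0")
    return rec

def summarize(text):
    """Reduce the records of one event to the facts needed for triage."""
    event = {}
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            event[rec["type"]] = rec
    avc = event["AVC"]
    return {"argv": event["PROCTITLE"]["argv"], "uid": int(event["SYSCALL"]["uid"]),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"], "path": avc["path"],
            "verdict": avc["verdict"], "enforced": avc["permissive"] == "0"}

if __name__ == "__main__":
    print(summarize(EVENT))
```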


