[ovirt-devel] SELinux issue with f20 libvirtd
Simone Tiraboschi
stirabos at redhat.com
Wed Apr 1 09:38:16 UTC 2015
Hi,
I found an issue with an SELinux denial trying to deploy hosted-engine from oVirt 3.5.1 on Fedora 20 with libvirtd from @updates.
The issue is:
time->Tue Mar 31 17:45:09 2015
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427816709.311:914): arch=c000003e syscall=59 success=yes exit=0 a0=23f9af0 a1=23f9bf0 a2=23f8b60 a3=7ffcc784f150 items=0 ppid=7037 pid=7038 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
and /dev/vport2p1 seems to be badly labeled:
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
I was using:
libvirt-daemon.x86_64 1.1.3.9-1.fc20 @updates
selinux-policy.noarch 3.12.1-197.fc20 @updates
selinux-policy-targeted.noarch 3.12.1-197.fc20 @updates
The issue doesn't reproduce enabling virt-preview repo and using a fresher libvirtd.
Should I open a bug to have something back-ported on f20 libvirt or should we explicitly require virt-preview repo for oVirt 3.5.2 as we are doing for master?
ciao,
Simone
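
Added example, not part of the original post: a small Python parser that reads the PROCTITLE and AVC records quoted above, decodes the hex-encoded proctitle into the command line, and extracts the source and target SELinux types of the denial. The function names are hypothetical and the two records are copied from the post.

```python
import re
from collections import defaultdict

# PROCTITLE and AVC records of audit event 914, copied from the post above.
RECORDS = """\
type=PROCTITLE msg=audit(1427816709.311:914): proctitle=2F7362696E2F6C64636F6E666967002D70
type=AVC msg=audit(1427816709.311:914): avc: denied { write } for pid=7038 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
"""
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def decode_proctitle(value):
    """Return argv; auditd hex-encodes it when it holds NUL separators."""
    if value.startswith('"'):          # plain, quoted form: single argument
        return [value.strip('"')]
    try:
        raw = bytes.fromhex(value)
    except ValueError:                 # e.g. "(null)"
        return [value]
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def se_type(context):
    # A context is user:role:type:level; type enforcement keys on field 3.
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_events(text):
    """Group records by audit serial number and summarise each AVC record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[int(serial)]
        if rtype == "PROCTITLE":
            ev["argv"] = decode_proctitle(fields.get("proctitle", ""))
        elif rtype == "AVC":
            p = PERMS.search(body)
            ev["result"] = p.group(1) if p else None
            ev["perms"] = p.group(2).split() if p else []
            ev.update({k: fields.get(k, "").strip('"') for k in ("comm", "path", "tclass")})
            ev["source_type"] = se_type(fields.get("scontext", ""))
            ev["target_type"] = se_type(fields.get("tcontext", ""))
            ev["permissive"] = fields.get("permissive") == "1"
    return dict(events)
```

For the records above this yields the command line /sbin/ldconfig -p and a denied write from ldconfig_t to a virtio_device_t chr_file at /dev/vport2p1.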