View Issue Details

ID: 0017434
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-08-06 14:23
Reporter: gwald
Priority: normal
Severity: block
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.8-2003
Target Version:
Fixed in Version:
Summary: 0017434: SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock
Description: SELinux is preventing /usr/sbin/libvirtd from connectto access on the unix_stream_socket /run/libvirt/virtlockd-sock.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that libvirtd should be allowed connectto access on the virtlockd-sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'libvirtd' --raw | audit2allow -M my-libvirtd
# semodule -i my-libvirtd.pp


Additional Information:
Source Context system_u:system_r:svirt_t:s0:c397,c1008
Target Context system_u:system_r:virtlogd_t:s0-s0:c0.c1023
Target Objects /run/libvirt/virtlockd-sock [ unix_stream_socket ]
Source libvirtd
Source Path /usr/sbin/libvirtd
Port <Unknown>
Host al30-web09.belwue.de
Source RPM Packages libvirt-daemon-4.5.0-33.el7_8.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name al30-web09.belwue.de
Platform Linux al30-web09.belwue.de 3.10.0-1127.8.2.el7.x86_64 #1 SMP Tue May 12 16:57:42 UTC 2020 x86_64 x86_64
Alert Count 1
First Seen 2020-06-05 10:59:42 CEST
Last Seen 2020-06-05 10:59:42 CEST
Local ID 1fef31e2-d10d-4feb-93eb-1feddf85e0f7

Raw Audit Messages
type=AVC msg=audit(1591347582.859:23909): avc: denied { connectto } for pid=121435 comm="libvirtd" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c397,c1008 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


type=SYSCALL msg=audit(1591347582.859:23909): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7f94e57b9f10 a2=6e a3=6b636f732d646b items=0 ppid=1 pid=121435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Hash: libvirtd,svirt_t,virtlogd_t,unix_stream_socket,connectto
Steps To Reproduce:
- Update to 7.8.2003
- call:
/usr/bin/virt-install --connect "qemu:///system" --wait 0 --noautoconsole --vnc --accelerate --name testvm --memory 2048 --vcpus 2 --os-variant rhel7.0 --network network:default --location http://cobbler01/cblr/links/CentOS-7-DVD-2003-x86_64 --extra-args="inst.text inst.ks.sendmac console=ttyS0,115200 rd.neednet=1 inst.ks=http://cobbler01/cblr/svc/op/ks/system/testvm" --disk "cache=none,path=/srv/kvm/images/testvm-disk0,size=30,format=raw"

Output:
Starting install...
Retrieving file vmlinuz... | 6.4 MB 00:00:00
Retrieving file initrd.img... | 53 MB 00:00:00
Allocating 'testvm-disk0' | 30 GB 00:00:00
ERROR internal error: Process exited prior to exec: libvirt: XML-RPC error : Failed to connect socket to '/var/run/libvirt/virtlockd-sock': Permission denied
Removing disk 'testvm-disk0' | 0 B 00:00:00
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start testvm
otherwise, please restart your installation.

- journalctl -t setroubleshoot | grep virtlockd-sock
- sealert -l <THE-UUID-YOU-SEE>
Tags: No tags attached.

Activities

gwald (reporter), 2020-06-16 06:22, note ~0037120

A "yum update", which brought "libvirt-4.5.0-33.el7_8.1" and "selinux-policy-*3.13.1-266.el7", solved the problem.

gwald (reporter), 2020-06-17 04:47, note ~0037133

Grrr - test was on the wrong machine :-((

Problem still exists:

#> cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

#> yum list libvirt 'selinux*'
libvirt.x86_64 4.5.0-33.el7_8.1
selinux-policy.noarch 3.13.1-266.el7
selinux-policy-targeted.noarch 3.13.1-266.el7

gwald (reporter), 2020-06-19 06:27, note ~0037166

More investigation:

- Install CentOS 7.7
- Update to CentOS 7.8
- Activate lock_manager = "lockd" in "/etc/libvirt/qemu.conf"
- The above error occurs

Without updating "selinux-policy" and "selinux-policy-targeted" from version 3.13.1-252.el7_7.6 to 3.13.1-266.el7 it works.

gwald (reporter), 2020-06-19 06:31, note ~0037167

In our case we also use NFS so we have:

#> getsebool virt_use_nfs
virt_use_nfs --> on

So our workaround is:
- Building the module as suggested in the first report
  -> ausearch -c 'libvirtd' --raw | audit2allow -M libvirtd_fix
- PLUS building a module from another "sealert -l <UUID>"
  -> ausearch -c 'virtlockd' --raw | audit2allow -M virtlockd_fix
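
The sealert suggestion in the description and the two-module workaround in the note above both pipe "ausearch --raw" into audit2allow, which emits an allow rule for every denial recorded for that comm, not only the virtlockd-sock one. The script below is an added example (it is not code from this report, from setroubleshoot or from libvirt) that builds the same kind of policy module source from raw AVC records so the rules can be read and pruned before compiling. Its input is constructed: the AVC record quoted in this report plus one made-up user_home_t denial to show how a comm-wide sweep picks up unrelated denials. The function name avc_to_te is an assumption; the module name my-libvirtd is the one sealert suggested.

```shell
#!/bin/bash
# Added example, not from the bug report: turn raw AVC records into a
# minimal policy module source (.te) that is meant to be read and pruned
# before it is compiled and installed.

# Constructed input: the AVC line from this report, one invented denial
# against a user_home_t file (to show the sweep), and a SYSCALL record
# that must be ignored because it carries no class/permission.
SAMPLE_AVCS='type=AVC msg=audit(1591347582.859:23909): avc: denied { connectto } for pid=121435 comm="libvirtd" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c397,c1008 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1591347600.000:23910): avc: denied { read open } for pid=121435 comm="libvirtd" name="disk.img" dev="dm-0" ino=5678 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1591347582.859:23909): arch=x86_64 syscall=connect success=no exit=EACCES comm=libvirtd exe=/usr/sbin/libvirtd'

# usage: avc_to_te MODULE_NAME < audit-records    (prints the .te on stdout)
# One allow rule per distinct (source type, target type, class); permissions
# are deduplicated. Records that are not AVC denials are skipped.
avc_to_te() {
    awk -v modname="$1" '
    /^type=AVC / && / denied / {
        # the permission list sits between the braces: { connectto }
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            # the type is the third field of a context: user:role:type:level
            if (k == "scontext")      { split(v, ctx, ":"); stype = ctx[3] }
            else if (k == "tcontext") { split(v, ctx, ":"); ttype = ctx[3] }
            else if (k == "tclass")   cls = v
        }
        if (stype == "" || ttype == "" || cls == "") next
        key = stype SUBSEP ttype SUBSEP cls
        if (!(key in rule)) { order[++nrules] = key; rule[key] = "" }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
            if (!((cls, p[j]) in cseen)) { cseen[cls, p[j]] = 1; classperms[cls] = classperms[cls] " " p[j] }
        }
        types[stype] = 1; types[ttype] = 1
    }
    END {
        if (nrules == 0) { print "no AVC denials in input" > "/dev/stderr"; exit 1 }
        print "module " modname " 1.0;"
        print ""
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (cl in classperms) print "\tclass " cl " {" classperms[cl] " };"
        print "}"
        print ""
        # one allow rule per (source, target, class): delete the ones you do not want
        for (i = 1; i <= nrules; i++) {
            split(order[i], f, SUBSEP)
            print "allow " f[1] " " f[2] ":" f[3] " {" rule[order[i]] " };"
        }
    }'
}

# Offline run on the constructed records above.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_te my-libvirtd

# On a real host (standard policycoreutils/checkpolicy tools):
#   ausearch -m AVC -c libvirtd --raw | avc_to_te my-libvirtd > my-libvirtd.te
#   (edit my-libvirtd.te: keep only the virtlogd_t unix_stream_socket rule)
#   checkmodule -M -m -o my-libvirtd.mod my-libvirtd.te
#   semodule_package -o my-libvirtd.pp -m my-libvirtd.mod
#   semodule -i my-libvirtd.pp
```

On the constructed input the module contains two allow rules; only the first, "allow svirt_t virtlogd_t:unix_stream_socket { connectto };", corresponds to this report, and the user_home_t one is exactly the kind of unrelated denial a comm-wide sweep would silently whitelist. Note that the AVC record names svirt_t as source while the SYSCALL record in the report shows subj=virtd_t; only AVC records contribute rules, so when pruning check that the source type you keep matches the denial you are actually fixing.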

diego.santacruz (reporter), 2020-08-06 14:23, note ~0037505

I could workaround the issue with the above instructions, thanks!

The problem seems to be that in 7.7 virtlockd was labeled virtd_exec_t, but in 7.8 it is labeled virtlogd_exec_t, which seems to be wrong.

This change was done in selinux-policy 3.13.1-253 for https://bugzilla.redhat.com/show_bug.cgi?id=1714896.

But apparently upstream has a patch which introduces a specific virtlockd_exec_t label and related policy for libvirtlock: http://oss.tresys.com/pipermail/refpolicy/2015-September/007740.html, but it does not seem to be integrated with the package in CentOS 7.8.

Note that this problem is also reported upstream at https://bugzilla.redhat.com/show_bug.cgi?id=1792713
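
To confirm what the note above describes on a given host, the script below (an added example, not from this report or from the selinux-policy package) compares the label the policy expects for /usr/sbin/virtlockd with the label actually on the file and with the domain of the running daemon, and tells a stray file label (fixed by restorecon) apart from a policy that itself maps virtlockd to virtlogd_exec_t, which is the 7.8 situation described here. The function names and the constructed contexts at the bottom are assumptions; the commands in the comment are standard policycoreutils, coreutils and procps tools.

```shell
#!/bin/bash
# Added example, not from the bug report: classify the virtlockd labelling
# on a host so the right fix is applied (restorecon, restart, or policy).

# The type is the third colon-separated field of an SELinux context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Arguments: the context the policy expects for /usr/sbin/virtlockd
# (matchpathcon -n), the label actually on the file (stat -c %C) and the
# domain of the running virtlockd process (ps -o label=).
# Prints one status word on stdout; the explanation goes to stderr.
# Exit status: 0 when consistent, 1 when a fix is needed, 2 when unexpected.
virtlockd_label_check() {
    local want have run
    want=$(ctx_type "$1"); have=$(ctx_type "$2"); run=$(ctx_type "$3")
    if [ "$want" != "$have" ]; then
        echo "file label $have differs from policy ($want): restorecon -v /usr/sbin/virtlockd" >&2
        echo relabel; return 1
    fi
    case "$have" in
        virtlogd_exec_t)
            # the case in this report: the policy itself folds virtlockd into
            # virtlogd's type, so restorecon cannot help
            echo "policy labels virtlockd as virtlogd_exec_t, so it runs as ${run:-<not running>}; a policy change or local module is needed" >&2
            echo policy-virtlogd; return 1 ;;
        virtd_exec_t|virtlockd_exec_t)
            # the domain a binary of this exec type transitions into: drop _exec
            if [ "$run" = "${have%_exec_t}_t" ]; then
                echo ok; return 0
            fi
            echo "binary is $have but the daemon runs as ${run:-<not running>}: restart virtlockd" >&2
            echo restart; return 1 ;;
        *)
            echo "unexpected label $have on /usr/sbin/virtlockd" >&2
            echo unknown; return 2 ;;
    esac
}

# On a real host (needs policycoreutils and a running virtlockd):
#   virtlockd_label_check "$(matchpathcon -n /usr/sbin/virtlockd)" \
#                         "$(stat -c %C /usr/sbin/virtlockd)" \
#                         "$(ps -o label= -C virtlockd | head -n 1)"

# Offline run with constructed contexts matching the 7.8 host in this report.
virtlockd_label_check system_u:object_r:virtlogd_exec_t:s0 \
                      system_u:object_r:virtlogd_exec_t:s0 \
                      system_u:system_r:virtlogd_t:s0-s0:c0.c1023 || true
```

With the constructed 7.8 contexts the result is "policy-virtlogd": file label and policy agree, so restorecon would change nothing, and the denial in this report can only go away through a policy change (the virtlockd_exec_t type from the refpolicy patch linked above) or a local module. A "relabel" or "restart" result means the host, not the policy package, is the problem.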

Issue History

Date Modified Username Field Change
2020-06-05 09:35 gwald New Issue
2020-06-16 06:22 gwald Note Added: 0037120
2020-06-17 04:47 gwald Note Added: 0037133
2020-06-19 06:27 gwald Note Added: 0037166
2020-06-19 06:31 gwald Note Added: 0037167
2020-08-06 14:23 diego.santacruz Note Added: 0037505