Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: important

Dear Maintainer,

it is impossible to use tools based on or using libvirt when SELinux
enforcing mode is on.

root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Also tools like 'virt-manager' show the same problem.

From journal:
Aug 17 20:03:30 nestor libvirtd[676]: no connection driver available for qemu:///system
Aug 17 20:03:34 nestor libvirtd[676]: End of file while reading data: Input/output error

When using permissive mode, everything works fine.
I did not find any logs when enforcing - maybe because of the early start phase
of the libvirtd process.
The following AVCs are logged when using permissive mode:

type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc:  denied  { execstack } for  pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc:  denied  { execstack } for  pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process

IMHO this is important, because it is not possible to just temporarily 
set SELinux to permissive, do some tasks and set it back to enforcing.
When using libvirtd the system cannot run in enforcing mode.

Kind regards

Andre


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
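The AVC records quoted in the report are what a policy maintainer works from, so here is a small added example (not part of the bug report, the Debian policy package, or audit2allow) that parses them the way one would before deciding on a fix. It pairs each AVC denial with the SYSCALL record sharing its audit serial, extracts the denied permission, source/target context and class, renders the allow rule audit2allow would derive for comparison, and flags the execstack case specifically: an mprotect(PROT_READ|PROT_WRITE|PROT_EXEC) on the stack usually means some ELF object loaded into the process carries an executable-stack flag (GNU_STACK marked RWE), and the defensible fix is to clear that flag on the offending object (`execstack -c`, or rebuild it with a non-executable stack) rather than to grant `execstack` to virtd_t, since that permission weakens W^X for the whole domain. The sample input is the report's own records re-joined onto single lines; all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two SYSCALL/AVC pairs from the bug report,
# re-joined onto one line per record (ausearch -i style output).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc:  denied  { execstack } for  pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc:  denied  { execstack } for  pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
"""

KV_RE = re.compile(r'(\w+)=(\S+)')                          # generic key=value fields
MSG_RE = re.compile(r'msg=audit\(([^)]*):(\d+)\)')           # timestamp and audit serial
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')  # permission set in braces


def parse_records(text):
    """Turn ausearch-style output into one dict per audit record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('type='):
            continue
        m = MSG_RE.search(line)
        if not m:
            continue
        rec = {'timestamp': m.group(1), 'serial': int(m.group(2))}
        # 'msg' is skipped because MSG_RE already split it into timestamp/serial.
        rec.update((k, v) for k, v in KV_RE.findall(line) if k != 'msg')
        avc = AVC_RE.search(line)
        if avc:
            rec['result'] = avc.group(1)
            rec['perms'] = frozenset(avc.group(2).split())
        records.append(rec)
    return records


def type_of(context):
    """SELinux type is the third field of a user:role:type[:range] context."""
    return context.split(':')[2]


def denials(records):
    """Pair each AVC denial with the SYSCALL record that shares its serial number."""
    by_serial = defaultdict(lambda: defaultdict(list))
    for rec in records:
        by_serial[rec['serial']][rec['type']].append(rec)
    out = []
    for serial in sorted(by_serial):
        group = by_serial[serial]
        sc = group['SYSCALL'][0] if group['SYSCALL'] else {}
        for avc in group['AVC']:
            if avc.get('result') != 'denied':
                continue
            out.append({
                'serial': serial,
                'comm': avc.get('comm'), 'pid': avc.get('pid'),
                'exe': sc.get('exe'), 'syscall': sc.get('syscall'),
                'prot': sc.get('a2'),                      # mprotect's third argument
                'scontext': avc['scontext'], 'tcontext': avc['tcontext'],
                'tclass': avc['tclass'], 'perms': avc['perms'],
            })
    return out


def suggest_allow_rule(d):
    """Render the rule audit2allow would derive; useful to see, not to apply blindly."""
    src, tgt = type_of(d['scontext']), type_of(d['tcontext'])
    target = 'self' if src == tgt else tgt
    perms = sorted(d['perms'])
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {target}:{d['tclass']} {perm_str};"


def unique_rules(ds):
    return sorted({suggest_allow_rule(d) for d in ds})


def classify(d):
    """'execstack' when the denial is an mprotect(PROT_EXEC) request on the stack."""
    if 'execstack' in d['perms'] and d['syscall'] == 'mprotect' \
            and 'PROT_EXEC' in (d['prot'] or ''):
        return 'execstack'
    return 'other'


def remediation(d):
    """Defender's reading of the denial: prefer fixing the binary over widening policy."""
    if classify(d) == 'execstack':
        return (f"{d['exe']} (or a library it loads) asks for an executable stack; "
                "check GNU_STACK with 'readelf -lW' / 'execstack -q' and clear the "
                "flag ('execstack -c') instead of allowing execstack for "
                f"{type_of(d['scontext'])}.")
    return f"review {suggest_allow_rule(d)} against the domain's intended access."


if __name__ == '__main__':
    for d in denials(parse_records(SAMPLE_AUDIT)):
        print(f"#{d['serial']} {d['comm']} pid={d['pid']} "
              f"{type_of(d['scontext'])} -> {d['tclass']} {sorted(d['perms'])}")
        print('  audit2allow would emit:', suggest_allow_rule(d))
        print('  suggested action:', remediation(d))
```

Run against the two records above, both denials collapse to a single candidate rule, `allow virtd_t self:process execstack;`, and both are classified as executable-stack requests; the output also makes visible that the qemu child (pid 731, uid libvirt-qemu) is still running in virtd_t, the same domain as libvirtd, exactly as the subj fields in the report show.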

_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel