Bug 1276251
Summary: | SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Joachim Frieben <jfrieben> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 24 | CC: | akurtako, awilliam, bugzilla, dominick.grift, dwalsh, jdulaney, joe, juliux.pigface, kevin, kparal, lvrabec, mgrepl, plautrba, pschindl, robatino |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Unspecified | | |
Whiteboard: | AcceptedBlocker AcceptedFreezeException abrt_hash:4c448210041e6735e634b0f187f19921984f87b02248a2fbe4edcf96f048f419;VARIANT_ID=workstation; | | |
Fixed In Version: | selinux-policy-3.13.1-177.fc24 selinux-policy-3.13.1-179.fc24 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-03-23 16:56:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1230432, 1230435 | | |
Description
Joachim Frieben
2015-10-29 09:04:32 UTC
Description of problem:
I encounter this frequently; at least on every boot, but I suspect it pops up later too.

This might be related to bug 1296150

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter: libreport-2.6.3
hashmarkername: setroubleshoot
kernel: 4.5.0-0.rc1.git2.1.fc24.x86_64
type: libreport

(In reply to Giulio 'juliuxpigface' from comment #1)
> Description of problem:
> I encounter this frequently; at least on every boot, but I suspect it pops
> up later too.
>
> This might be related to bug 1296150
>

Please disregard this description... It was not for this bug report but for another one. I apologize for the inconvenience it may have caused.

Description of problem:
This selinux alert appears right after start of the system.

Version-Release number of selected component:
selinux-policy-3.13.1-171.fc24.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.5.0-0.rc3.git3.1.fc24.x86_64
type: libreport

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Proposed as a Blocker for 24-final by Fedora user chrismurphy using the blocker tracking app because:

This denial comes up on Workstation lives during live boot and post-install.
selinux-policy-3.13.1-176.fc24.noarch
Fedora-Workstation-Live-x86_64-24-20160305.0.iso.

"SELinux and crash notifications
There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

Pretty sure this is not an selinux-policy bug, but is systemd setting the label on /sys/fs/cgroup.

Discussed at today's blocker review meeting [1].

Accepted as a Final blocker - it's a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-03-07/

commit f79000faf875b13dc06ef5020345eaf23396039a
Author: Lukas Vrabec <lvrabec>
Date: Tue Mar 8 14:48:57 2016 +0100

    Allow spice-vdagent to getattr on tmpfs_t filesystems
    Resolves: rhbz#1276251

selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

*** Bug 1317960 has been marked as a duplicate of this bug. ***

selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

Description of problem:
Booted the F24 Alpha 1.5 Workstation x86_64 live image in a KVM, this denial appeared as soon as the desktop came up. I do notice that I can't seem to cut/paste into or out of the VM - this denial may be why?

Version-Release number of selected component:
selinux-policy-3.13.1-176.fc24.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.5.0-0.rc7.git0.2.fc24.x86_64
type: libreport

Proposing as an Alpha freeze exception; avoiding an AVC out-of-the-box seems like a good idea, and if this would also fix copying/pasting into/out of a VM while running live, that's significant too.

+1 FE

Sure, +1 FE

That's +3, marking accepted.

The update has not yet gone stable. Please do not close the bug. If it's closed, we won't notice that it needs a stable push.

selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
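
For triaging a denial like the one in this bug, the following added example (not code from the bug report or from selinux-policy) parses an AVC record and derives the access vector that a policy change such as the commit quoted in this report has to grant. The sample record is constructed; the `vdagent_t` source type and the tuple format passed to `is_covered` are assumptions.

```python
import re

# Constructed sample record, not taken from the bug report. The vdagent_t
# source type, pid, ino and timestamp are assumptions; getattr, tmpfs_t and
# the filesystem class come from the bug summary and the commit message.
SAMPLE_AVC = (
    'type=AVC msg=audit(1457000000.123:456): avc:  denied  { getattr } for  '
    'pid=1234 comm="spice-vdagentd" name="/" dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:vdagent_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the access-vector fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "comm": comm.group(1) if comm else None,
        "perms": set(m.group("perms").split()),
        # A context is user:role:type:level; the type is the third field.
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def to_allow_rule(denial):
    """Render the allow rule that would cover this denial."""
    perms = " ".join(sorted(denial["perms"]))
    return (f'allow {denial["source"]} {denial["target"]}:'
            f'{denial["tclass"]} {{ {perms} }};')

def is_covered(denial, rules):
    """rules: iterable of (source, target, tclass, set_of_perms) tuples."""
    granted = set()
    for source, target, tclass, perms in rules:
        if (source, target, tclass) == (
                denial["source"], denial["target"], denial["tclass"]):
            granted |= perms
    return denial["perms"] <= granted
```

Running `is_covered` against the rules of the installed policy before and after an update shows whether a given build actually grants the denied permission, which is the check the testing-repository requests in this report ask for.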