Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1276251 - SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup.
Summary: SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesyste...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker AcceptedFreezeExcepti...
: 1317960 (view as bug list)
Depends On:
Blocks: F24AlphaFreezeException F24FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2015-10-29 09:04 UTC by Joachim Frieben
Modified: 2016-03-23 16:56 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-3.13.1-177.fc24 selinux-policy-3.13.1-179.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-23 16:56:27 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Joachim Frieben 2015-10-29 09:04:32 UTC
Description of problem:
SELinux is preventing spice-vdagentd from 'getattr' accesses on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-156.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.0-0.rc7.git1.1.fc24.x86_64 #1
                              SMP Tue Oct 27 16:50:25 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-10-29 10:02:35 CET
Last Seen                     2015-10-29 10:02:35 CET
Local ID                      5defad19-42d3-407d-9b09-7560d6878e7c

Raw Audit Messages
type=AVC msg=audit(1446109355.534:570): avc:  denied  { getattr } for  pid=699 comm="spice-vdagentd" name="/" dev="tmpfs" ino=9622 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-156.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.0-0.rc7.git1.1.fc24.x86_64
type:           libreport

Comment 1 Giulio 'juliuxpigface' 2016-02-03 21:27:32 UTC
Description of problem:
I encounter this frequently; at least on every boot, but I suspect it pops up later too.

This might be related to bug 1296150

Version-Release number of selected component:
selinux-policy-3.13.1-168.fc24.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc1.git2.1.fc24.x86_64
type:           libreport

Comment 2 Giulio 'juliuxpigface' 2016-02-03 21:29:52 UTC
(In reply to Giulio 'juliuxpigface' from comment #1)
> Description of problem:
> I encounter this frequently; at least on every boot, but I suspect it pops
> up later too.
> 
> This might be related to bug 1296150
> 

Please disregard this description... It was not for this bug report but for another one. I apologize for the inconvenience it may have caused.

Comment 3 Petr Schindler 2016-02-16 13:41:44 UTC
Description of problem:
This selinux alert appears right after start of the system.

Version-Release number of selected component:
selinux-policy-3.13.1-171.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc3.git3.1.fc24.x86_64
type:           libreport

Comment 4 Jan Kurik 2016-02-24 15:48:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 5 Fedora Blocker Bugs Application 2016-03-06 23:40:24 UTC
Proposed as a Blocker for 24-final by Fedora user chrismurphy using the blocker tracking app because:

 This denial comes up on Workstation lives during live boot and post-install.
selinux-policy-3.13.1-176.fc24.noarch
Fedora-Workstation-Live-x86_64-24-20160305.0.iso. 

"SELinux and crash notifications
There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "

Pretty sure this is not an selinux-policy bug, but is systemd setting the label on /sys/fs/cgroup.

Comment 6 Kamil Páral 2016-03-07 18:11:20 UTC
Discussed at today's blocker review meeting [1]. Accepted as a Final blocker -  it's a clear violation of "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-03-07/

Comment 7 Lukas Vrabec 2016-03-08 14:20:25 UTC
commit f79000faf875b13dc06ef5020345eaf23396039a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Mar 8 14:48:57 2016 +0100

    Allow spice-vdagent to getattr on tmpfs_t filesystems
    Resolves: rhbz#1276251

Comment 8 Fedora Update System 2016-03-11 09:56:12 UTC
selinux-policy-3.13.1-178.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

Comment 9 Fedora Update System 2016-03-11 19:25:53 UTC
selinux-policy-3.13.1-178.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1350c96015

Comment 10 Mairi Dulaney 2016-03-15 18:59:46 UTC
*** Bug 1317960 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2016-03-16 13:42:10 UTC
selinux-policy-3.13.1-179.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

Comment 12 Fedora Update System 2016-03-18 14:58:44 UTC
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-8f142bb969

Comment 13 Adam Williamson 2016-03-18 21:49:00 UTC
Description of problem:
Booted the F24 Alpha 1.5 Workstation x86_64 live image in a KVM, this denial appeared as soon as the desktop came up. I do notice that I can't seem to cut/paste into or out of the VM - this denial may be why?

Version-Release number of selected component:
selinux-policy-3.13.1-176.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport

Comment 14 Adam Williamson 2016-03-18 21:50:40 UTC
Proposing as an Alpha freeze exception; avoiding an AVC out-of-the-box seems like a good idea, and if this would also fix copying/pasting into/out of a VM while running live, that's significant too.

Comment 15 Dennis Gilmore 2016-03-18 22:13:27 UTC
+1 FE

Comment 16 Kevin Fenzi 2016-03-18 22:15:12 UTC
Sure, +1 FE

Comment 17 Adam Williamson 2016-03-18 22:16:13 UTC
That's +3, marking accepted.

Comment 18 Adam Williamson 2016-03-19 20:26:38 UTC
The update has not yet gone stable. Please do not close the bug. If it's closed, we won't notice that it needs a stable push.

Comment 19 Fedora Update System 2016-03-23 16:54:49 UTC
selinux-policy-3.13.1-179.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.