Bug 975344 - SELinux is preventing spice-vdagentd from 'module_request' accesses on the system.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:12dfde6a68ad40fbc41fd6fee8b...
Depends On:
Blocks: F19-accepted, F19FinalFreezeException
 
Reported: 2013-06-18 07:44 UTC by Adam Williamson
Modified: 2013-06-23 06:27 UTC (History)
CC List: 3 users

Fixed In Version: selinux-policy-3.12.1-54.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-23 06:27:22 UTC
Type: ---
Embargoed:



Description Adam Williamson 2013-06-18 07:44:19 UTC
Description of problem:
Just booted the F19 Final TC5 LXDE live. Other desktop lives didn't do this; not sure if something's different on LXDE or it's a race of some kind.
SELinux is preventing spice-vdagentd from 'module_request' accesses on the system .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that spice-vdagentd should be allowed module_request access on the  system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ system ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-52.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-18 03:43:04 EDT
Last Seen                     2013-06-18 03:43:04 EDT
Local ID                      22e1da91-6530-4a65-bf9c-df678a197308

Raw Audit Messages
type=AVC msg=audit(1371541384.351:385): avc:  denied  { module_request } for  pid=509 comm="spice-vdagentd" kmod="char-major-10-223" scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system


Hash: spice-vdagentd,vdagent_t,kernel_t,system,module_request

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport
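A small parser for AVC records like the raw audit message in this report, added here as an example (it is not code from the bug, from setroubleshoot or from the selinux-policy project). It rebuilds the `comm,source type,target type,class,permission` signature that setroubleshoot prints as `Hash:`, which is the key to deduplicate alerts by and the thing to grep for when checking whether a policy update such as the one in this bug actually removed the denial. The first log line is the one from this report; the SYSCALL line and the second AVC line are constructed for the example.

```python
import re
from collections import Counter

# The AVC record from this bug report, copied as-is.
SAMPLE_AVC = (
    'type=AVC msg=audit(1371541384.351:385): avc:  denied  { module_request } '
    'for  pid=509 comm="spice-vdagentd" kmod="char-major-10-223" '
    'scontext=system_u:system_r:vdagent_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system'
)

# Constructed lines (not from the report): a non-AVC record that must be
# ignored, and a second denial with two permissions in one braces group.
SYSCALL_LINE = 'type=SYSCALL msg=audit(1371541384.351:385): arch=c000003e syscall=2 success=no'
OTHER_AVC = (
    'type=AVC msg=audit(1371541400.000:390): avc:  denied  { read write } '
    'for  pid=777 comm="example" name="dev" dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:vdagent_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir'
)
# The page's line appears twice to show that repeats collapse into one signature.
SAMPLE_LOG = [SAMPLE_AVC, SYSCALL_LINE, OTHER_AVC, SAMPLE_AVC]

# 'avc:  denied  { perm1 perm2 } for  key=value ...'
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """user:role:type:level -> type (the third colon-separated component)."""
    return ctx.split(':')[2]


def setroubleshoot_signature(fields):
    """Build the 'comm,source type,target type,tclass,perm' signature that
    setroubleshoot prints as 'Hash:', one entry per permission in the record."""
    return [
        ','.join([fields['comm'], context_type(fields['scontext']),
                  context_type(fields['tcontext']), fields['tclass'], perm])
        for perm in fields['perms']
    ]


def is_module_request(fields):
    """True when the denial is a kernel module autoload request (this bug's case)."""
    return fields['tclass'] == 'system' and 'module_request' in fields['perms']


def summarize(lines):
    """Count denied AVC records by signature, as setroubleshoot's Alert Count does."""
    counts = Counter()
    for line in lines:
        fields = parse_avc(line)
        if fields is None or fields['result'] != 'denied':
            continue
        counts.update(setroubleshoot_signature(fields))
    return dict(counts)


if __name__ == '__main__':
    for sig, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{n:3d}  {sig}')
```

The `kmod="char-major-10-223"` field is what makes this denial a `module_request`: the kernel resolves that device-number alias (misc device major 10, minor 223, which is uinput) with an internal module load on behalf of the process, so the check is on the `system` class rather than on a file. Running `summarize()` over `/var/log/audit/audit.log` before and after installing the fixed policy, and confirming the `spice-vdagentd,vdagent_t,kernel_t,system,module_request` signature is gone, is the same verification Comment 9 reports.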

Comment 1 Adam Williamson 2013-06-18 07:45:13 UTC
Nominating as a final freeze exception, "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)" for a non-blocking desktop.

Comment 2 Adam Williamson 2013-06-18 08:09:01 UTC
Same AVC on boot of the MATE-Compiz live image.

Comment 3 Miroslav Grepl 2013-06-18 10:09:58 UTC
commit 6d823dd30a359aa75172626d652487c7bb4c6b3d
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jun 18 12:01:46 2013 +0200

    Make vdagent able to request loading kernel module

Comment 4 Adam Williamson 2013-06-18 16:53:12 UTC
Thanks, mgrepl. As we're in final freeze and close to release, can you do a build/update fairly soon? Thanks!

Comment 5 Miroslav Grepl 2013-06-19 06:49:56 UTC
Yes, will do ASAP. There are other bugs.

Comment 6 Adam Williamson 2013-06-19 19:02:02 UTC
Discussed at 2013-06-19 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-19/f19final-blocker-review-7.2013-06-19-16.01.log.txt . Accepted as a freeze exception issue as a violation of the 'no AVCs' criterion for non-blocking desktops (so far this hasn't been reported for a GNOME or KDE install).

Comment 7 Fedora Update System 2013-06-19 20:34:59 UTC
selinux-policy-3.12.1-53.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-53.fc19

Comment 8 Fedora Update System 2013-06-20 18:02:07 UTC
Package selinux-policy-3.12.1-54.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-54.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11355/selinux-policy-3.12.1-54.fc19
then log in and leave karma (feedback).

Comment 9 Adam Williamson 2013-06-21 05:37:46 UTC
Couple of install tests with LXDE TC6 seem to verify this is fixed.

Comment 10 Fedora Update System 2013-06-23 06:27:22 UTC
selinux-policy-3.12.1-54.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

