Your message dated Thu, 12 Oct 2017 14:27:52 +0200
with message-id <[email protected]>
and subject line Re: Bug#758464: SELinux policy updated
has caused the Debian Bug report #758464,
regarding selinux-policy-default: Impossible to use libvirt(d) if enforcing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
758464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140421-4
Severity: important

Dear Maintainer,

it is impossible to use tools based on or using libvirt when enforcing is set to on.

root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Also tools like 'virt-manager' show the same problem.

From journal:
Aug 17 20:03:30 nestor libvirtd[676]: no connection driver available for qemu:///system
Aug 17 20:03:34 nestor libvirtd[676]: End of file while reading data: Input/output error

When using permissive mode, everything works fine. I did not find any logs when enforcing - maybe because of the early start phase of the process libvirtd.

The following AVCs are logged when using permissive mode:

type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff92a84000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=1 pid=670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirtd exe=/usr/sbin/libvirtd subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc: denied { execstack } for pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7fff701df000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=670 pid=731 auid=unset uid=libvirt-qemu gid=libvirt-qemu euid=libvirt-qemu suid=libvirt-qemu fsuid=libvirt-qemu egid=libvirt-qemu sgid=libvirt-qemu fsgid=libvirt-qemu tty=(none) ses=unset comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc: denied { execstack } for pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process

IMHO this is important, because it is not possible to just temporarily set SELinux to permissive, do some tasks and set it back to enforcing. When using libvirtd the system cannot run in enforcing mode.

Kind regards
Andre

-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3
ii  libselinux1      2.3-1
ii  libsepol1        2.3-1
ii  policycoreutils  2.3-1
ii  python           2.7.8-1
ii  selinux-utils    2.3-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
--- End Message ---
--- Begin Message ---
Version: libvirt/3.0.0-4

Hi,
On Fri, Feb 06, 2015 at 09:18:18AM +0000, Russell Coker wrote:
> reassign 758464 libvirt-bin
> thanks
>
> This bug has been accepted as an upstream issue. Please verify that Jessie
> has the fixed version of virsh.

This was fixed upstream ages ago so closing.
Cheers,
 -- Guido
--- End Message ---
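
The following is an added example, not part of the original report or of any Debian, SELinux or libvirt tooling: Python that pairs each AVC record with the SYSCALL record of the same audit event, in the interpreted audit format quoted in the report, to show which executable asked for an executable stack and whether the denial was actually enforced. The sample log is constructed: events 96 and 105 are abbreviated from the report, event 110 and the names execstack_denials, SAMPLE and "blocked" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: events 96 and 105 are abbreviated from the report's
# records; event 110 is invented here to show a non-execstack denial.
SAMPLE = """\
type=SYSCALL msg=audit(08/17/2014 20:25:19.411:96) : arch=x86_64 syscall=mprotect success=yes exit=0 a2=PROT_READ|PROT_WRITE|PROT_EXEC pid=670 comm=libvirtd exe=/usr/sbin/libvirtd
type=AVC msg=audit(08/17/2014 20:25:19.411:96) : avc: denied { execstack } for pid=670 comm=libvirtd scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(08/17/2014 20:25:21.731:105) : arch=x86_64 syscall=mprotect success=yes exit=0 a2=PROT_READ|PROT_WRITE|PROT_EXEC pid=731 comm=qemu-system-i38 exe=/usr/bin/qemu-system-i386
type=AVC msg=audit(08/17/2014 20:25:21.731:105) : avc: denied { execstack } for pid=731 comm=qemu-system-i38 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(08/17/2014 20:25:30.002:110) : avc: denied { read } for pid=800 comm=example scontext=system_u:system_r:example_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def execstack_denials(text):
    """Join AVC and SYSCALL records by audit event and keep execstack denials."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        rec = dict(FIELD.findall(body))
        perms = PERMS.search(body)
        rec["perms"] = perms.group(1).split() if perms else []
        events[(stamp, serial)][rtype] = rec  # same stamp:serial = same event
    findings = []
    for (stamp, serial), recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None or "execstack" not in avc["perms"]:
            continue
        findings.append({
            "event": serial,
            "exe": sc.get("exe", avc.get("comm")),  # comm is truncated to 15 chars
            "domain": avc["scontext"].split(":")[2],
            "syscall": sc.get("syscall"),
            "prot": sc.get("a2"),
            # success=yes next to "denied" means the denial was logged only
            # (permissive); in enforcing mode the call would have failed.
            "blocked": sc.get("success") == "no",
        })
    return findings

if __name__ == "__main__":
    for f in execstack_denials(SAMPLE):
        print(f)
```

Both findings come out with domain virtd_t and blocked False, matching the report: the denials were recorded while the system was permissive, and both libvirtd and the qemu process it started were running in the same domain.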

