
Bug 634264

Summary: sec-policy/selinux-virt does not contain virtlogd type
Product: Gentoo Linux
Reporter: Alexander Miroshnichenko <alex>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: CONFIRMED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Alexander Miroshnichenko 2017-10-14 19:18:14 UTC
New versions of libvirt separate the logging functionality from the main code into a new virtlogd daemon. The new daemon is not defined in the sec-policy/selinux-virt module policy.

# eselect rc start libvirtd
Starting init script
Authenticating root.
Password: 
 * Caching service dependencies ...                                                                                                                                                                                                     [ ok ]
 * Starting virtlogd ...
2017-10-14 18:32:30.385+0000: 4584: info : libvirt version: 3.6.0
2017-10-14 18:32:30.385+0000: 4584: info : hostname: XXXX
2017-10-14 18:32:30.385+0000: 4584: error : main:972 : Can't load config file: Failed to open file '/etc/libvirt/virtlogd.conf': Permission denied: /etc/libvirt/virtlogd.conf
 * start-stop-daemon: failed to start `/usr/sbin/virtlogd'
 * Failed to start virtlogd                                                                                                                                                                                                             [ !! ]
 * ERROR: virtlogd failed to start
 * ERROR: cannot start libvirtd as virtlogd would not start

# ls -lZ `which virtlogd`  
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 712112 Oct 14 21:27 /usr/sbin/virtlogd

# matchpathcon /usr/sbin/virtlogd
/usr/sbin/virtlogd      system_u:object_r:bin_t:s0

# qlist -ICv sec-policy/selinux-virt
sec-policy/selinux-virt-2.20170204-r4

The latest unstable sec-policy/selinux-virt version, 2.20170805-r2, still does not contain a virtlogd type definition with the related resource access.

Comment 1 Jason Zaman gentoo-dev 2017-10-17 03:22:36 UTC
Yeah, I've got some tentative patches for this but haven't gotten around to cleaning them up and merging yet :(

https://github.com/perfinion/hardened-refpolicy/commits/next
It used to work before; I'm not sure if there have been more changes that need updating. I'll try and clean these up soon.

Comment 2 Alexander Miroshnichenko 2019-02-20 09:27:44 UTC
# seinfo -t virtlogd_t -x 

Types: 1
   type virtlogd_t, domain, daemon;

I can see the type is already in the policy.
Do you want any other action to be taken?