SELinux is preventing virtlogd from write accesses on the fifo_file /run/systemd/inhibit/36.ref

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • selinux-policy-3.13.1-192.el7_5.3
  • libvirt-daemon-3.9.0-14.el7_5.5

Issue

  • SELinux is preventing virtlogd from write accesses on the fifo_file /run/systemd/inhibit/36.ref
  • starting virtual machines fails after the upgrade of the libvirt-daemon package

Resolution

Update to selinux-policy-3.13.1-192.el7_5.6 released with Advisory RHBA-2018:2451 or newer.

Root Cause

In the selinux-policy package up to version 3.13.1-192.el7_5.3, the communication between the virtlogd and systemd-logind processes via D-Bus messages, which uses the systemd-inhibit mechanism, was denied. As a consequence, starting virtual machines was not successful.

The bug was tracked in Bugzilla 1593740 and targeted for release with RHEL 7.6 GA; the updated selinux-policy package allows the communication between the virtlogd and systemd-logind processes.

Advisory RHBA-2018:2451 was released for 7.5.Z Stream.

Diagnostic Steps

  # ausearch -i -if /var/log/audit/audit.log -m avc
----
type=PROCTITLE msg=audit(15.6.2018 22:51:07.642:725) : proctitle=/usr/sbin/virtlogd 
type=SYSCALL msg=audit(15.6.2018 22:51:07.642:725) : arch=x86_64 syscall=recvmsg success=yes exit=76 a0=0xb a1=0x7ffd28398680 a2=MSG_CMSG_CLOEXEC a3=0x7ffd28398220 items=0 ppid=1 pid=13524 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(15.6.2018 22:51:07.642:725) : avc:  denied  { write } for  pid=13524 comm=virtlogd path=/run/systemd/inhibit/6.ref dev="tmpfs" ino=42923 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file 
----

These workarounds are available:

  # cat << EOF > local_virtlogd.te
module local_virtlogd 1.0;
require {
    type virtlogd_t;
    type systemd_logind_inhibit_var_run_t;
    class fifo_file write;
}

#============= virtlogd_t ==============
allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file { write };
EOF

# make -f /usr/share/selinux/devel/Makefile local_virtlogd.pp
# semodule -i local_virtlogd.pp

The selinux-policy-devel package is required to build a custom module. This approach will add only the permissions which were requested and denied, but some additional ones may be required later.
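The module above is exactly what is derived from the AVC record in the diagnostic output: the source type comes from scontext, the target type from tcontext, and the class and permission from tclass and the braces after "denied". The following added example (not part of this solution, and not Red Hat's audit2allow) parses ausearch -i output, merges the denied permissions per (source, target, class) triple, and renders a .te file of the same shape; the second AVC line in the sample is a constructed, hypothetical getattr denial included only to show the merging.

```python
import re
from collections import defaultdict

# Constructed sample: the page's AVC record, plus a hypothetical second
# denial (getattr) for the same source/target pair to exercise merging.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(15.6.2018 22:51:07.642:725) : proctitle=/usr/sbin/virtlogd
type=AVC msg=audit(15.6.2018 22:51:07.642:725) : avc:  denied  { write } for  pid=13524 comm=virtlogd path=/run/systemd/inhibit/6.ref dev="tmpfs" ino=42923 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(15.6.2018 22:51:08.100:726) : avc:  denied  { getattr } for  pid=13524 comm=virtlogd path=/run/systemd/inhibit/6.ref dev="tmpfs" ino=42923 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_inhibit_var_run_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Type field of user:role:type:level; the MLS level may itself contain colons."""
    return ctx.split(":", 3)[2]

def parse_avc(line):
    """One ausearch -i line -> (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return (context_type(fields["scontext"]), context_type(fields["tcontext"]),
            fields["tclass"], set(m.group("perms").split()))

def collect_denials(log_text):
    """Aggregate denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms
    return rules

def render_te(module, version, rules):
    """Render policy module source of the form the devel Makefile compiles."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te("local_virtlogd", "1.0", collect_denials(SAMPLE_LOG)))
```

Review the generated allow rules before loading them with semodule; like the manual module, they grant only what was denied, and a rule that allows an unexpected source type is a sign the log contains unrelated denials.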

  • Make the virtlogd_t domain permissive:
  # semanage permissive -a virtlogd_t

This change will grant almost all possible permissions to the virtlogd_t domain.

  • Turn on the daemons_use_tty boolean:
  # semanage boolean --on daemons_use_tty

This approach adds about 16 groups of permissions to various daemon domains, including chronyc_t, although that is a domain for a process created from a CLI command.

Once the root cause is found and the proper fix is delivered, each of the workarounds needs to be undone.
