At some point during the last few Fedora releases, my libvirt stopped being able to run a hook script because of SELinux:
root@strago:/etc/libvirt/hooks# virsh net-start default || journalctl -e -g avc --lines 1 | audit2why
error: Failed to start network default
error: Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network default start begin -) unexpected exit status 126: libvirt: error : cannot execute binary /etc/libvirt/hooks/network: Permission denied
Nov 14 07:57:43 strago.narshe audit[113078]: AVC avc: denied { execute } for pid=113078 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=2491327 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0
Was caused by:
The boolean virt_hooks_unconfined was set incorrectly.
Description:
Allow virt to hooks unconfined
Allow access by executing:
# setsebool -P virt_hooks_unconfined 1
root@strago:/etc/libvirt/hooks# ll -aZ
total 12
drwx------. 2 root root system_u:object_r:virt_hook_t:s0 4096 Oct 29 13:28 .
drwx------. 7 root root system_u:object_r:virt_etc_t:s0 4096 Oct 23 20:30 ..
-rwx------. 1 root root system_u:object_r:virt_hook_t:s0 914 Oct 29 13:28 network
The way I've been working around this is by setenforce 0, starting the network, then setenforce 1 immediately afterwards. Needless to say, this does not survive reboots. I've also tried restorecon on the hook script and its parent dir without success.
Is it possible to get this working without applying a custom selinux policy? If not, what are the implications of allowing unconfined hooks?
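As an added example that is not part of the original post: a small POSIX shell triage helper that parses an AVC record like the one quoted above (that denial line is reused here as constructed sample input) and reports whether it is the "confined virt daemon denied execute on a virt_hook_t file" case. The point is to separate the boolean question from a plain mislabelling problem before anyone runs setsebool or builds a policy module from audit2allow output. The function names are my own and assume nothing beyond sed, cut and tr.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial
# record before deciding between restorecon, a boolean, or a custom module.

# Constructed sample: the AVC line from the post, as journalctl printed it.
SAMPLE_AVC='Nov 14 07:57:43 strago.narshe audit[113078]: AVC avc: denied { execute } for pid=113078 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=2491327 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of "KEY=value" (surrounding quotes removed),
# empty output if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD -> the permission list inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD -> prints exactly one of:
#   virt-hook-exec  a virt* daemon domain was denied execute on a virt_hook_t
#                   file: the label is right, the policy/boolean is the question
#   permissive      recorded in permissive mode (permissive=1), nothing was blocked
#   enforced-other  some other enforced denial (check labels with ls -Z first)
#   not-avc         the line is not an AVC record at all
classify_avc() {
    rec="$1"
    case "$rec" in
        *"AVC avc: denied"*) ;;
        *) echo not-avc; return 0 ;;
    esac
    if [ "$(avc_field "$rec" permissive)" = "1" ]; then
        echo permissive
        return 0
    fi
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    case "$stype" in
        virt*_t)
            if [ "$ttype" = virt_hook_t ] && [ "$tclass" = file ] && [ "$perm" = execute ]; then
                echo virt-hook-exec
                return 0
            fi
            ;;
    esac
    echo enforced-other
}

# Stand-alone run: classify the sample and show the fields the decision used.
echo "source domain : $(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)")"
echo "target type   : $(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)")"
echo "permission    : $(avc_perm "$SAMPLE_AVC")"
echo "verdict       : $(classify_avc "$SAMPLE_AVC")"
```

Run it with `sh` on any line copied from `journalctl -g avc`. A verdict of `enforced-other` with a target type other than `virt_hook_t` points at a labelling problem, which `restorecon -v` on the hook path addresses; only `virt-hook-exec` is the situation where the boolean or a policy change is actually the lever.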