Libvirt network hook execution blocked by selinux

At some point during the last few Fedora releases, selinux stopped letting my libvirt run a hook script:

root@strago:/etc/libvirt/hooks# virsh net-start default || journalctl -e -g avc --lines 1 | audit2why 
error: Failed to start network default
error: Hook script execution failed: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin USER=root /etc/libvirt/hooks/network default start begin -) unexpected exit status 126: libvirt:  error : cannot execute binary /etc/libvirt/hooks/network: Permission denied


Nov 14 07:57:43 strago.narshe audit[113078]: AVC avc:  denied  { execute } for  pid=113078 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=2491327 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0

	Was caused by:
	The boolean virt_hooks_unconfined was set incorrectly. 
	Description:
	Allow virt to hooks unconfined

	Allow access by executing:
	# setsebool -P virt_hooks_unconfined 1
root@strago:/etc/libvirt/hooks# ll -aZ
total 12
drwx------. 2 root root system_u:object_r:virt_hook_t:s0 4096 Oct 29 13:28 .
drwx------. 7 root root system_u:object_r:virt_etc_t:s0  4096 Oct 23 20:30 ..
-rwx------. 1 root root system_u:object_r:virt_hook_t:s0  914 Oct 29 13:28 network

The way I’ve been working around this is by setenforce 0, starting the network, then setenforce 1 immediately afterwards. Needless to say, this does not survive reboots. I’ve also tried restorecon on the hook script and its parent dir without success.

Is it possible to get this working without applying a custom selinux policy? If not, what are the implications of allowing unconfined hooks?

As suggested: run

setsebool -P virt_hooks_unconfined 1

It may need sudo.

I know there are ways to force selinux to allow the unconfined scripts (I used setsebool to start it today) but I’m trying to understand what the implications are of tearing down Chesterton’s fence before I just settle on that as the way forward.

Thanks anyway!

Without that boolean, you can’t run the hook scripts. Simple as that. Without the hook scripts, you don’t need that boolean.

To really understand SELinux rules takes a lot of time studying, possible months if not years of studying.

It often helps to know how to use available tools:


# echo 'Nov 14 07:57:43 strago.narshe audit[113078]: AVC avc:  denied  { execute } for  pid=113078 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=2491327 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0' | audit2allow


#============= virtnetworkd_t ==============

#!!!! This avc can be allowed using the boolean 'virt_hooks_unconfined'
allow virtnetworkd_t virt_hook_t:file execute;

Unfortunately, the other possible helpful tool, setroubleshoot, gives rather a cryptic message

The boolean virt_hooks_unconfined was set incorrectly.
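The following is an added example, not code from the original thread or from libvirt or the SELinux tooling. It covers both the question (what the denial means and what the boolean would change) and the audit2allow answer above: it parses an AVC denial line into its fields and rebuilds the allow rule that audit2allow prints for it, then emits the policy queries that show what flipping the named boolean actually enables. The sample denial is the one posted in the thread; the getsebool and sesearch commands are standard policycoreutils/setools tools and are only printed, not run.

```shell
#!/bin/sh
# Added example, not from the thread: parse an SELinux AVC denial line into
# its fields and print the TE allow rule that audit2allow would generate for
# it, plus the policy queries worth running before flipping a boolean.
# The sample line is the denial posted in the thread, copied verbatim.

AVC_SAMPLE='Nov 14 07:57:43 strago.narshe audit[113078]: AVC avc:  denied  { execute } for  pid=113078 comm="rpc-virtnetwork" name="network" dev="dm-0" ino=2491327 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virt_hook_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permissions listed inside { ... }, as written in the line.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the allow rule in audit2allow's format
# (braces only when more than one permission was denied).
avc_to_allow() {
    line=$1
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    # shellcheck disable=SC2086  # word-split on purpose to count permissions
    set -- $perms
    if [ "$#" -eq 1 ]; then
        printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$1"
    else
        printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$*"
    fi
}

# policy_queries LINE BOOLEAN: commands that show the current state of the
# boolean audit2allow named, every allow rule that boolean switches on, and
# the rules already present for this source/target pair, so the scope of the
# change is known before setsebool -P is run.
policy_queries() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    printf 'getsebool %s\n' "$2"
    printf 'sesearch -A -b %s\n' "$2"
    printf 'sesearch -A -s %s -t %s -c %s\n' "$src" "$tgt" "$(avc_field "$1" tclass)"
}

avc_to_allow "$AVC_SAMPLE"
policy_queries "$AVC_SAMPLE" virt_hooks_unconfined
```

Running it prints `allow virtnetworkd_t virt_hook_t:file execute;`, the same rule audit2allow produced above, followed by the three queries. The `sesearch -A -b virt_hooks_unconfined` output is the concrete answer to the "implications" question: it lists every rule the boolean turns on, which is more than the single execute permission the denial shows.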