Libvirt + cockpit-machines got blocked/denied permissions by SELinux #1818

Open
thepragmaticmero opened this issue Sep 14, 2024 · 12 comments

@thepragmaticmero

thepragmaticmero commented Sep 14, 2024

At least on Fedora 41 (pre-release) I guess it will be fixed soon, IDK. SELinux works in mysterious ways.
I have a saying: "The best way to use SELinux is with the sudo setenforce 0 command"
Now SELinux was doing this:
[image]
The fix... well: sudo setenforce 0. Band-aid fix for now. It will get sorted out later I guess. I lost too much time trying to solve this, so no "proper" command to get libvirt to pass through SELinux

Days since enabled SELinux broke my workflow: 0
For the skeptics: I verified my users+groups, I restarted libvirtd / libvirtdbus, changed .conf files, etc. Nothing. It was SELinux.

@mac2net

mac2net commented Sep 14, 2024

LOL cursing out the beta version is pretty funny

@jelly
Member

jelly commented Sep 16, 2024

Do you still have the logs of the AVC denial? We did have some SELinux policy regressions in F41 but they all seem to be closed and our CI runs with setenforce enabled.

https://bugzilla.redhat.com/show_bug.cgi?id=2297965

@mac2net please be respectful to users filing issues even though they had a frustrating experience.

@thepragmaticmero
Author

I updated Fedora Silverblue 41 with rpm-ostree update. And still got the same AVC denial. Looking forward to when it actually releases, then. For now using setenforce 0 shouldn't hurt.

@jelly
Member

jelly commented Sep 17, 2024

@thepragmaticmero which selinux-policy version do you have?

@thepragmaticmero
Author

$ rpm -qa | grep selinux | wl-copy
libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
python3-libselinux-3.7-5.fc41.x86_64
selinux-policy-41.16-2.fc41.noarch
selinux-policy-targeted-41.16-2.fc41.noarch
container-selinux-2.232.1-2.fc41.noarch
passt-selinux-0^20240906.g6b38f07-1.fc41.noarch
flatpak-selinux-1.15.10-1.fc41.noarch
rpm-plugin-selinux-4.19.92-6.fc41.x86_64
swtpm-selinux-0.9.0-3.fc41.noarch
nbdkit-selinux-1.40.3-1.fc41.noarch
cockpit-selinux-324-1.fc41.noarch

This version selinux-policy-41.16-2.fc41.noarch

@thepragmaticmero
Author

Rolled back to Fedora 40 Stable using rpm-ostree rebase fedora:fedora/40/x86_64/silverblue and the problem fixed itself. Interesting.

@garrett
Member

garrett commented Oct 2, 2024

FWIW, there's a new SELinux policy in F41 beta: selinux-policy-41.19-1.fc41.noarch

Changelog after 41.16-2:

* Wed Sep 25 2024 Zdenek Pytela <[email protected]> - 41.19-1
- Add policy for systemd-homed
- Remove fc entry for /usr/bin/pump
- Label /usr/bin/noping and /usr/bin/oping with ping_exec_t
- Allow accountsd read gnome-initial-setup tmp files
- Allow xdm write to gnome-initial-setup fifo files
- Allow rngd read and write generic usb devices
- Allow qatlib search the content of the kernel debugging filesystem
- Allow qatlib connect to systemd-machined over a unix socket

* Wed Sep 18 2024 Petr Lautrbach <[email protected]> - 41.18-1
- Drop ru man pages
- mls/modules.conf - fix typo
- Allow unprivileged user watch /run/systemd
- Allow boothd connect to kernel over a unix socket

* Mon Sep 16 2024 Zdenek Pytela <[email protected]> - 41.17-2
- Relabel /etc/mdevctl.d

* Thu Sep 12 2024 Petr Lautrbach <[email protected]> - 41.17-1
- Clean up and sync securetty_types
- Bring config files from dist-git into the source repo
- Confine gnome-remote-desktop
- Allow virtstoraged execute mount programs in the mount domain
- Make mdevctl_conf_t member of the file_type attribute

It seems to be fixed, possibly from 41.17-1's "Allow virtstoraged execute mount programs in the mount domain".

@GuiltyDoggy

There's a new bug report that seems to be tracking this:

https://bugzilla.redhat.com/show_bug.cgi?id=2316474

@thepragmaticmero
Author

thepragmaticmero commented Oct 30, 2024

Now that Fedora 41 has been released (out of beta), this same bug is still happening. The band-aid solution keeps being the same sudo setenforce 0.
Tested in:

  • Fedora Silverblue 41

Weirdly on Fedora Workstation it works just fine... huh. I'll dive more into it

Does anyone know how to restore it? restorecon or something like that? I'm kinda lost

@garrett
Member

garrett commented Oct 31, 2024

FWIW, I've been hitting this again, even though it really seemed fixed in the version I listed above.

Is this Atomic-specific somehow? I've been chatting with @martinpitt in matrix and he says Cockpit tests are fine for Cockpit Machines on Fedora 41.

(There have been a few issues that are specific to Atomic OSTree distros, like a few with grub, which incidentally should be fixed in F41. Atomic versions of Fedora are pretty close to the non-Atomic ones, but aren't fully 1:1.)

@ondrejbudai

I'm seeing this on Fedora Workstation 41, so it's apparently not atomic-specific. :/

@FlexibleToast

setenforce 0 is not the only current solution. Just following the SELinux Cockpit module's advice and allowing daemons to enable cluster mode seems to have worked for me. You can leave SELinux enforcing and change this bool: semanage boolean -m --on daemons_enable_cluster_mode
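An added example, not from the issue or the Cockpit project, for gathering the AVC details jelly asked for above before reaching for setenforce 0: a small Python triage script that parses denial records in the /var/log/audit/audit.log format, keeps only those that were actually enforced (permissive=0) for libvirt daemons, and groups them by source type, permissions, target type and object class. The log lines, contexts, pids and inode numbers are constructed samples, not the denial from the screenshot.

```python
import re
from collections import Counter

# Constructed sample records in auditd's audit.log format. Contexts, pids and
# inode numbers are made up for this example; the real denial in the issue was
# only posted as a screenshot.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1727000000.123:456): avc:  denied  { read open } for  pid=1234 comm="virtstoraged" name="disk.qcow2" dev="dm-0" ino=789 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1727000000.456:457): avc:  denied  { execute } for  pid=1234 comm="virtstoraged" name="mount" dev="dm-0" ino=111 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1727000000.456:457): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1727000001.000:458): avc:  denied  { read open } for  pid=1234 comm="virtstoraged" name="disk.qcow2" dev="dm-0" ino=789 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the useful fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m["comm"],
        "perms": tuple(sorted(m["perms"].split())),
        "source_type": m["scontext"].split(":")[2],  # user:role:type:level -> type
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        # permissive=0 means the access was really blocked, not just logged;
        # treat a missing flag as blocked so nothing is silently dropped.
        "blocked": m["permissive"] != "1",
    }

def summarize(log_text, comm_prefix="virt"):
    """Count enforced denials for libvirt daemons (comm starts with comm_prefix),
    keyed by (source type, permissions, target type, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["comm"].startswith(comm_prefix) and rec["blocked"]:
            key = (rec["source_type"], rec["perms"], rec["target_type"], rec["tclass"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, perms, tgt, cls), n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {src} denied {{ {' '.join(perms)} }} on {cls} labelled {tgt}")
```

On a real host, feed it the output of ausearch -m AVC -ts recent (or audit.log directly); the grouped lines are what to paste into a policy bug report.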
