Bugzilla – Bug 1216903
SELinux: policy update broke kvm network autostart
Last modified: 2024-06-06 10:40:23 UTC
Hi, since the update to selinux-policy: 20231030 KVM network autostart/interaction is broken. If one tries to start the network manually in virsh the following error is observed:

> virsh # net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --list-rules: libvirt: error : cannot execute binary /sbin/iptables: Permission denied

with

> virsh # net-info default
> Name: default
> UUID: 31f53528-0578-4d70-b510-2f50fcf424f0
> Active: no
> Persistent: yes
> Autostart: yes
> Bridge: virbr0

As a workaround I am using:

> # setenforce 0
> # virsh net-start default
> # setenforce 1

There is only one detail to be observed: if virsh is run before 'setenforce 0', then the above does not work until the system is restarted. More details: it is not even 'needed' to net-start; any virsh command will trigger the autostart if 'setenforce 0' was issued.
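The report above shows the symptom (libvirt cannot execute /sbin/iptables) but not the underlying SELinux denial, and the workaround switches the whole system to permissive mode. A less blunt way to triage this class of failure is to read the AVC records from the audit log, pick out the denials that hit the libvirt daemons' firewall calls, and see whether each one was actually blocked (permissive=0) or merely logged while the box was in permissive mode (permissive=1). The following script is an added example, not part of the bug report or of the selinux-policy package; the audit lines, the process name virtnetworkd and the types virtnetworkd_t and iptables_exec_t are constructed sample values, not taken from the reporter's system.

```python
import re
from dataclasses import dataclass

# Constructed sample audit.log excerpt (not from the bug report). The
# comm/type names are assumptions chosen to look like a libvirt denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1699000000.123:456): avc:  denied  { execute } for  pid=1234 comm="virtnetworkd" name="iptables" dev="vda2" ino=98765 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1699000001.456:457): avc:  denied  { execute } for  pid=1234 comm="virtnetworkd" name="iptables" dev="vda2" ino=98765 scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1699000002.789:458): avc:  denied  { read } for  pid=2222 comm="sshd" name="shadow" dev="vda2" ino=1111 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1699000000.123:456): arch=c000003e syscall=59 success=no exit=-13
"""

# Firewall binaries libvirt's network driver invokes (iptables is the one
# named in the report; the others are libvirt's other firewall backends).
FIREWALL_TOOLS = {"iptables", "ip6tables", "ebtables"}

# One AVC record. Optional fields (name=, permissive=) are made optional
# because kernels/auditd versions differ in what they emit.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*? '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


@dataclass
class Denial:
    pid: int
    comm: str
    name: str          # target object name, "" if absent
    perms: list        # permissions that were denied, e.g. ["execute"]
    scontext: str
    tcontext: str
    tclass: str
    blocked: bool      # True when permissive=0 (the operation really failed)

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_denials(text: str) -> list:
    """Return one Denial per AVC 'denied' record in an audit.log excerpt."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and non-AVC noise are skipped
        out.append(Denial(
            pid=int(m["pid"]),
            comm=m["comm"],
            name=m["name"] or "",
            perms=m["perms"].split(),
            scontext=m["scontext"],
            tcontext=m["tcontext"],
            tclass=m["tclass"],
            # Missing permissive= is treated as enforced, the conservative reading.
            blocked=(m["permissive"] or "0") == "0",
        ))
    return out


def libvirt_iptables_denials(denials: list) -> list:
    """Keep only execute denials where a libvirt domain tried to run a firewall tool."""
    return [
        d for d in denials
        if "execute" in d.perms
        and d.name in FIREWALL_TOOLS
        and "virt" in d.source_type
    ]


def suggested_rule(d: Denial) -> str:
    """The allow rule a policy maintainer would look at (audit2allow style);
    it is a starting point for diagnosis, not something to load as-is."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


if __name__ == "__main__":
    for d in libvirt_iptables_denials(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        state = "BLOCKED" if d.blocked else "logged only (permissive)"
        print(f"pid={d.pid} {d.comm} -> {d.name}: {state}")
        print("   ", suggested_rule(d))
```

Run against a real `ausearch -m AVC -ts recent` dump, the two-line output for the constructed sample separates the denial that broke `virsh net-start` from the one recorded during the `setenforce 0` window, which is the evidence a maintainer needs when deciding whether the policy or the local environment is at fault.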
Not 100% sure if the policy is at fault or something changed while the policy was updated. Issue was observed before the newest libvirt release (i.e. 20231103 -> libvirt 9.9.0).
community spotted the issue first: https://forums.opensuse.org/t/latest-update-in-microos-results-in-kvm-failure-to-start-network/170280
Seems to be multiple issues on top of each other. The first seems to have to do with the io_uring changes introduced in kernel.if. Then there seem to be some changes introduced in the virt policy module refactoring (https://github.com/fedora-selinux/selinux-policy/pull/1754). Being new it could be that there are some teething issues upstream as well, or it could be that they are specific to our environment.
The io_uring issue has been reported and is being worked on upstream: https://bugzilla.redhat.com/show_bug.cgi?id=2245233
if it helps, restarting associated services, and then restarting manually the networks (libvirt ones) is another workaround... I guess that won't scale on production systems though :)
*** Bug 1216870 has been marked as a duplicate of this bug. ***
*** Bug 1217470 has been marked as a duplicate of this bug. ***
Update to factory is in the queue: https://build.opensuse.org/request/show/1128521 Changes are already in the staging project, in case it is super urgent you can test it with that one: https://build.opensuse.org/package/show/security:SELinux/selinux-policy
Fix is upstream, please reopen if you still encounter the issue. Thanks!
sorry, s/upstream/in factory
Thanks a lot Cathy! Works on my affected server machines now!
Just a heads up, I am currently reworking the fix. It is in security:SELinux in case someone wants to test it; I will submit to factory this week. Please let me know in case anything breaks (I tested locally, but for all eventualities :))
This is an autogenerated message for OBS integration: This bug (1216903) was mentioned in https://build.opensuse.org/request/show/1157662 Factory / selinux-policy