Bug 1217470 - SELinux prevents virsh net-start
Summary: SELinux prevents virsh net-start
Status: RESOLVED DUPLICATE of bug 1216903
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Reported: 2023-11-24 08:20 UTC by Felix Niederwanger
Modified: 2023-11-24 08:53 UTC


Attachments
avc after the denial happens (10.17 KB, text/plain)
2023-11-24 08:20 UTC, Felix Niederwanger

Description Felix Niederwanger 2023-11-24 08:20:56 UTC
Created attachment 870960
avc after the denial happens

On the current Tumbleweed 20231122 with SELinux in enforcing mode, starting a libvirt network fails with the permission to iptables being denied:

> # virsh net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT: libvirt:  error : cannot execute binary /sbin/iptables: Permission denied

The issue could be present for some weeks already.

I'm also attaching the output of `ausearch -ts boot -m avc` as avc.txt.
Comment 2 Filippo Bonazzi 2023-11-24 08:39:40 UTC
Sorry, wrong bug. Duplicate of bug 1216903
Comment 3 Cathy Hu 2023-11-24 08:44:13 UTC
Yes, it's a duplicate of 1216903

*** This bug has been marked as a duplicate of bug 1216903 ***
Comment 4 Felix Niederwanger 2023-11-24 08:53:06 UTC
Yes indeed, thank you!