Bug ID 1216903
Summary SELinux: policy update broke kvm network autostart
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee jsegitz@suse.com
Reporter rfrohl@suse.com
QA Contact qa-bugs@suse.de
CC cathy.hu@suse.com
Target Milestone ---
Found By ---
Blocker ---

Hi,

since the update to selinux-policy: 20231030, KVM network autostart/interaction
is broken. If one tries to start the network manually in virsh the following
error is observed:

> virsh # net-start default
> error: Failed to start network default
> error: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --list-rules: libvirt:  error : cannot execute binary /sbin/iptables: Permission denied

with:

> virsh # net-info default
> Name:           default
> UUID:           31f53528-0578-4d70-b510-2f50fcf424f0
> Active:         no
> Persistent:     yes
> Autostart:      yes
> Bridge:         virbr0

As a workaround I am using:

> # setenforce 0
> # virsh net-start default
> # setenforce 1

There is only one detail to be observed: if virsh is run before 'setenforce 0',
then the above does not work until the system is restarted.

More details: it is not even 'needed' to net-start; any virsh command will
trigger the autostart if 'setenforce 0' was issued.

