Bug 1017689

Summary: /usr/libexec/qemu-bridge-helper permissions should be 4755
Product: Red Hat Enterprise Linux 7
Component: qemu-kvm
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Paolo Bonzini <pbonzini>
Assignee: Miroslav Rezanina <mrezanin>
QA Contact: Virtualization Bugs <virt-bugs>
CC: acathrow, juzhang, pbonzini, qiguo, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: qemu-kvm-1.5.3-17.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 09:58:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 884569

Description Paolo Bonzini 2013-10-10 10:46:50 UTC
/usr/libexec/qemu-bridge-helper needs capabilities to set up a bridge.

Libvirt was changed in version 1.0.5 to not use the helper when running in system mode (commit 2d80fbb, qemu: launch bridge helper from libvirtd, 2013-04-20).  System mode is the only mode that matters for common criteria certifications.

Comment 2 Miroslav Rezanina 2013-11-07 15:55:47 UTC
Fix included in qemu-kvm-1.5.3-17.el7

Comment 4 Qian Guo 2013-12-17 07:23:41 UTC
Hi, Paolo

I checked with qemu-kvm-1.5.3-21.el7.x86_64 that the qemu-bridge-helper's permission is 4755:
# stat /usr/libexec/qemu-bridge-helper 
  File: ‘/usr/libexec/qemu-bridge-helper’
  Size: 15336     	Blocks: 32         IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 1403635     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:virt_bridgehelper_exec_t:s0
Access: 2013-12-17 03:43:49.840111230 +0800
Modify: 2013-12-03 13:40:16.000000000 +0800
Change: 2013-12-13 15:25:37.942931532 +0800
 Birth: -

But I found that the permission in a build before qemu-kvm-1.5.3-17.el7 (I used qemu-kvm-1.5.1-2.el7.x86_64) is 4755 too, so I am not sure whether this bug can be verified this way.

(In reply to Paolo Bonzini from comment #0)
> /usr/libexec/qemu-bridge-helper needs capabilities to set up a bridge.
>
Tested with both qemu-kvm builds: since the permission is 4755 for both, I can boot a guest using the tap that is set up by the bridge-helper as an unprivileged user:

Steps:
1. Check the existing bridge:
$ brctl show
bridge name	bridge id		STP enabled	interfaces
switch		0080.24be0518809b	no		em1

2. Confirm the qemu-bridge-helper ACL permits the switch:
$ cat /etc/qemu-kvm/bridge.conf 
allow virbr0
allow switch

3. Launch qemu with a network set up by this helper:
$ /usr/libexec/qemu-kvm -net bridge,br=switch -monitor stdio

(qemu) info network
hub 0
 \ bridge.0: index=0,type=tap,helper=/usr/libexec/qemu-bridge-helper,br=switch

4. Check the interfaces:
$ brctl show
bridge name	bridge id		STP enabled	interfaces
switch		0080.24be0518809b	no		em1
							tap0

Paolo, can we verify this bug according to the above?

thanks,
qiguo
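
The checks from comment 4 as an added script, not part of the bug report or of qemu-kvm: it tests a mode/owner pair against the root-owned 4755 expectation and evaluates a bridge.conf ACL for one bridge. The function names are hypothetical, the `deny` and `all` handling (a deny wins) is an assumption beyond the `allow` lines shown in the report, `include` lines are not followed, and the sample ACL is constructed.

```shell
#!/bin/sh
# Added example: audit the bridge helper's mode/owner and its ACL file.

# helper_mode_ok MODE UID: succeed only for a setuid binary owned by root
# that group and others cannot write (4755 root:root in the bug report).
helper_mode_ok() {
    mode=$1 uid=$2
    [ "$uid" = 0 ] || return 1
    [ $(( 0$mode & 04000 )) -ne 0 ] || return 1   # setuid bit must be set
    [ $(( 0$mode & 0022 )) -eq 0 ] || return 1    # no group/other write bit
}

# check_helper PATH: read octal mode and owner uid with GNU stat, then apply
# helper_mode_ok. Fails if the file cannot be examined.
check_helper() {
    out=$(stat -c '%a %u' "$1") || return 1
    helper_mode_ok "${out% *}" "${out#* }"
}

# bridge_allowed CONF BRIDGE: succeed if an allow rule matches BRIDGE and no
# deny rule does. Assumption: "all" is a wildcard and a deny always wins.
bridge_allowed() {
    conf=$1 br=$2 allowed=no denied=no
    while read -r verb name rest || [ -n "$verb" ]; do
        case $verb in ''|'#'*) continue ;; esac    # blank line or comment
        case "$verb $name" in
            "allow $br"|"allow all") allowed=yes ;;
            "deny $br"|"deny all")   denied=yes ;;
        esac
    done < "$conf"
    [ "$allowed" = yes ] && [ "$denied" = no ]
}

# Constructed sample: the ACL from comment 4 plus one deny rule.
sample=$(mktemp)
printf 'allow virbr0\nallow switch\ndeny br-mgmt\n' > "$sample"
for b in switch br-mgmt br0; do
    if bridge_allowed "$sample" "$b"; then echo "$b: allowed"
    else echo "$b: denied"; fi
done
helper_mode_ok 4755 0 && echo "mode 4755, uid 0: ok"
rm -f "$sample"
```

On a real host, `check_helper /usr/libexec/qemu-bridge-helper` and `bridge_allowed /etc/qemu-kvm/bridge.conf switch` cover the stat check and step 2 of the procedure above.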

Comment 5 Paolo Bonzini 2013-12-17 16:38:44 UTC
Yes, thanks!

Comment 6 Qian Guo 2013-12-20 02:26:30 UTC
According to comment #4 and comment #5, this bug can be verified by qemu-kvm-1.5.3-21.el7.x86_64.

Comment 8 Ludek Smid 2014-06-13 09:58:02 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.