Bug 1267217

Summary: selinux denial when adding bridge via monitor command
Product: [Fedora] Fedora Reporter: Dominik Perpeet <dperpeet>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 22CC: amit.shah, berrange, cfergeau, crobinso, dominick.grift, dperpeet, dwalsh, dwmw2, itamar, lvrabec, mgrepl, pbonzini, plautrba, rjones, stefw, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-128.24.fc22 selinux-policy-3.13.1-128.28.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-10 17:57:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dominik Perpeet 2015-09-29 11:19:18 UTC 
Description of problem:
When running a domain as non-root and adding a bridge via qemu monitor command, selinux prevents successul execution.

Version-Release number of selected component (if applicable):
Name        : qemu-common
Arch        : x86_64
Epoch       : 2
Version     : 2.3.1
Release     : 3.fc22

How reproducible:
Always

Steps to Reproduce:
1. start a domain, e.g. with ID 2
2. virsh -c qemu:///session qemu-monitor-command 2 --hmp 'netdev_add bridge,id=hostnet8'

Actual results:
Device 'bridge' could not be initialized

journal:
audit[24376]: <audit-1400> avc:  denied  { read } for  pid=24376 comm="qemu-bridge-hel" name="urandom" dev="devtmpfs" ino=1033 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c4,c652 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0


Expected results:
Successful run. It works with setenforce 0
Comment 1 Cole Robinson 2015-09-29 13:11:48 UTC 
I don't see where in the qemu-bridge-helper code it's using /dev/urandom, but I imagine it should be safe to allow
Comment 2 Lukas Vrabec 2015-09-29 13:19:01 UTC 
Hi, 

Could you attach version of selinux-policy package? 

On my system, I can see:

$ sesearch -A -s virt_bridgehelper_t -t urandom_device_t 
Found 1 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; 

$ rpm -q selinux-policy
selinux-policy-3.13.1-128.16.fc22.noarch
Comment 3 Dominik Perpeet 2015-09-29 13:57:40 UTC 
My version is slightly older, but seems to have the same rule.

$ sesearch -A -s virt_bridgehelper_t -t urandom_device_t 
Found 1 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ; 

$ rpm -q selinux-policy
selinux-policy-3.13.1-128.13.fc22.noarch

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
Comment 4 Dominik Perpeet 2015-09-29 15:50:02 UTC 
I got a step further by adding the following rules, but adding the bridge device still fails. Would that be a separate issue then? I wouldn't expect the selinux failures in any case.

module bridge_policy 1.0;

require {
        type urandom_device_t;
        type virt_bridgehelper_t;
        class chr_file { read getattr open };
}

#============= virt_bridgehelper_t ==============

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow virt_bridgehelper_t urandom_device_t:chr_file getattr;

#!!!! This avc is allowed in the current policy
allow virt_bridgehelper_t urandom_device_t:chr_file { read open };
Comment 5 Dominik Perpeet 2015-09-30 12:09:43 UTC 
If I look at the noaudit messages, I find more culprits. Among those is

time->Wed Sep 30 13:12:27 2015
type=AVC msg=audit(1443611547.332:1389): avc:  denied  { read write } for  pid=17613 comm="qemu-bridge-hel" path="socket:[195274]" dev="sockfs" ino=195274 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c49,c562 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c49,c562 tclass=unix_stream_socket permissive=0

This combined ruleset lets everything work as expected (bridge added without complaint with setenforce 1):

module cockpit_test_bridge 1.0;

require {
        type urandom_device_t;
        type virt_bridgehelper_t;
        type svirt_t;
        class unix_stream_socket { read write };
        class chr_file { read getattr open };
}

#============= virt_bridgehelper_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow virt_bridgehelper_t svirt_t:unix_stream_socket { read write };

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow virt_bridgehelper_t urandom_device_t:chr_file { read getattr open };
Comment 6 Miroslav Grepl 2015-10-13 07:33:09 UTC 
So you needed to add also

allow virt_bridgehelper_t svirt_t:unix_stream_socket { read write };

rules to make it working?
Comment 7 Dominik Perpeet 2015-10-13 07:58:15 UTC 
Yes, I needed all the rules I listed in the previous post. Feel free to test this with the steps I listed above!
Comment 8 Stef Walter 2015-12-15 13:12:22 UTC 
This makes Cockpit development harder than it should be. Developers end up disabling SELinux in order to run the Cockpit test suite, and then leave it off.

Is there anything else required to get this fixed?
Comment 9 Miroslav Grepl 2016-01-04 19:28:20 UTC 
Added fixes to all Fedoras.

Lukas,
could you please make builds and updates. Thank you.
Comment 10 Fedora Update System 2016-01-18 13:19:49 UTC 
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 11 Fedora Update System 2016-01-20 03:53:09 UTC 
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 12 Fedora Update System 2016-02-15 17:46:31 UTC 
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 13 Fedora Update System 2016-02-17 06:25:58 UTC 
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 14 Fedora Update System 2016-02-18 12:27:21 UTC 
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 15 Fedora Update System 2016-02-21 18:28:55 UTC 
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 16 Fedora Update System 2016-05-10 17:55:40 UTC 
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.