Bug 355661

Summary: dnsmasq accesses /var/lib/libvirt
Product: Fedora
Reporter: Ulrich Drepper <drepper>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:20:56 UTC

Description Ulrich Drepper 2007-10-28 06:00:50 UTC
Description of problem:
The selinux policy does not allow access to /var/lib/libvirt which has the label
virt_var_lib_t.  I don't see a reason why this directory is accessed.  For this
reason I file the bug for dnsmasq and not selinux-policy.  Should there be a
real reason, move the file to selinux-policy.

Version-Release number of selected component (if applicable):
dnsmasq-2.40-1.fc8.x86_64

How reproducible:
I cannot say...

Actual results:
AVC below

Expected results:
No AVC

Additional info:
Summary
    SELinux is preventing dnsmasq (dnsmasq_t) "write" to <Unknown>
    (virt_var_lib_t).

Detailed Description
    SELinux denied access requested by dnsmasq. It is not expected that this
    access is required by dnsmasq and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:object_r:virt_var_lib_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-24.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     x61.akkadia.org
Platform                      Linux x61.akkadia.org 2.6.23.1-23.fc8 #1 SMP Wed
                              Oct 17 18:14:46 EDT 2007 x86_64 x86_64
Alert Count                   10
First Seen                    Tue 16 Oct 2007 03:52:31 AM PDT
Last Seen                     Sat 20 Oct 2007 07:48:35 PM PDT
Local ID                      b3fa5b7c-8aaa-4177-b58e-0e06bf8bf2f4
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=dnsmasq dev=sda5 name=libvirt pid=2287
scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir
tcontext=system_u:object_r:virt_var_lib_t:s0

Comment 1 Jima 2007-10-28 14:04:32 UTC
While I could be totally mistaken, I suspect libvirt is configuring your dnsmasq
instance to make use of that directory.  Nothing in dnsmasq source (or our CVS
for it) even refers to that directory, or libvirt at all.  However, libvirt
makes use of dnsmasq for DHCP services on an internal virtual network (from my
understanding).  I believe the bug should either be with libvirt or selinux-policy.

In summary, I have no way of knowing how "downstream" packages (like libvirt)
are going to configure dnsmasq, and shouldn't be responsible for giving them
access to things I have no business accessing. :-)

Comment 2 Ulrich Drepper 2007-10-28 16:30:43 UTC
You're right.  I didn't expect there to be anything like this since I didn't
configure or use libvirt at all on this machine.  Nevertheless, there it is, this
process is running:

/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces
--pid-file  --conf-file  --listen-address 192.168.122.1 --except-interface lo
--dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range
192.168.122.2,192.168.122.254

So, Dan, does the policy allow the lease file to be written?  The
/var/lib/libvirt directory seems to be correctly labelled:

# ll -Zd /var/lib/libvirt
drwxr-xr-x  root root system_u:object_r:virt_var_lib_t:s0 /var/lib/libvirt

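The denial from the report, run through a small triage helper added here (example code written for this page, not from dnsmasq, libvirt or the selinux-policy package): it parses raw AVC lines, pulls out the source and target types, and emits the minimal allow rule a local policy module would need, which is what the "Allowing Access" text above points at. The first sample line is the audit message from this bug joined onto one line; the second is constructed to show the lease-file write that the --dhcp-leasefile argument in comment 2 implies.

```python
import re

# Constructed sample input. Line 1 is the AVC from this bug report (joined onto
# one line); line 2 is a constructed follow-on denial for the lease file that
# libvirt's --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases would produce.
SAMPLE_AVCS = """\
avc: denied { write } for comm=dnsmasq dev=sda5 name=libvirt pid=2287 scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir tcontext=system_u:object_r:virt_var_lib_t:s0
avc: denied { read write } for comm=dnsmasq name=dhcp-default.leases pid=2287 scontext=system_u:system_r:dnsmasq_t:s0 tclass=file tcontext=system_u:object_r:virt_var_lib_t:s0
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)

    def type_of(ctx):
        # A context is user:role:type:level; the type is what policy rules use.
        return ctx.split(":")[2]

    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),          # object name, e.g. the "libvirt" dir
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class),
    the way audit2allow summarises them. Review each rule before loading it:
    a rule is only correct when the access is legitimate, as it turned out to be here."""
    merged = {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return sorted(rules)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Checking the emitted rule against the process command line (here, the lease file under /var/lib/libvirt) is what decides whether the access is a policy gap, as in this bug, or something to investigate.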

Comment 3 Daniel Walsh 2007-10-30 03:40:50 UTC
This should be fixed in selinux-policy-3.0.8-38

Comment 4 Daniel Walsh 2008-01-30 19:20:56 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.