Bug 437802
| Field | Value |
|---|---|
| Summary | libvirt daemon needs to be able to run lokkit |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 9 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED DUPLICATE |
| Severity | low |
| Priority | low |
| Reporter | Daniel Berrangé <berrange> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | dkelson, nalin |
| Doc Type | Bug Fix |
| Last Closed | 2008-06-11 14:48:41 UTC |
Description
Daniel Berrangé
2008-03-17 14:39:17 UTC
Seems like it is going to need more than this if it is actually going to modify iptables?

Rules added in selinux-policy-3.3.21.fc9

Well, those are the only AVC messages I got when I switched to 'permissive' mode. I'll test the new policy & report back if further rules are needed.

Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

I'm using F9 with all errata applied (i.e., selinux-policy-3.3.1-55.fc9.noarch) and I'm still having this problem.

```
host=mentorng.gurulabs.com type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
host=mentorng.gurulabs.com type=SYSCALL msg=audit(1213079217.414:67): arch=c000003e syscall=2 success=no exit=-13 a0=1bb3300 a1=241 a2=1b6 a3=7fef3cee86f0 items=0 ppid=2689 pid=12992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lokkit" exe="/usr/bin/python" subj=system_u:system_r:virtd_t:s0 key=(null)
```

After running in permissive mode, audit2allow suggests:

```
#============= virtd_t ==============
allow virtd_t admin_home_t:dir read;
allow virtd_t etc_t:file { write setattr };
allow virtd_t modules_dep_t:file getattr;
allow virtd_t modules_object_t:dir read;
allow virtd_t modules_object_t:lnk_file read;
allow virtd_t src_t:dir read;
```

```
# ls -alZ /etc/sysconfig/iptables
-rw------- root root system_u:object_r:etc_t:s0 /etc/sysconfig/iptables
```

I am not sure this is a great idea, from a security point of view, to allow the virtd daemon to change the iptables rules on the host system.

Libvirt needs to provide various forms of connectivity to guest VMs. One form is an isolated network, which is a bridge device to which guest TAP devices are attached, but which has no physical NIC attached. We need to add iptables rules to stop traffic being forwarded out of the bridge. The other form is a NAT based network, which again consists of a bridge device with guests attached. We then add iptables rules to allow outbound traffic to the LAN, using masquerading for traffic. Unfortunately I don't see any alternative way to provide this functionality which would allow for more fine grained security policy - lokkit is pretty much an all or nothing tool, since it is so general purpose.

On further investigation I think use of lokkit in libvirt should be removed entirely. It is crazy to require the entire python stack, merely in order to write a single plain text file. In addition lokkit does so many things we don't need in libvirt - we don't want to have to allow access to such a broad range of functionality in the selinux policy. I think it'll be preferable to just write the config file directly, and then we only need allow access to a single file in the policy.
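Added example (not code from the bug report, libvirt or selinux-policy): it parses AVC records like the one quoted above into the allow rule audit2allow would propose, and flags a rule whose target is a generic type such as etc_t, since `allow virtd_t etc_t:file write` would cover every etc_t file under /etc rather than the one iptables file the daemon needs. The BROAD_TYPES list and the second (setattr) record are assumptions constructed for the demonstration.

```python
"""Parse SELinux AVC denials into the allow rule audit2allow would propose,
flagging rules that target broad generic types such as etc_t. Added example,
not from the bug report or libvirt; sample records constructed from it."""
import re
from collections import defaultdict

# Constructed: the report's write denial, its SYSCALL record, a hypothetical setattr denial.
SAMPLE_AUDIT = """\
host=mentorng.gurulabs.com type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
host=mentorng.gurulabs.com type=SYSCALL msg=audit(1213079217.414:67): arch=c000003e syscall=2 success=no exit=-13 comm="lokkit" exe="/usr/bin/python"
host=mentorng.gurulabs.com type=AVC msg=audit(1213079218.001:68): avc: denied { setattr } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')

# Generic types: an allow rule against them covers far more than the denied file.
BROAD_TYPES = {"etc_t", "var_t", "usr_t", "tmp_t", "admin_home_t"}

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) per AVC record."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = m.group("sctx").split(":")[2]  # context is user:role:type:level
        ttype = m.group("tctx").split(":")[2]
        found.append((stype, ttype, m.group("tclass"), set(m.group("perms").split())))
    return found

def suggest_rules(text):
    """Merge denials per (source, target, class) as audit2allow does; return
    (rule, is_broad) pairs, is_broad meaning the rule should be narrowed."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        grouped[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        joined = " ".join(sorted(perms))
        if len(perms) > 1:
            joined = "{ " + joined + " }"
        rules.append((f"allow {stype} {ttype}:{tclass} {joined};", ttype in BROAD_TYPES))
    return rules

if __name__ == "__main__":
    for rule, broad in suggest_rules(SAMPLE_AUDIT):
        print(("BROAD " if broad else "      ") + rule)
```

A flagged rule is the cue to give the single file its own type (as the last comment proposes, writing one file directly) rather than accepting the generated rule.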