Bug 477187

Summary: selinux policy requires ISO images to be virt_image_t
Product: [Fedora] Fedora Reporter: Jeff Bastian <jbastian>
Component: libvirtAssignee: Daniel Veillard <veillard>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 10CC: berrange, clalance, crobinso, stijn, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-04 11:08:14 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jeff Bastian 2008-12-19 10:09:57 EST 
Description of problem:
I'm trying to create a KVM virtual machine under Fedora 10.  I'm using virt-manager.  I pointed it an ISO image of RHEL 5.1, and when the install tried to start, SELinux blocked it, and setroubleshooter told me that the ISO image needs to be virt_image_t.

Obviously, the ISO file is not the virtual machine disk image, so it shouldn't matter what type ths ISO file is.  It's currently default_t:

$ ls -Z RHEL5.1-Client-20071017.0-x86_64-DVD.iso
-rw-r--r--  jbastian jbastian system_u:object_r:default_t:s0   RHEL5.1-Client-20071017.0-x86_64-DVD.iso

/var/log/messages contains
Dec 19 08:45:44 tarantula setroubleshoot: SELinux is preventing qemu (qemu-kvm)"read" to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso (default_t). For complete SELinux messages. run sealert -l 69452186-cf86-4caf-b372-3ffb4e250c0b          

Full sealert text is below.

I ran
  chcon -t virt_image_t RHEL5.1-Client-20071017.0-x86_64-DVD.iso
and that allowed me to proceed.


Version-Release number of selected component (if applicable):
kvm-74-6.fc10.x86_64
selinux-policy-3.5.13-34.fc10.noarch
selinux-policy-targeted-3.5.13-34.fc10.noarch
virt-manager-0.6.0-5.fc10.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. Try to create a virtual machine
2. Point virt-manager at an ISO file for the installation source
  
Actual results:
SELinux prevents the install from happening.

Expected results:
Install can use the ISO file with default_t or any other type, e.g., user_home_t if the ISO is in my home dir.


Additional info:

$ sudo sealert -l 69452186-cf86-4caf-b372-3ffb4e250c0b                        
Summary:                                                                        

SELinux is preventing qemu (qemu-kvm) "read" to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso (default_t).

Detailed Description:

SELinux denied qemu access to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso. If
this is a virtualization image, it has to have a file context label of      
virt_image_t. The system is setup to label image files in                   
directory./var/lib/libvirt/images correctly. We recommend that you copy your
image file to /var/lib/libvirt/images. If you really want to have your qemu 
image files in the current directory, you can relabel                       
./RHEL5.1-Client-20071017.0-x86_64-DVD.iso to be virt_image_t using chcon. You
also need to execute semanage fcontext -a -t virt_image_t                     
'./RHEL5.1-Client-20071017.0-x86_64-DVD.iso' to add this new path to the system
defaults. If you did not intend to use                                         
./RHEL5.1-Client-20071017.0-x86_64-DVD.iso as a qemu image it could indicate   
either a bug or an intrusion attempt.                                          

Allowing Access:

You can alter the file context by executing chcon -t virt_image_t
'./RHEL5.1-Client-20071017.0-x86_64-DVD.iso' You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t virt_image_t
'./RHEL5.1-Client-20071017.0-x86_64-DVD.iso'"

Fix Command:

chcon -t virt_image_t './RHEL5.1-Client-20071017.0-x86_64-DVD.iso'

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          tarantula.localdomain
Source RPM Packages           kvm-74-6.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   qemu_file_image
Host Name                     tarantula.localdomain
Platform                      Linux tarantula.localdomain
                              2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35
                              EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Dec 19 08:45:44 2008
Last Seen                     Fri Dec 19 08:45:44 2008
Local ID                      69452186-cf86-4caf-b372-3ffb4e250c0b
Line Numbers

Raw Audit Messages

node=tarantula.localdomain type=AVC msg=audit(1229697944.194:176): avc:  denied { read } for  pid=3906 comm="qemu-kvm" name="RHEL5.1-Client-20071017.0-x86_64-DVD.iso" dev=dm-1 ino=3154201 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

node=tarantula.localdomain type=SYSCALL msg=audit(1229697944.194:176): arch=c000003e syscall=2 success=no exit=-13 a0=7fffa2b01310 a1=0 a2=1a4 a3=30a276da70 items=0 ppid=2629 pid=3906 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-12-19 11:56:20 EST 
We need a way to separate the installation of a image from the actual running of an image.

The problem right now when libvirtd runs an install it call qemu to do the install.  It also calls qemu when it runs an image.  Since we want to lock down the running of an image we need to change this behaviour some how.

A couple of choices to fix this.  

Execute an intemediary script or program to do the install.

libvirtd->virtd_install.sh-> qemu

Then I could label virtd_install.sh as virt_install_t and not transition to qemu_t when doing an install.

Another thing we could do is have libvirtd call (pseudo code)

con = getcon()
setexeccon(con)
exec(qemu) for install
setexeccon(NULL)

Which would stop the transition from happening on an install.
Comment 2 Stijn Hoop 2009-02-16 10:55:21 EST 
Seeing this as well. Are you sure this is only a problem during install? I might want to "insert" a different CD (a.k.a. connect a different .iso file) while running a VM, let's say the next Fedora installation DVD I've just downloaded as a normal user over the internet?
Comment 3 Daniel Berrange 2009-08-04 11:08:14 EDT 
In Fedora 11  we introduced more advanced SELinux support into libvirt, known as 'sVirt'. With this, libvirtd will automatically relabel ISO images & diskl images to virt_image_t when required.  This new code is too invasive to consider backporting to Fedora 10, so I'm closing this WONTFIX.