Bug 478734
Summary: | selinux blocks kvm network configuration script (e.g. /etc/qemu-ifup) | ||
---|---|---|---|
Product: | [Community] Virtualization Tools | Reporter: | Pierre Ossman <pierre-bugzilla> |
Component: | libvirt | Assignee: | Daniel Veillard <veillard> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | berrange, clalance, crobinso, dwmw2, markmc, mgrepl, veillard, virt-maint, xen-maint |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-12 17:25:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Pierre Ossman
2009-01-04 12:15:06 UTC
/dev/mapper/system-fiat needs to be labeled virt_image_t # semanage fcontext -a -t virt_image_t /dev/mapper/system-fiat # restorecon /dev/mapper/system-fiat Should fix this. Daniel, this is what I was talking about using the qemu both for setup and the actual running of the qemu leads to excessive privs required for qemu. If we ever hope to confine what a qemu process is doing, we need to separate out the setup from the running of the guest OS. So we need to processes run. libvirt_t->qemu_setup_t->qemu_t Running one process that sets up the guest os and then running the guest os, will force us to allow the guest os process the ability to manipulate the hosts networking. So if someone breaks out of the guest os, he will be able to change the network on the host machine. Ahhhh, I understand what you mean now. So 'qemu' would start with 'qemu_setup_t' domain, and then 'drop privileges' by transitioning to the 'qemu_t'. The hard thing here is that you can hot-plug lots of virtual hardware, adding/removing NICs and Disks on the fly. Many deployment scenarios won't care about hotplug though, so we could certainly restrict them. NB for networking the normal case libvirtd will do the networking setup, passing QEMU a pre-opened & configured TAP device FD. Running shell scripts for setting up networking is only for when QEMU is launched outside context of libvirt. (In reply to comment #2) > /dev/mapper/system-fiat needs to be labeled virt_image_t > > # semanage fcontext -a -t virt_image_t /dev/mapper/system-fiat > # restorecon /dev/mapper/system-fiat > > Should fix this. I'll give that a try. Oddly enough though, there were three other guests started after this with the same context for the storage, yet only this first one generated avc messages. Is there some filtering going on in the audit output? (In reply to comment #4) > NB for networking the normal case libvirtd will do the networking setup, > passing QEMU a pre-opened & configured TAP device FD. Running shell scripts for > setting up networking is only for when QEMU is launched outside context of > libvirt. No, not only. In my case I use libvirt and a <script/> addition in the <interface/>. I do this to get a routed guest, something that libvirt isn't supporting directly. There's a lot to be said for having qemu/kvm/etc networking set up in _advance_ by the standard network scripts, using persistent tun devices. Then all qemu would have to do would be to open it and send packets; no actual configuration (even in libvirtd). Any news here? dwalsh: the problem here appears to be the use of a script to configure the tap interface e.g. <interface type='ethernet'> <target dev='vnet7'/> <script path='/etc/qemu-ifup-mynet'/> </interface> pierre: could you attach your domain's XML configuration and the network script? IMHO, it is simply not practical to support SELinux enforcing mode when using type='ethernet'. The config will be executing arbitrary shell scripts and as such we have no way of knowing what the user will want to be able todo in these scripts. In addition allowing the running of arbitrary network commands from these scripts will compromise the security of all other QEMU configs, by allowing QEMU to execute ifcfg / ip commands that it should not ordinarily be allowed todo. The most practical option here is to determine how to support the desired network config directly in libvirtd, avoiding the need to run a guest with type='ethernet' config, and avoiding need for QEMU to be given ability to run arbitrary networking commands. Fair enough - moving to upstream libvirt pierre: given danpb's comment, we need information on your configuration so that we can try and support this in libvirt without the need for a qemu-ifup script My desires are fairly simple. I want my machines to be routed via the host, not bridged or any libvirt specific magic. My script is nothing special, only that it computes the IP configuration based on the if name (to keep things simple). It is acceptable to have to enter the host side configuration for each guest in a generic solution though. Example of one network configuration: <interface type='ethernet'> <mac address='00:16:3e:00:00:02'/> <script path='/etc/libvirt/qemu/ifup'/> <target dev='virt11'/> <model type='virtio'/> </interface> The "ifup" script: #!/bin/bash if ! echo $1 | grep "^virt[0-9]\+$" > /dev/null; then exit fi NUM=`echo $1 | sed 's%virt\([0-9]\+\)%\1%'` IPADDR=10.8.3.$[ $NUM * 8 + 1 ] NETMASK=255.255.255.248 ifconfig $1 $IPADDR netmask $NETMASK Has anyone had a chance to look at this? It is now worse than before - QEMU now runs unprivileged, so network scripts have non of the capabilities required to configure networking http://www.redhat.com/archives/libvir-list/2009-November/msg00336.html Well thanks for that. Is anyone working on a solution that will support routed guests? Ping! Any comments? You can't really go and remove a common use case like that without providing any alternatives. In 0.8.2, /etc/libvirt/qemu.conf allows you to run with VMs with full capabilities clear_emulator_capabilities = 0 user = "root" group = "root" This is of course horribly insecure, but that's only option for direct use of qemu's ifup scripts. |