Bug 496867

Summary: SELinux issue causing libvirtd launched dnsmasq to fail
Product: Red Hat Enterprise Linux 5
Reporter: Alan Pevec <apevec>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.3
CC: ajia, atodorov, berrange, clalance, crobinso, dwalsh, jkubin, mgrepl, mmalik, ohudlick, veillard
Target Milestone: alpha
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 484199
Last Closed: 2009-09-02 07:58:41 UTC

Description Alan Pevec 2009-04-21 14:04:39 UTC
libvirt is rebased in RHEL5.4, so need this fix in the RHEL5 selinux-policy

+++ This bug was initially created as a clone of Bug #484199 +++

This is rawhide with:

  libvirt-0.6.0-1.fc11.x86_64
  selinux-policy-3.6.3-12.fc11.noarch

default network isn't running after boot, trying to manually start it:

# virsh net-start default
libvir: error : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254' exited with non-zero status 3 and signal 0: 
dnsmasq: failed to open pidfile /var/run/libvirt/network/default.pid: Permission denied
error: Failed to start network default

AVC denied:

type=AVC msg=audit(1233834788.296:56): avc:  denied  { search } for  pid=4016 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

Trying again in permissive mode, it starts but with these additional AVCs:

type=AVC msg=audit(1233835237.160:58): avc:  denied  { search } for  pid=4060 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write } for  pid=4060 comm="dnsmasq" name="network" dev=dm-0 ino=1927185 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { add_name } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { create } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write open } for  pid=4060 comm="dnsmasq" name="default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.197:59): avc:  denied  { getattr } for  pid=4060 comm="dnsmasq" path="/var/run/libvirt/network/default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file

--- Additional comment from markmc on 2009-02-05 07:35:41 EDT ---

Just tried 0.6.0 from update-testing on F10 and confirmed it has the same issue

--- Additional comment from berrange on 2009-02-05 07:44:12 EDT ---

This is probably caused by the change in the way we launch DNSMASQ in libvirt 0.6.0

We now let it daemonize itself, and write out a PIDfile.

Specifically

  --pidfile /var/run/libvirt/network/$NAME.pid

So we likely need to add  /var/run/libvirt/network to the SELinux policy for DNSMASQ to be able to write to

--- Additional comment from markmc on 2009-02-06 03:25:15 EDT ---

*** Bug 484292 has been marked as a duplicate of this bug. ***

--- Additional comment from berrange on 2009-02-06 05:36:39 EDT ---

Changing to SELinux policy component, since I reckon we just need to add the dir I mention in comment #2

--- Additional comment from markmc on 2009-02-06 05:52:48 EDT ---

dwalsh: note, this is filed against rawhide but exists in F9 and F10 updates-testing too

--- Additional comment from dwalsh on 2009-02-06 11:38:22 EDT ---

Miroslav, Just add 

virt_manage_pid_files(dnsmasq_t) for F9 and F10.

Can you add /var/run/libvirt/network to the libvirt spec file and then we can label it as such only dnsmasq can write to it.

--- Additional comment from dwalsh on 2009-02-06 11:40:09 EDT ---

I can then add /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

--- Additional comment from berrange on 2009-02-06 14:16:02 EDT ---

One step ahead of you about the having the directory in libvirt RPM ! We have added it to the 0.6.0-1 RPM in Fedora

# rpm -qf /var/run/libvirt/network/
libvirt-0.6.0-1.fc10.x86_64

--- Additional comment from markmc on 2009-02-13 13:17:22 EDT ---

Also fixed by selinux-policy-3.5.13-45.fc10, right ?

--- Additional comment from mgrepl on 2009-02-16 04:29:25 EDT ---

Yes, it is.
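
The denial chain in the description, worked as an added example (this is not code from the bug report, from libvirt or from selinux-policy): a POSIX shell/awk script that folds AVC records into allow rules and a local policy module skeleton, which is what audit2allow does with the audit log. The sample records are the six permissive-mode AVCs quoted above, embedded here as constructed input; the module name local_dnsmasq_pid is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt/selinux-policy:
# reduce AVC denial records to allow rules and a local policy module, so the
# denials can be read as one policy requirement rather than one at a time.

# Constructed input: the AVC records the reporter captured in permissive mode
# (enforcing mode stops dnsmasq at the first one, the dir search).
AVC_SAMPLE='type=AVC msg=audit(1233835237.160:58): avc:  denied  { search } for  pid=4060 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write } for  pid=4060 comm="dnsmasq" name="network" dev=dm-0 ino=1927185 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { add_name } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { create } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write open } for  pid=4060 comm="dnsmasq" name="default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.197:59): avc:  denied  { getattr } for  pid=4060 comm="dnsmasq" path="/var/run/libvirt/network/default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file'

# avc_to_rules: read AVC records on stdin, print one "allow" rule per
# (source type, target type, object class), merging the permission sets.
avc_to_rules() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      # keep only the type field of user:role:type:level
      src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
      tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
      cls = $0; sub(/.*tclass=/, "", cls); sub(/[ \t].*/, "", cls)
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in rule)) { keys[++nkeys] = key; rule[key] = "" }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " rule[key] " ", " " p[i] " ") == 0)
          rule[key] = (rule[key] == "") ? p[i] : rule[key] " " p[i]
    }
    END {
      for (i = 1; i <= nkeys; i++) {
        split(keys[i], k, SUBSEP)
        printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rule[keys[i]]
      }
    }'
}

# rules_to_module NAME: read allow rules on stdin, emit a loadable .te module
# with the require block those rules need (types, classes, permissions).
rules_to_module() {
  awk -v name="$1" '
    /^allow / {
      split($3, tc, ":"); src = $2; tgt = tc[1]; cls = tc[2]
      if (!(src in seen_t)) { seen_t[src] = 1; types[++nt] = src }
      if (!(tgt in seen_t)) { seen_t[tgt] = 1; types[++nt] = tgt }
      if (!(cls in seen_c)) { seen_c[cls] = 1; classes[++nc] = cls; cperms[cls] = "" }
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (index(" " cperms[cls] " ", " " p[i] " ") == 0)
          cperms[cls] = (cperms[cls] == "") ? p[i] : cperms[cls] " " p[i]
      rules[++nr] = $0
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cperms[classes[i]]
      printf "}\n\n"
      for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Stand-alone run: print the module that would let dnsmasq_t manage its
# pidfile under a virt_var_run_t directory (assumed module name).
printf '%s\n' "$AVC_SAMPLE" | avc_to_rules | rules_to_module local_dnsmasq_pid
```

The output is two rules, `allow dnsmasq_t virt_var_run_t:dir { search write add_name };` and `allow dnsmasq_t virt_var_run_t:file { create write open getattr };`, which is the whole requirement: in enforcing mode the audit log shows only the first record, because dnsmasq exits on the failed search of /var/run/libvirt, and the rest of the chain becomes visible only when the process is allowed to continue, as the reporter did by switching to permissive mode. On a live box the same input comes from `ausearch -m avc -c dnsmasq`, and `checkmodule -M -m`, `semodule_package` and `semodule -i` turn the .te into a loaded module; that is a local workaround, and the vendor fix in this thread is the equivalent grant through the `virt_manage_pid_files(dnsmasq_t)` interface, or the narrower alternative of relabeling /var/run/libvirt/network as dnsmasq_var_run_t, which only works once the directory is owned by the libvirt package (hence the `rpm -qf` checks in the comments). The SYSCALL record in Comment 8 confirms the same picture from the other side: arch=40000003 is i386, syscall=5 is open(2) there, a1=8241 is O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, a2=1b6 is mode 0666, and exit=-13 is EACCES, i.e. the pidfile create that the file-class rule above covers.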

Comment 1 Daniel Walsh 2009-04-21 14:34:43 UTC
Fixed in selinux-policy-2.4.6-226.el5

Comment 2 Alan Pevec 2009-04-21 14:47:03 UTC
> Can you add /var/run/libvirt/network to the libvirt spec file

# rpm -q libvirt
libvirt-0.6.2-1.el5.x86_64
# rpm -qf /var/run/libvirt/network/
file /var/run/libvirt/network is not owned by any package

This is in Fedora but not in RHEL5 spec:
%dir %{_localstatedir}/run/libvirt/network/

Comment 4 Daniel Veillard 2009-04-22 09:45:15 UTC
w.r.t. #2 I will add this when I push libvirt 0.6.3 on Friday,
thanks for the heads-up !

Daniel

Comment 7 Daniel Veillard 2009-04-24 17:20:48 UTC
libvirt-0.6.3-1.el5 has been built into dist-5E-qu-candidate
and should fix the issue:

shell:/mnt/redhat/brewroot/packages/libvirt/0.6.3/1.el5 -> rpm -qlp ./x86_64/libvirt-0.6.3-1.el5.x86_64.rpm | grep run/libvirt/network
/var/run/libvirt/network
shell:/mnt/redhat/brewroot/packages/libvirt/0.6.3/1.el5 -> 

Daniel

Comment 8 Alexander Todorov 2009-05-08 12:51:03 UTC
Hi,
with selinux-policy-2.4.6-229.el5

# rpm -qf /var/run/libvirt/network/
libvirt-0.6.3-2.el5

I still see this issue:

avc:  denied  { search } for  pid=20643 comm="dnsmasq" name="libvirt" dev=dm-0 ino=21856268 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1241787018.083:43): arch=40000003 syscall=5 success=no exit=-13 a0=94438a8 a1=8241 a2=1b6 a3=9448878 items=0 ppid=20642 pid=20643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)


I'm running virt-manager in GUI mode.

Comment 9 Daniel Walsh 2009-05-08 13:20:56 UTC
Fixed in selinux-policy-2.4.6-232.el5

Comment 14 errata-xmlrpc 2009-09-02 07:58:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html