Bug 500218

Summary: (staff_u) SELinux ... lots of AVC denials
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: berrange, clalance, crobinso, dwalsh, itamar, veillard, virt-maint
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-12 03:07:21 EDT
Attachments: /var/log/audit/audit.log (flags: none)

Description Matěj Cepl 2009-05-11 13:42:19 EDT
Description of problem:
Sorry, this is probably not the best bug report, but while running a couple of virtual guests (in Permissive mode), I have collected a lot of AVC denials. This is what audit2allow thinks about the attached audit.log file:

[matej@hubmaier ~]$ egrep 'denied.*(virt|kvm)' audit.log |audit2allow
#============= nsplugin_t ==============
allow nsplugin_t virt_etc_rw_t:file read;

#============= staff_t ==============
allow staff_t logrotate_var_lib_t:file { read open };
allow staff_t virt_etc_rw_t:file { read open };
allow staff_t virt_image_t:file { read open };

#============= virtd_t ==============
allow virtd_t admin_home_t:dir { write remove_name add_name setattr };
allow virtd_t admin_home_t:file { read write open lock };
allow virtd_t admin_home_t:lnk_file { read rename create unlink };
allow virtd_t nsplugin_t:process signull;
allow virtd_t pulseaudio_port_t:tcp_socket name_connect;
allow virtd_t pulseaudio_t:process signull;
allow virtd_t self:unix_dgram_socket sendto;
allow virtd_t staff_t:process signull;
allow virtd_t tmp_t:dir { write create add_name };
allow virtd_t tmpfs_t:dir { read write open add_name remove_name };
allow virtd_t tmpfs_t:file { write getattr read create unlink open };
allow virtd_t tmpfs_t:filesystem getattr;
allow virtd_t user_home_t:dir { write add_name };
allow virtd_t user_home_t:file { write read create };
allow virtd_t user_tmpfs_t:file { read getattr unlink open };
[matej@hubmaier ~]$ 

Version-Release number of selected component (if applicable):
(approximately, they were collected for some time)
libvirt-0.6.2-6.fc11.x86_64
selinux-policy-targeted-3.6.12-28.fc11.noarch
Comment 1 Matěj Cepl 2009-05-11 13:45:41 EDT
Created attachment 343485 [details]
/var/log/audit/audit.log
Comment 2 Daniel Walsh 2009-05-11 14:18:07 EDT
Please update to the correct policy -34.

Also, why is qemu not being run in a separate context?  qemu_t should not be running under virtd_t, that is the context of the virt daemon.  Did you tell libvirt to not use SELinux?  Are the files in /usr/bin/qemu* labeled correctly?
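As an added illustration (not from the bug report or from the audit2allow tool), this Python script shows what the audit2allow output in the description is built from: it parses raw kernel AVC records, collapses them into allow rules keyed on source type, target type and object class, and lists qemu processes whose denials carry the virtd_t source type, which is the symptom Comment 2 asks about. The audit records are constructed samples, since the attached log is not reproduced on this page.

```python
import re
from collections import defaultdict
# Constructed sample records in raw audit.log format (the bug's attachment is not on this page).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242063000.123:4501): avc:  denied  { read } for  pid=2211 comm="qemu-kvm" name="f11.img" dev=dm-0 ino=12345 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1242063000.456:4502): avc:  denied  { open } for  pid=2211 comm="qemu-kvm" name="f11.img" dev=dm-0 ino=12345 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1242063010.789:4503): avc:  denied  { read open } for  pid=3050 comm="virt-manager" name="f11.img" dev=dm-0 ino=12345 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1242063020.000:4504): avc:  denied  { name_connect } for  pid=2211 comm="qemu-kvm" dest=4713 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:pulseaudio_port_t:s0 tclass=tcp_socket
type=USER_AVC msg=audit(1242063030.000:4505): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)'
"""
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens, quoted or bare

def parse_avc(line):
    """Return the fields of one kernel 'denied' AVC record, or None for anything else."""
    m = PERMS_RE.search(line) if line.startswith("type=AVC ") else None
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    try:
        return {
            "perms": m.group(1).split(),
            "pid": fields.get("pid", "?"),
            "comm": fields.get("comm", "").strip('"'),
            # the type is the third component of user:role:type:level
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None

def allow_rules(log_text):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

def guests_running_as_virtd(log_text):
    """(pid, comm) of qemu processes denied in virtd_t, i.e. guests not in their own confined domain (Comment 2)."""
    hits = {(r["pid"], r["comm"]) for r in map(parse_avc, log_text.splitlines())
            if r and r["stype"] == "virtd_t" and r["comm"].startswith("qemu")}
    return sorted(hits)
```

Running it over a real /var/log/audit/audit.log (the file the bug attaches) would give the same kind of rule list as the description; a non-empty result from guests_running_as_virtd is the sign to check qemu.conf's security_driver and the qemu binary labels, as the later comments do.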
Comment 3 Matěj Cepl 2009-05-11 19:17:26 EDT
(In reply to comment #2)
> Please update to the correct policy -34.
> 
> Also why is qemu not being run in a separate context?  qemu_t should not be
> running under virtd_t, that is the context of the virt daemon.
> Are the files in /usr/bin/qemu* labeled correctly?  

Couple of observations from around my system:

[root@viklef ~]# ls -Z /usr/bin/qemu*
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-img
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-kvm
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-nbd
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/bin/qemu-system-x86_64

This is OK, right?

[root@viklef ~]# rpm -q selinux-policy-targeted
package selinux-policy-targeted is not installed
[root@viklef ~]# 

I have no clue how I managed to do that (I am quite sure that I have never removed it intentionally). Actually

[root@viklef ~]# rpm -qa \*selinux\*
libselinux-python-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-28.fc11.noarch
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.i586
libselinux-utils-2.0.80-1.fc11.x86_64
libselinux-2.0.80-1.fc11.x86_64

It seems like something is missing. And yet:

[root@viklef ~]# package-cleanup --problems
Setting up yum
Loaded plugins: dellsysidplugin2, fastestmirror, presto, remove-with-leaves
Loading mirror speeds from cached hostfile
Excluding Packages in global exclude list
Finished
Excluding Packages in global exclude list
Finished
Reading local RPM database
Processing all local requires
No problems found

Strange. Moreover, I have again got a duplicate policy.* file:

[root@viklef ~]# ls /etc/selinux/targeted/policy/
policy.23  policy.24

Will install missing selinux-policy-targeted package and let you know.

Also:

> Did you tell libvirt to not use SELinux?

Well, I hope I have only whatever was default with Rawhide:

[root@viklef libvirt]# grep -v ^# /etc/libvirt/qemu.conf |grep -v '^\s*$'
security_driver = "none"
[root@viklef libvirt]#
Comment 4 Matěj Cepl 2009-05-11 19:18:15 EDT
Concerning the release of my policy ... -28 is the latest I get from Rawhide yum upgrades. Isn't there something wrong with releng?
Comment 5 Daniel Walsh 2009-05-11 20:46:41 EDT
34 was just released so it should be in rawhide shortly.  /etc/libvirt/qemu.conf should have security_driver="selinux"

I have no idea what happened to selinux-policy-targeted, unless some rawhide update got screwed up.

You can grab -34 from koji.
Comment 6 Matěj Cepl 2009-05-12 03:07:21 EDT
OK, so let's call this bug PEBKAC and I will file specific bugs for whatever comes.