Bug 517617
| Summary: | libvirt/netcf loads modprobe.conf and others - AVC messages (preventing libvirtd (virtd_t) "getattr" modules_conf_t) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tim Waugh <twaugh> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | rawhide | CC: | berrange, clalance, crobinso, dwalsh, eparis, itamar, jkubin, laine, lutter, markmc, mgrepl, veillard, virt-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-09-16 17:45:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 498969 | ||
Description of problem:

```
node=worm.elk type=AVC msg=audit(1250325731.752:31303): avc: denied { getattr } for pid=1530 comm="libvirtd" path="/etc/modprobe.conf" dev=dm-1 ino=79504 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
node=worm.elk type=SYSCALL msg=audit(1250325731.752:31303): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7f642128c760 a2=7f642128c760 a3=2001 items=0 ppid=1 pid=1530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
```

Version-Release number of selected component (if applicable):
libvirt-0.7.0-4.fc12.x86_64
selinux-policy-targeted-3.6.26-11.fc12.noarch

How reproducible:
Not sure

Steps to Reproduce:
1. I just started virt-manager and completed the PolicyKit dialog

This seems to happen when connecting to libvirtd for the first time after it's been started.

I couldn't reproduce this at first because I had no modprobe.conf.

It turns out this is netcf loading these files using augeas, because netcf's bonding support may require it to add an 'alias bond0 bonding' entry in modprobe.conf or /etc/modprobe.d/netcf.conf.

The full list of files that netcf loads via augeas:

- /etc/sysconfig/network-scripts/ifcfg-*
- /etc/sysconfig/iptables
- /etc/modprobe.d/*
- /etc/modprobe.conf
- /etc/sysconfig/system-config-firewall
- /sys/class/net/*/address

It also may run /usr/sbin/lokkit.

dwalsh, eparis, mgrepl: can we get F-12/F-11 selinux-policy updated for this?

Ewww, I really don't much like the idea of libvirt modifying modprobe.conf config files. Is there really no way to set up bonding just using the ifcfg-XXXX scripts?

I'm also wondering why it needs to touch iptables files just in order to configure a network interface.

> Ewww, I really don't much like the idea of libvirt modifying modprobe.conf
> config files. Is there really no way to set up bonding just using the ifcfg-XXXX
> scripts

According to bz 202443, bonding setup should work without the alias in modprobe.conf, though when I tried that, it didn't work, and notting recommended using the alias. I'll look into it again.

> I'm also wondering why it needs to touch iptables files just in order to
> configure a network interface.

To very gingerly add the rule '-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT' into either /etc/sysconfig/iptables or s-c-firewall, depending on what seems to be used.

FYI, that iptables rule would only be required if net.bridge.bridge-nf-call-iptables=1. Latest recommendation from Herbert is to never set this to 1, because that is a potential security problem if certain other iptables features are used in connection with virtual machines. As of F12, Fedora is thus defaulting to 0 for this sysctl, and so the iptables rules shouldn't be necessary AFAICT.

(In reply to comment #4)
> > Ewww, I really don't much like the idea of libvirt modifying modprobe.conf
> > config files. Is there really no way to set up bonding just using the ifcfg-XXXX
> > scripts
>
> According to bz 202443, bonding setup should work without the alias in
> modprobe.conf, though when I tried that, it didn't work, and notting
> recommended using the alias. I'll look into it again.

Obviously, if you can't get it to work soon, we need to get the policy changed to allow libvirtd to modify modprobe.conf.

I posted patches to keep netcf from loading /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall when net.bridge.bridge-nf-call-iptables=0 (it still modifies iptables when that is 1, under the assumption that there was an important reason to pass bridge packets through iptables).

There does not seem to be a solution to the modprobe issue. network-functions needs the alias in the modprobe config to know that it has to load the bonding driver for bond0. We therefore need the policy changed so that netcf/libvirt can modify modprobe config.

dwalsh: just to be clear, we need the policy changed so that ncftool and libvirt can read/write the files /etc/modprobe.conf and /etc/modprobe.d/*

For /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall, we only need read/write access in exceptional situations (net.bridge.bridge-nf-call-iptables=1). Should that become a boolean?

Do you want me to file a separate BZ for that?

(In reply to comment #8)
> For /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall, we only
> need read/write access in exceptional situations
> (net.bridge.bridge-nf-call-iptables=1). Should that become a boolean?
>
> Do you want me to file a separate BZ for that?

Yeah, please file a separate bug for the iptables stuff.

Giving libvirt this access is fine. I just do not want to give any qemu these privs. My view of the world is the bad guy is the qemu process. libvirt is pretty much a very privileged process.

Handling the editing of /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall is going to be a pain in the butt. I wish these things were in their own directory.

See bug #523766 - I think we have everything covered now with selinux-policy-3.6.32-1.fc12.
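An added example, not code from the bug report or from libvirt, netcf or selinux-policy: it parses the two audit records quoted in the description, flags the virtd_t on modules_conf_t denial this bug is about, joins the AVC record to its SYSCALL record through the shared event id to tell whether the access was actually blocked, and builds the allow rule audit2allow would derive from that single denial. The audit lines are the ones from the report; the function names and the `enforced`/`exe` annotations are my own.

```python
import re

# The two audit records quoted in the bug description: the AVC denial and its SYSCALL record.
SAMPLE_AUDIT = """\
node=worm.elk type=AVC msg=audit(1250325731.752:31303): avc: denied { getattr } for pid=1530 comm="libvirtd" path="/etc/modprobe.conf" dev=dm-1 ino=79504 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
node=worm.elk type=SYSCALL msg=audit(1250325731.752:31303): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7f642128c760 a2=7f642128c760 a3=2001 items=0 ppid=1 pid=1530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
MSG_ID_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')    # event id shared by AVC and SYSCALL

def parse_record(line: str) -> dict:
    """Split one audit record into its key=value fields (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_ID_RE.search(line)
    if m:
        rec['event'] = m.group(1)
    m = AVC_RE.search(line)
    if m:
        rec['result'] = m.group(1)
        rec['perms'] = m.group(2).split()
        # Contexts are user:role:type[:range]; policy rules are written against the type.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def is_virtd_modules_conf_denial(rec: dict) -> bool:
    """The denial this bug is about: virtd_t (libvirtd) accessing a modules_conf_t file."""
    return (rec.get('result') == 'denied' and rec.get('stype') == 'virtd_t'
            and rec.get('ttype') == 'modules_conf_t' and rec.get('tclass') == 'file')

def allow_rule(rec: dict) -> str:
    """The rule audit2allow would derive from this one denial; review it before shipping it."""
    return 'allow %s %s:%s { %s };' % (rec['stype'], rec['ttype'], rec['tclass'], ' '.join(sorted(rec['perms'])))

def scan(text: str) -> list:
    """Return the matching denials, each joined to its SYSCALL record via the event id."""
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    syscalls = {r.get('event'): r for r in records if r.get('type') == 'SYSCALL'}
    hits = []
    for r in records:
        if r.get('type') == 'AVC' and is_virtd_modules_conf_denial(r):
            sc = syscalls.get(r.get('event'), {})
            # success=yes beside a denial: logged, not blocked (permissive mode/domain); success=no: enforced.
            r['enforced'] = sc.get('success') == 'no'
            r['exe'] = sc.get('exe', '')
            hits.append(r)
    return hits
```

Note that the record in the report only shows getattr, while the thread ends up asking for read/write access to /etc/modprobe.conf and /etc/modprobe.d/*; a rule derived from one denial is a starting point, not the full policy change.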