Bug 517619

Summary: libvirtd should chown dirs when qemu configured to run as root/root
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: libvirtAssignee: Daniel Berrange <berrange>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: rawhideCC: berrange, clalance, crobinso, dwalsh, eparis, itamar, markmc, mgrepl, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-15 06:44:54 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 498968    
Description Flags
Fix chowning of directories none

Description Tim Waugh 2009-08-15 05:00:05 EDT
Description of problem:
While attempting to work around bug #517304, I had adjusted /etc/libvirt/qemu.conf so that qemu runs as root:root and restarted libvirtd.  When creating a new guest I got AVC messages and an error dialog:

Unable to complete install '<class 'libvirt.libvirtError'> internal error unable to start guest: bind(unix:/var/run/libvirt/qemu/F11.monitor): Permission denied
qemu: could not open monitor device 'unix:/var/run/libvirt/qemu/F11.monitor,server,nowait'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/create.py", line 1489, in do_install
    dom = guest.start_install(False, meter = meter)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 628, in start_install
    return self._do_install(consolecb, meter, removeOld, wait)
  File "/usr/lib/python2.6/site-packages/virtinst/Guest.py", line 726, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 1077, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirtError: internal error unable to start guest: bind(unix:/var/run/libvirt/qemu/F11.monitor): Permission denied
qemu: could not open monitor device 'unix:/var/run/libvirt/qemu/F11.monitor,server,nowait'


node=worm.elk type=AVC msg=audit(1250326486.552:31325): avc: denied { transition } for pid=3571 comm="libvirtd" path="/usr/bin/qemu-kvm" dev=dm-1 ino=105692 scontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c224,c1013 tclass=process

node=worm.elk type=SYSCALL msg=audit(1250326486.552:31325): arch=c000003e syscall=59 success=yes exit=0 a0=7fb08800b6c0 a1=7fb088007330 a2=7fb08800b560 a3=7fb09c815e30 items=0 ppid=3570 pid=3571 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c224,c1013 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Attempt to create guest while libvirt runs qemu as root:root.
Comment 1 Tim Waugh 2009-08-15 07:35:05 EDT
Actually even with the default qemu.conf I get these same AVC messages.  The boot screen appears but it fails to read the boot disk (a qemu:qemu owned file with virt_content_t label).
Comment 2 Mark McLoughlin 2009-08-19 05:52:49 EDT
Okay, here's what I can reproduce:

  1) change /etc/libvirt/qemu.conf to user=root/group=root and restart libvirtd

     now guests fail to start with the "could not open monitor device" error
     because the qemu process is failing to transition to svirt_t as the AVC

  2) change it back to user=qemu/group=qemu and restart libvirtd

     now guests appear to work fine, the process is running as qemu and 
     transitioning correctly, but the AVCs still appear when starting a guest

  4) leave it as user=qemu/group=qemu and reboot

     now everything is fine again with no AVCs
Comment 3 Daniel Berrange 2009-08-19 05:58:31 EDT
I think the confusion here is because it is not sufficient to merely change the user/group to root/root in the config file. The directory permissions will not allow QEMU to create its monitor socket, since even with the user set to root/root, the QEMU instance is still unprivileged, so can only access files which are explicitly owned by root. ie it lacks CAP_DAC_OVERRIDE.

So you'd also need to at least chown /var/run/libvirt/qemu  to root:root IIRC.

I cant explain the failure to transition SElinux domains though - that shouldn't be at all related to the QEMU process' UID/GID.

We certainly need to document this better - the config file is misleading in suggesting you can simply change the user/group and nothing else
Comment 4 Mark McLoughlin 2009-08-19 12:48:49 EDT
dwalsh: any idea what's causing the transition AVCs ?
Comment 5 Mark McLoughlin 2009-08-19 12:50:05 EDT
Confirm that chowning the dirs to root:root is enough to make things work (modulo these weird transition AVCs)

We're going to make libvirtd do this chowning automatically, see:

Comment 6 Daniel Walsh 2009-08-19 17:03:35 EDT
I recently changed all unconfined_domains to permissive domains to see what AVC's are around if you removed the unconfined policy package.

In Fedora 11 libvirt is running as an unconfined_domain.  If you look closely at the AVC, you will see success=yes, which means the kernel did not block anything.

Setroubleshoot should tell you this.

The AVC is because you have 



So the problem is a missing rule to allow libvirt to change the user of a process it is executing.  Theoretically libvirt should have only changed the type and MLS/MCS portion of the context,  But since it changed the user component I also need to allow this in policy.

Fixed in selinux-policy-3.6.28-2.fc12.noarch
Comment 7 Mark McLoughlin 2009-08-21 03:18:05 EDT
Thanks dwalsh

That just leaves the dir chowning issue
Comment 8 Mark McLoughlin 2009-08-21 03:19:14 EDT
Thanks dwalsh

That just leaves the dir chowning issue
Comment 9 Daniel Berrange 2009-08-25 12:59:00 EDT
Created attachment 358599 [details]
Fix chowning of directories

This patch addresses several problems

- If chown's the /var/{lib,cache}/libvirt/qemu directories to match the configured qemu user/group
- It sets /var/run/libvirt/qemu to always be root:root, since that contains security critical data that should not be writable by the guest
- It moves the monitor socket out of /var/run and into /var/lib due to previous point
- Fixes memory leak of monitor device data
- Removes the monitor device at shutdown
Comment 10 Daniel Berrange 2009-08-26 11:03:22 EDT
Split up and posted upstream

Comment 11 Daniel Berrange 2009-09-15 06:44:54 EDT
We now correctly chown directories and this is in rawhide