Bug 552763

Summary: SELinux default policy does not allow qemu-kvm (TLS) read access to /dev/random
Product: Red Hat Enterprise Linux 5
Reporter: Michael Kearey <mkearey>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: low
Version: 5.4
CC: mmalik, tao
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 505016
Last Closed: 2010-03-30 07:50:51 UTC

Description Michael Kearey 2010-01-06 03:48:40 UTC
Description of problem:

SELinux is generating AVC error messages when trying to create (final step, after clicking Finish) or start a virtual machine, when TLS is enabled in qemu.conf and a properly configured PKI infrastructure exists.
The AVCs point towards incorrect contexts on /dev/random, which TLS requires access to for entropy in the encryption mechanisms.

Version-Release number of selected component (if applicable):
Not applicable

How reproducible:
100%

Steps to Reproduce:
1. Install a RHEL5 update 4 machine (any method)
2. Ensure SELinux is enabled (enforcing) & contexts are set correctly
3. Install kvm/qemu-kvm/virt-manager packages
4. Configure qemu/libvirt per http://virt-manager.org/page/RemoteTLS & http://libvirt.org/remote.html
5. Create a VM using virt-manager.
  
Actual results:
The VM fails to start.
The VM log shows:

Fatal: no entropy gathering module detected 

An AVC message in audit.log:
type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Expected results:

The VM should start cleanly and access to /dev/random should be allowed for entropy to be gathered


Additional info:

We need to set up the SELinux policy to allow qemu access to both random and urandom when it is using TLS for VNC connections. The reason:

qemu-kvm uses gnutls, and gnutls depends on libgcrypt. libgcrypt defaults to rndlinux as the random module, i.e. as described in the documentation for gcrypt:

http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html

The way gcrypt works is that it tries rndlinux first. Essentially, by design, rndlinux needs both /dev/random and /dev/urandom available to work correctly: it guarantees that 16 bytes of entropy are gathered from urandom, with the rest gathered from random.

If rndlinux fails to access the rndlinux devices, it tries other devices, and if there are no other random device generators available it will fail with the error message:

Fatal: no entropy gathering module detected

The bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=505016 has in it a fix that could potentially be applied to RHEL 5 policy.
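As an added illustration (not part of the bug report or of selinux-policy), the script below parses the AVC record quoted above into its fields and merges such denials into the minimal `.te` module shape that `audit2allow -M` emits, so the mapping from `scontext`/`tcontext`/`tclass` to an `allow` rule is visible; the module name `qemu_random` is a placeholder.

```python
import re

# Constructed copy of the AVC record quoted in this bug report.
AVC_LINE = ('type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  pid=7693 '
            'comm="qemu-kvm" name="random" dev=tmpfs ino=7644 '
            'scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                    r'\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into its key=value fields plus source/target types."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; policy rules name only the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def policy_module(lines, name='qemu_random'):
    """Merge denied AVC records into a minimal .te module (audit2allow -M shape)."""
    merged = {}       # (stype, ttype, tclass) -> permissions to allow
    class_perms = {}  # tclass -> permissions referenced, for the require block
    for f in (parse_avc(ln) for ln in lines if 'avc:' in ln):
        if f['result'] != 'denied':
            continue
        merged.setdefault((f['stype'], f['ttype'], f['tclass']), set()).update(f['perms'])
        class_perms.setdefault(f['tclass'], set()).update(f['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    for t in sorted({k[0] for k in merged} | {k[1] for k in merged}):
        out.append('\ttype %s;' % t)
    for c in sorted(class_perms):
        out.append('\tclass %s { %s };' % (c, ' '.join(sorted(class_perms[c]))))
    out += ['}', '']
    for (s, t, c), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        out.append('allow %s %s:%s %s;' % (s, t, c, p if len(perms) == 1 else '{ %s }' % p))
    return '\n'.join(out)


if __name__ == '__main__':
    print(policy_module([AVC_LINE]))
```

A locally built module of this shape is only a stop-gap; the corrected selinux-policy package from the errata is the proper fix.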

Comment 1 Daniel Walsh 2010-01-06 14:06:52 UTC
Miroslav the qemu and svirt policy both need this access as defined in F12.

Comment 3 Miroslav Grepl 2010-01-28 16:13:29 UTC
Fixed in selinux-policy-2.4.6-271.el5

Comment 7 errata-xmlrpc 2010-03-30 07:50:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html