Bug 692145

Summary: permissive MLS: AVC appears when starting libvirtd service
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Reporter: Milos Malik <mmalik>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dwalsh
Doc Type: Bug Fix
Last Closed: 2011-03-31 19:49:31 UTC

Description Milos Malik 2011-03-30 14:32:09 UTC
Description of problem:
found by accident

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-80.el6.noarch
selinux-policy-doc-3.7.19-80.el6.noarch
selinux-policy-3.7.19-80.el6.noarch
selinux-policy-targeted-3.7.19-80.el6.noarch
selinux-policy-minimum-3.7.19-80.el6.noarch

How reproducible:
always

Steps to Reproduce:
(the kernel booted up with enforcing=0, root is logged in via console)
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# runlevel 
S 3
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
# run_init service libvirtd status
Authenticating root.
Password: 
libvirtd is stopped
# run_init service libvirtd start
Authenticating root.
Password: 
Starting libvirtd daemon: [  OK  ]
Bridge firewalling registered
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk>
device virbr0-nic entered promiscuous mode
virbr0: starting userspace STP failed, starting kernel STP
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Ebtables v2.0 registered
ip6_tables: (C) 2000-2006 Netfilter Core Team
lo: Disabled Privacy Extensions
# 

Actual results:
----
time->Wed Mar 30 10:08:23 2011
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-30 14:49:11 UTC
When I repeat the same procedure in enforcing mode I see no AVCs.

Comment 2 Daniel Walsh 2011-03-30 19:36:23 UTC
This looks like virtd is leaking an open file descriptor to a fifo_file.  Probably stdin/stdout/stderr.

Comment 3 Daniel Walsh 2011-03-31 19:49:31 UTC
I think we only care about enforcing mode.
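
The AVC record from the description, and the leaked-descriptor reading of it in comment 2, as an added example that is not part of the bug report or of selinux-policy: a small parser that pulls the source and target domains out of an AVC line, flags the signature of a file descriptor inherited across a domain transition (a pipe or socket object whose label is another process domain rather than an object_r file label), and prints the allow rule audit2allow would suggest, so the reader can decide whether the denial needs a policy rule, a dontaudit, or a fix in the program that leaked the descriptor. The second record and the fd-leak heuristic are my own constructions and assumptions, not anything the report states.

```python
import re

# Audit record copied verbatim from the bug report above (the only AVC it shows).
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 '
    'comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 '
    'scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 '
    'tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file'
)

# Constructed record (NOT from the report): an ordinary file access by the same
# domain. The target carries an object_r file label, so it is not a leaked fd.
AVC_CONSTRUCTED_FILE = (
    'type=AVC msg=audit(1301494200.000:90): avc:  denied  { read } for  pid=2050 '
    'comm="modprobe" path="/etc/modprobe.d/example.conf" dev=dm-0 ino=1234 '
    'scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; quoted values (comm, path) may contain spaces and colons.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes through which an inherited descriptor usually surfaces.
FD_LIKE_CLASSES = {"fifo_file", "sock_file", "fd"}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:range; the MLS range itself contains ':'
    # (s0-s15:c0.c1023), so split at most three times.
    for ctx in ("scontext", "tcontext"):
        user, role, typ, rng = rec[ctx].split(":", 3)
        rec[ctx + "_role"] = role
        rec[ctx + "_type"] = typ
        rec[ctx + "_range"] = rng
    return rec


def looks_like_fd_leak(rec):
    """Heuristic (an assumption of this example, not a policy rule) for the
    pattern comment 2 describes: anonymous pipes and sockets are labelled with
    the context of the process that created them, so a denial whose target is a
    pipe:[...] or socket:[...] object carrying a *process* label (role other
    than object_r) of a different domain means the caller inherited a
    descriptor across a domain transition instead of receiving a fresh one."""
    anonymous = rec.get("path", "").startswith(("pipe:[", "socket:["))
    process_labelled = rec["tcontext_role"] != "object_r"
    crosses_domain = rec["scontext_type"] != rec["tcontext_type"]
    return (rec["tclass"] in FD_LIKE_CLASSES and anonymous
            and process_labelled and crosses_domain)


def allow_rule(rec):
    """Render the allow rule audit2allow would emit for this record."""
    perms = rec["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm_txt)


def triage(text):
    """Return (record, fd_leak_flag, suggested_rule) for each AVC in text."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec, looks_like_fd_leak(rec), allow_rule(rec)))
    return out


if __name__ == "__main__":
    for rec, leak, rule in triage(AVC_FROM_REPORT + "\n" + AVC_CONSTRUCTED_FILE):
        tag = "LEAKED FD?" if leak else "object access"
        print("%-13s %s  ->  %s" % (tag, rec["comm"], rule))
```

A flagged record is a reason to look at the parent (here the process in virtd_t that exec'd modprobe) for descriptors left open across exec, not a reason to add the suggested allow rule; the rule line is printed only so the two outcomes can be compared. Note also that a permissive kernel lets the leaked descriptor survive into the child and then logs every later access to it, which is why the same run in enforcing mode can stay silent.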