Bug 704274

Summary: Virtual machine environments transition to qemu_t
Product: Red Hat Enterprise Linux 6 Reporter: Ramon de Carvalho Valle <rcvalle>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.3CC: dwalsh, iboverma, jwest, mgrepl, sforsber
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-20 09:19:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ramon de Carvalho Valle 2011-05-12 16:26:07 UTC 
Description of problem:
I've just noticed that there is no rule explicitly defined for virtd_t transition to svirt_t-there is one for virt_domain-, only for qemu_t. Note that the libvirt daemon executes with virtd_t type, and the qemu-kvm has qemu_exec_t type, which has an automatic transition rule to qemu_t defined.

[root/sysadm_r/SystemLow@ntc242 ~]# sesearch -s virtd_t -c process -p transition --allow
Found 13 semantic av rules:
   allow virtd_t iptables_t : process transition ;
   allow virtd_t ifconfig_t : process transition ;
   allow virtd_t initrc_t : process { transition sigchld } ;
   allow virtd_t lvm_t : process transition ;
   allow virtd_t qemu_t : process { transition sigkill signal setsched } ;
   allow virtd_t dnsmasq_t : process { transition sigkill signull signal } ;
   allow virtd_t virt_domain : process { transition sigkill signull signal getsched setsched getattr } ;
   allow domain lspp_harness_t : process transition ;
   allow virtd_t brctl_t : process transition ;
   allow virtd_t udev_t : process transition ;
   allow virtd_t dmidecode_t : process transition ;
   allow virtd_t policykit_resolve_t : process transition ;
   allow virtd_t policykit_auth_t : process transition ;

[root/sysadm_r/SystemLow@ntc242 ~]#

Currently, no matter which role or type starts a virtual machine environment, the new process transition to qemu_t.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 3 Miroslav Grepl 2011-05-16 14:19:15 UTC 
This is a problem with dynamic labeling. You should use static labels on MLS.
Comment 4 Ramon de Carvalho Valle 2011-05-16 14:30:27 UTC 
This also happens in Targeted policy.
Comment 6 Miroslav Grepl 2011-05-17 10:50:34 UTC 
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# rpm -qa \*selinux-policy\*
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
selinux-policy-doc-3.7.19-79.el6.noarch


# ps -eZ |grep libvirt
system_u:system_r:virtd_t:s0-s0:c0.c1023 1831 ? 00:00:00 libvirtd

# ls -Z /var/lib/libvirt/images/Fedora14.img 
-rw-------. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/Fedora14.img

# virsh start Fedora15
# ps -eZ |grep svirt
system_u:system_r:svirt_t:s0:c523,c614 3070 ?  00:00:14 qemu-kvm

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614 /var/lib/libvirt/images/Fedora14.img


# virsh list
 Id Name                 State
----------------------------------
  3 Fedora15             running

# cat /etc/selinux/targeted/contexts/virtual_domain_context 
system_u:system_r:svirt_t:s0
Comment 7 Miroslav Grepl 2011-05-17 12:17:53 UTC 
MLS with static labeling:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls

# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023

# ps -eZ |grep virt
system_u:system_r:virtd_t:s0-s15:c0.c1023 1788 ? 00:00:00 libvirtd

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614 /var/lib/libvirt/images/Fedora14.img

# grep -C 1 seclabel /etc/libvirt/qemu/Fedora15.xml 
  </devices>
  <seclabel type='static' model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c523,c614</label>
  </seclabel>
</domain>

# ps -eZ |grep qemu
system_u:system_r:svirt_t:s0:c523,c614 2649 ?  00:08:08 qemu-kvm
Comment 8 Ramon de Carvalho Valle 2011-05-17 12:40:33 UTC 
Please, see the question marks.

[root/sysadm_r/SystemLow@ntc242 ~]# id -Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow@ntc242 ~]# rpm -qa \*selinux-policy\* (?)
bash: /bin/rpm: Permission denied
[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 0 
[root/sysadm_r/SystemLow@ntc242 ~]# rpm -qa \*selinux-policy\*
selinux-policy-targeted-3.7.19-92.el6.noarch
selinux-policy-3.7.19-92.el6.noarch
selinux-policy-mls-3.7.19-92.el6.noarch
[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 1
[root/sysadm_r/SystemLow@ntc242 ~]# ps -C libvirtd -o label=system_u:system_r:virtd_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow@ntc242 ~]# stat -c %C /var/lib/libvirt/images/KVM-Guest-1.img 
system_u:object_r:virt_image_t:SystemLow
[root/sysadm_r/SystemLow@ntc242 ~]# virsh start KVM-Guest-1
error: Failed to start domain KVM-Guest-1
error: unable to set security context 'system_u:object_r:virt_image_t:s0:c83,c228' on '/var/lib/libvirt/images/KVM-Guest-1.img': Operation not permitted

[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 0
[root/sysadm_r/SystemLow@ntc242 ~]# virsh start KVM-Guest-1
Domain KVM-Guest-1 started

[root/sysadm_r/SystemLow@ntc242 ~]# ps -C qemu-kvm -o label=
system_u:system_r:qemu_t:s0:c650,c1000 (?)
[root/sysadm_r/SystemLow@ntc242 ~]# 

[...]

[root/secadm_r/SystemLow@ntc242 kvm]# grep denied /var/log/audit/audit.log 

[...]

type=AVC msg=audit(1305614959.613:8407): avc:  denied  { relabelfrom } for  pid=13586 comm="libvirtd" name="KVM-Guest-1.img" dev=dm-0 ino=136407 scontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1305614959.613:8407): security_validate_transition:  denied for oldcontext=system_u:object_r:default_t:s0 newcontext=system_u:object_r:virt_image_t:s0:c650,c1000 taskcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=file
type=AVC msg=audit(1305614959.736:8411): avc:  denied  { write } for  pid=13711 comm="qemu-kvm" path="/dev/vhost-net" dev=devtmpfs ino=10791 scontext=system_u:system_r:qemu_t:s0:c650,c1000 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file
[root/secadm_r/SystemLow@ntc242 kvm]#
Comment 9 Miroslav Grepl 2011-05-19 16:20:40 UTC 
You still use dynamic labeling on MLS. 

Could you try to setup label on your image using "chcon". For example the label which I have on my image

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614
/var/lib/libvirt/images/Fedora14.img

and add to xml this section

# grep -C 1 seclabel /etc/libvirt/qemu/Fedora15.xml 
  </devices>
  <seclabel type='static' model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c523,c614</label>
  </seclabel>
</domain>
Comment 10 Ramon de Carvalho Valle 2011-05-19 16:35:45 UTC 
Yes. It will work because with static labelling you are explicitly setting the domain to svirt_t in the XML file. However, by default, it is transitioning to qemu_t, it is no due to the fact that I am using dynamic labelling, it is a MLS policy problem.
Comment 11 Miroslav Grepl 2011-07-20 09:19:42 UTC 
I am closin this bug per mailing list communication.