Bug 838347

Summary: 3.1 vdsm-created /etc/sysconfig/network-scripts/ifcfg-* have bad selinux context
Product: Red Hat Enterprise Linux 6 Reporter: Dan Kenigsberg <danken>
Component: vdsmAssignee: Dan Kenigsberg <dkenigsb>
Status: CLOSED ERRATA QA Contact: Meni Yakove <myakove>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: abaron, aburden, bazulay, chetan, cpelland, dwalsh, iheim, ilvovsky, lpeer, mmalik, ykaul, zdover
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard: network
Fixed In Version: vdsm-4.9.6-32.0 Doc Type: Bug Fix
Doc Text:
Previously, VDSM created files under /etc/sysconfig/network-scripts via sudo when configuring host networking. The files were created in the context of system_u:object_r:net_conf_t:s0 instead of system_u:object_r:bin_t:s0. This caused it to be impossible to acquire ip addresses via dhclient because the context mandated by SELinux was not provided. VDSM has been patched and now provides the context mandated by SELinux when creating ifcfg files.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-04 19:02:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Kenigsberg 2012-07-08 16:17:40 UTC 
Description of problem:
vdsm (system_u:system_r:virtd_t:s0-s0:c0.c1023) creates files under /etc/sysconfig/network-scripts via sudo, to configure host networking. They are created system_u:object_r:net_conf_t:s0 instead of system_u:object_r:bin_t:s0.

vdsm also calls /sbin/ifup via sudo.

This leads to errors like

avc:  denied  { getattr } for  pid=3273 comm="dhclient-script" path="/etc/sysconfig/network-scripts/ifcfg-ovirtmgmt" dev=dm-0 ino=1044497 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:virt_var_lib_t:s0 tclass=file

I suspect this would lead to failures to acquire ip address via dhclient.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.noarch

How reproducible:
100%

Steps to Reproduce:
1. edit host networking via vdsm
  
Actual results:
# ls -lZ /etc/sysconfig/network-scripts/ifcfg-eth0 
-rw-rw-r--. vdsm root unconfined_u:object_r:virt_var_lib_t:s0 /etc/sysconfig/network-scripts/ifcfg-eth0


Expected results:
-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/sysconfig/network-scripts/ifcfg-lo
Comment 1 Daniel Walsh 2012-07-11 01:54:37 UTC 
How does this script create the files?  It looks like it creates them in /var/lib/libvirt and then mv's them into place.  It is probably best if the tool would just execute restorecon after it moves the files into place.

restorecon /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-ovirtmgmt
Comment 2 Dan Kenigsberg 2012-07-23 09:30:07 UTC 
Ok, we'll take it to vdsm. Thanks.

http://gerrit.ovirt.org/6489/
Comment 3 Dan Kenigsberg 2012-08-26 18:28:42 UTC 
Patch of comment #2 has been abandoned due to a complete overhaul of relevant function. The following patch is what I suggest instead:

http://gerrit.ovirt.org/7478
Comment 5 Meni Yakove 2012-09-05 13:36:11 UTC 
Verified on vdsm-4.9.6-32.0.el6_3.x86_64

-rw-rw-r--. root root system_u:object_r:net_conf_t:s0  ifcfg-eth0
Comment 8 errata-xmlrpc 2012-12-04 19:02:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1508.html