Bug 857453

Summary: SELinux policy doesn't allow qemu to connect/write to correctly labelled console socket
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, dyasny, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 853393 Environment:
Last Closed: 2012-09-18 09:35:44 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 853393, 888502    
Bug Blocks:    

Description Richard W.M. Jones 2012-09-14 09:29:34 EDT
+++ This bug was initially created as a clone of Bug #853393 +++

Description of problem:

In libguestfs with the libvirt backend we create sockets
to talk to the daemon and console like this:

    <serial type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/console.sock"/>
      <target port="0"/>
    </serial>
    <channel type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/guestfsd.sock"/>
      <target type="virtio" name="org.libguestfs.channel.0"/>
    </channel>

where "/tmp/libguestfs3vK8dN" is a temporary directory created
by libguestfs.

Note that these socket files are created by libguestfs.  Qemu has
to connect to them.

I have submitted a patch to libvirt so that it now correctly labels
console.sock (for some reason that I don't understand none of this
discussion seems to apply to guestfsd.sock, but everything still
works, go figure).

However SELinux policy does not allow qemu to write to console.sock
even when it is correctly labelled.

type=AVC msg=audit(1347628113.231:1514): avc:  denied  { write } for  pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file

type=AVC msg=audit(1347628390.930:1544): avc:  denied  { connectto } for  pid=5138 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

require {
	type svirt_image_t;
	type svirt_t;
	class sock_file write;
}

#============= svirt_t ==============
allow svirt_t svirt_image_t:sock_file write;

and:

require {
	type unconfined_t;
	type svirt_t;
	class unix_stream_socket connectto;
}

#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;

Adding these two rules makes everything work OK for me.
Comment 1 Daniel Walsh 2012-09-18 09:35:44 EDT
Fixed in selinux-policy-3.11.1-23.fc18.noarch
Comment 2 Richard W.M. Jones 2012-09-25 08:44:31 EDT
I installed the -24 policy and it does appear to be fixed.