Bug 977856

Summary: Current selinux policy prevents the new vdsm dhcp hook from running
Product: [Fedora] Fedora Reporter: Antoni Segura Puimedon <asegurap>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: amuller, asegurap, bazulay, danken, dominick.grift, dwalsh, lpeer, mgrepl, mmalik, myakove, wudxw
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-69.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 990509 (view as bug list) Environment:
Last Closed: 2013-08-04 22:58:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 618636, 918494, 990024, 990963    
Attachments:
Description Flags
audit.log when running in permissive mode.
none
audit.log of the denials in F19 none

Description Antoni Segura Puimedon 2013-06-25 13:19:38 UTC 
Created attachment 765079 [details]
audit.log when running in permissive mode.

Description of problem:
For configuring routes for multiple gateways, vdsm now has a dhcp hook placed in /etc/dhcp/dhclient.d/sourceRoute.sh that calls the vdsm scripts in /usr/share/vdsm to set ip routes and rules.

The current selinux policy selinux-policy-3.7.19-195.el6_4.10.noarch prevents the hook from running the python scripts in /usr/share/vdsm/sourceRoute.py.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible: 100%


Steps to Reproduce:
1. Build vdsm from http://gerrit.ovirt.org/#/c/15890/ or nightly once that patch is merged
2. execute
vdsClient 0 addNetwork bridge=foo nics=eth0 bootproto=dhcp

where eth0 is a nic connected to a network that serves dhcp information.

Actual results:
if you do "ip rule show", no rules are added for the new ip config.

Expected results:
there are two ip rules for the new network.

Additional info:
grep python /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

solves the issue, so it seems that just updating the policy to include this use case should solve the bug.
Comment 2 Antoni Segura Puimedon 2013-06-25 22:06:48 UTC 
The new behavior of the libvirt detection throws a few more avc denials on bootup. I'll try to make an attachment for them in the morning.
Comment 3 Antoni Segura Puimedon 2013-07-01 15:00:47 UTC 
Well, I'm a bit delayed with that attachment, but in the meantime, the proper explanation for the need in policy change is:

The vdsm service, vdsmd, executes in selinux context system_u:system_r:virtd_t
and its supervdsmd counterpart executes in the system_u:system_r:initrc_t context. This allows them to interact with libvirt, qemu, /etc files, sockets, network interface netlink changes, etc.

For the multiple gateways feature, ( https://bugzilla.redhat.com/show_bug.cgi?id=618636 ), we need to perform a reasonably sized subset of those restricted actions as part of the DHCP hook that sets up source routing rules and routes (as opposed to destination routing) when dhcp receives a lease for an interface that belongs to vdsm. However, the DHCP hook can and is run on network service start, that is much prior to libvirtd and vdsmd startup when booting up and, for this reason, it can't just call vdsmd, it must call the vdsm code to perform the actions it needs.

Thus, to solve the issue the selinux-policy must give access to python executing in the dhcp_t context to perform the actions that the normal vdsmd context (system_u:system_r:virtd_t) allows.
Comment 4 Daniel Walsh 2013-07-02 11:31:28 UTC 
supervdsmd  Should probably run as the same label vdsmd.  What is its path?

As far as dhcp_t having the all the rules as virtd_t, I would rather see the AVC's.  I doubt dhcp_t is going to be launching virtual machines as svirt_t.
Comment 5 Antoni Segura Puimedon 2013-07-25 14:26:00 UTC 
We reworked the approach of what we do not to require selinux policy changes. However, on F18 and F19 versions:
selinux-policy-3.11.1-98.fc18
selinux-policy-3.12.1-65.fc19

get avc denials. What we do is have dhcp_t create and write to files in /var/run/vdsm/sourceRoutes/

I attach the dhcp_t denials.
Comment 6 Antoni Segura Puimedon 2013-07-25 14:32:00 UTC 
Created attachment 778276 [details]
audit.log of the denials in F19

These are the denials in Fedoa 19 after running in permissive mode and then trying to make it run on enforcing mode.
Comment 7 Antoni Segura Puimedon 2013-07-25 14:39:30 UTC 
Tried a policy mad of attachment 778276 [details] with audit2allow and the functionality is restored for f19.
Comment 8 Daniel Walsh 2013-07-26 17:28:49 UTC 
c82f9befc26d03bc711d5d9606c7f990b1d57ca7 fixes this in git.
Comment 9 Mark Wu 2013-07-30 09:31:49 UTC 
*** Bug 990024 has been marked as a duplicate of this bug. ***
Comment 10 Fedora Update System 2013-08-02 13:27:37 UTC 
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Comment 11 Fedora Update System 2013-08-02 21:53:55 UTC 
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2013-08-04 22:58:22 UTC 
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.