Bug 1011404 - Fail to connect the libvirtd server with the tls while enable the access_driver
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
Reported: 2013-09-24 08:21 UTC by zhenfeng wang
Modified: 2014-04-24 09:00 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-09-27 14:34:42 UTC



Description zhenfeng wang 2013-09-24 08:21:10 UTC
Description of problem:
Fails to connect to the libvirtd server with TLS while access_driver is enabled in libvirtd.conf

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-4.el7.x86_64
kernel-3.10.0-14.el7.x86_64
libvirt-1.1.1-6.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare the TLS environment
(see the attachment named tls_configuration.txt)

2. Connect to the libvirtd service with TLS while the access_driver is not enabled in libvirtd.conf

# virsh -c qemu+tls://zhwang7/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     rhel7                          shut off
 -     rhel73                         shut off
 -     rhel7qcow2                     shut off

3. Connect to the libvirtd service with TLS while the access_driver is enabled in libvirtd.conf
# cat /etc/libvirt/libvirtd.conf
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]

# virsh -c qemu+tls://zhwang7/system
error: failed to connect to the hypervisor
error: access denied

Check the log output in libvirtd.log:
2013-09-23 07:29:55.659+0000: 5752: error : virAccessDriverPolkitFormatProcess:97 : internal error: No UNIX process ID available
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5744: error : virNetSocketReadWire:1369 : Cannot recv data: Input/output error

Actual results:
Fails to connect to the libvirtd server with TLS

Expected results:
Should connect to libvirt with TLS successfully while the access_driver is enabled in libvirtd.conf

Additional info:

Comment 2 Jiri Denemark 2013-09-27 14:14:51 UTC
Hmm, looks like a result of fixing the pkcheck CVE. Daniel, how do we handle this with tls or tcp transports?

Comment 3 Daniel Berrangé 2013-09-27 14:20:27 UTC
The polkit access control driver will only work for UNIX domain sockets. If you wish to use TCP sockets, then you must disable the access control driver.
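The recommendation above boils down to a configuration invariant: a non-empty `access_drivers` list is only compatible with UNIX-socket clients, so it must not be combined with a TLS or TCP listener unless every remote client is expected to be refused. The following added check (my own illustration, not libvirt code) parses the simple `key = value` subset of libvirtd.conf and reports which remote transports the polkit driver would deny every client on. The three configurations are constructed for the example; the defaults it assumes for unset keys (`listen_tls = 1`, `listen_tcp = 0`, no access driver) are the ones documented in the libvirtd.conf that libvirt ships.

```python
import re

# Constructed excerpt mirroring the configuration from the bug report above:
# polkit access control enabled, nothing said about the TLS/TCP listeners.
CONFIG_FROM_BUG = """\
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]
"""

# Constructed variant 1: keep polkit, but serve UNIX sockets only.
CONFIG_UNIX_ONLY = """\
access_drivers = [ "polkit" ]
listen_tls = 0
listen_tcp = 0
"""

# Constructed variant 2 (what the comment above recommends for TLS/TCP users):
# no access driver at all, TLS listener stays on.
CONFIG_NO_ACL = """\
#access_drivers = [ "polkit" ]
listen_tls = 1
"""


def parse_libvirtd_conf(text):
    """Parse the key = value lines of libvirtd.conf into a dict.

    Lists such as [ "polkit" ] become lists of str, quoted scalars become
    str, bare numbers become int, anything else is kept as the raw string.
    Comment and blank lines are skipped, so a commented-out key is unset.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("["):
            settings[key] = re.findall(r'"([^"]*)"', value)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            settings[key] = value[1:-1]
        else:
            try:
                settings[key] = int(value)
            except ValueError:
                settings[key] = value
    return settings


def denied_transports(text):
    """Return the remote transports ("tls", "tcp") on which an enabled access
    driver would deny every client, i.e. the combination behind this bug.

    Assumed defaults for unset keys: listen_tls=1, listen_tcp=0, and no
    access_drivers (access control disabled).
    """
    cfg = parse_libvirtd_conf(text)
    drivers = cfg.get("access_drivers", [])
    if not drivers:
        return []
    denied = []
    if cfg.get("listen_tls", 1):
        denied.append("tls")
    if cfg.get("listen_tcp", 0):
        denied.append("tcp")
    return denied


if __name__ == "__main__":
    for label, text in (("bug report", CONFIG_FROM_BUG),
                        ("unix only", CONFIG_UNIX_ONLY),
                        ("no acl", CONFIG_NO_ACL)):
        print(f"{label:10s} -> denied on: {denied_transports(text) or 'none'}")
```

The check looks only at the configuration file; on the libvirt of this era the daemon additionally had to be started with `--listen` for any TLS/TCP listener to exist, so a finding means "remote clients will be denied if the daemon listens", not that it necessarily does.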

Comment 4 zhenfeng wang 2014-03-31 07:39:49 UTC
Hi DB
I just re-checked this bug and have a new doubt about it. As we know, the polkit access control driver was designed for non-privileged users, and it shouldn't affect the root user's functionality. So I think the root user should connect to libvirt with TLS successfully while we enable the access control driver, as described in comment 0. I saw your explanation in comment 3; I think this explanation should only apply to non-privileged users and shouldn't limit the root user. Maybe we need to re-open this bug. What's your opinion? Can you help me have a look? Thanks

Comment 5 Daniel Berrangé 2014-04-24 09:00:44 UTC
When a client connects over TCP sockets, there is no way of knowing that the user at the other end of the socket is "root". This is precisely why the access control mechanism only works for UNIX sockets.
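The statement above can be seen directly at the socket layer. On Linux a server can ask the kernel for the credentials of the process at the other end of a UNIX-domain socket (`SO_PEERCRED`), which is what a polkit check needs; for a TCP socket, TLS-wrapped or not, the kernel holds no peer process at all and reports a zero PID and `(uid_t)-1`. The script below is an added illustration (not libvirt code) that builds both kinds of connection within one process and shows that only the UNIX socket yields an identity; the empty answer for TCP is the same situation as the "No UNIX process ID available" error in the log above. It assumes Linux, since `SO_PEERCRED` and the `struct ucred` layout it decodes are Linux-specific.

```python
import os
import socket
import struct

# Linux struct ucred { pid_t pid; uid_t uid; gid_t gid; }: three 32-bit ints.
_UCRED = struct.Struct("iII")
_NO_ID = 0xFFFFFFFF  # the kernel reports (uid_t)-1 when it has no peer credential


def own_identity():
    """(pid, uid, gid) of this process, what a UNIX-socket peer should see."""
    return os.getpid(), os.getuid(), os.getgid()


def peer_process(sock):
    """Return (pid, uid, gid) of the connected peer, or None when the kernel
    has no process identity for it (the case an access driver cannot handle)."""
    if not hasattr(socket, "SO_PEERCRED"):
        raise OSError("SO_PEERCRED is Linux-only")  # assumption: run on Linux
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    pid, uid, gid = _UCRED.unpack(raw)
    if pid == 0 or uid == _NO_ID:
        return None
    return pid, uid, gid


def unix_socket_peer():
    """Server side of a UNIX stream connection: peer credentials are available."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_process(server)
    finally:
        server.close()
        client.close()


def tcp_socket_peer():
    """Server side of a loopback TCP connection: no peer credentials, even
    though the client is this very same (possibly root) process."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    try:
        return peer_process(server)
    finally:
        server.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print("UNIX socket peer:", unix_socket_peer())  # (pid, uid, gid) of this process
    print("TCP socket peer: ", tcp_socket_peer())   # None: nothing to authorize against
```

Whatever the TLS layer authenticates is a certificate, not a local process, so a driver that needs a PID and UID has nothing to work with; that is why the closing comment treats the report as not a bug rather than something to fix on the TLS path.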

