Description of problem:
When running a domain as non-root and adding a bridge via qemu monitor command, selinux prevents successful execution.

Version-Release number of selected component (if applicable):
Name    : qemu-common
Arch    : x86_64
Epoch   : 2
Version : 2.3.1
Release : 3.fc22

How reproducible:
Always

Steps to Reproduce:
1. start a domain, e.g. with ID 2
2. virsh -c qemu:///session qemu-monitor-command 2 --hmp 'netdev_add bridge,id=hostnet8'

Actual results:
Device 'bridge' could not be initialized

journal:
audit[24376]: <audit-1400> avc: denied { read } for pid=24376 comm="qemu-bridge-hel" name="urandom" dev="devtmpfs" ino=1033 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c4,c652 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0

Expected results:
Successful run. It works with setenforce 0
I don't see where in the qemu-bridge-helper code it's using /dev/urandom, but I imagine it should be safe to allow
Hi,

Could you attach the version of the selinux-policy package? On my system, I can see:

$ sesearch -A -s virt_bridgehelper_t -t urandom_device_t
Found 1 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ;

$ rpm -q selinux-policy
selinux-policy-3.13.1-128.16.fc22.noarch
My version is slightly older, but seems to have the same rule.

$ sesearch -A -s virt_bridgehelper_t -t urandom_device_t
Found 1 semantic av rules:
   allow domain urandom_device_t : chr_file { ioctl read getattr lock open } ;

$ rpm -q selinux-policy
selinux-policy-3.13.1-128.13.fc22.noarch

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
I got a step further by adding the following rules, but adding the bridge device still fails. Would that be a separate issue then? I wouldn't expect the selinux failures in any case.

module bridge_policy 1.0;

require {
	type urandom_device_t;
	type virt_bridgehelper_t;
	class chr_file { read getattr open };
}

#============= virt_bridgehelper_t ==============

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow virt_bridgehelper_t urandom_device_t:chr_file getattr;

#!!!! This avc is allowed in the current policy
allow virt_bridgehelper_t urandom_device_t:chr_file { read open };
If I look at the noaudit messages, I find more culprits. Among those is

time->Wed Sep 30 13:12:27 2015
type=AVC msg=audit(1443611547.332:1389): avc: denied { read write } for pid=17613 comm="qemu-bridge-hel" path="socket:[195274]" dev="sockfs" ino=195274 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c49,c562 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c49,c562 tclass=unix_stream_socket permissive=0

This combined ruleset lets everything work as expected (bridge added without complaint with setenforce 1):

module cockpit_test_bridge 1.0;

require {
	type urandom_device_t;
	type virt_bridgehelper_t;
	type svirt_t;
	class unix_stream_socket { read write };
	class chr_file { read getattr open };
}

#============= virt_bridgehelper_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow virt_bridgehelper_t svirt_t:unix_stream_socket { read write };

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow virt_bridgehelper_t urandom_device_t:chr_file { read getattr open };
So you also needed to add the

allow virt_bridgehelper_t svirt_t:unix_stream_socket { read write };

rule to make it work?
Yes, I needed all the rules I listed in the previous post. Feel free to test this with the steps I listed above!
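The workflow the two previous comments went through by hand (collect the AVC denials, including the dontaudit-hidden one, turn them into allow rules, wrap them in a module and load it) is what audit2allow automates. The script below is an added example, not part of the bug report or of the Fedora policy: it reimplements that step in portable sh/awk so the mapping from a denial line to a rule is visible, merges permissions for the same source/target/class (the way the getattr and read/open rules above were merged into one), and accepts both the journal form of the denial quoted in the report and the auditd form quoted later. The sample input is constructed from the two denials quoted in this thread plus one constructed line for the getattr/open permissions that audit2allow listed in the earlier module; the module name bridge_local and the function names are this example's own. Loading requires checkmodule, semodule_package and semodule (policycoreutils) and root, so it is guarded and only runs when the script is invoked with --load.

```shell
#!/bin/sh
# Added example (not from the bug report): turn AVC denial lines into a loadable
# SELinux policy module, roughly what "audit2allow -M" does.
#
# Constructed sample: the first two lines are the denials quoted in this thread
# (journal form and auditd form); the third is constructed to stand in for the
# getattr/open permissions audit2allow reported for the same object.
AVC_SAMPLE='audit[24376]: <audit-1400> avc: denied { read } for pid=24376 comm="qemu-bridge-hel" name="urandom" dev="devtmpfs" ino=1033 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c4,c652 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1443611547.332:1389): avc: denied { read write } for pid=17613 comm="qemu-bridge-hel" path="socket:[195274]" dev="sockfs" ino=195274 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c49,c562 tcontext=unconfined_u:unconfined_r:svirt_t:s0:c49,c562 tclass=unix_stream_socket permissive=0
audit[24376]: <audit-1400> avc: denied { getattr open } for pid=24376 comm="qemu-bridge-hel" name="urandom" dev="devtmpfs" ino=1033 scontext=unconfined_u:unconfined_r:virt_bridgehelper_t:s0:c4,c652 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0'

# avc_to_allow: stdin = AVC denial lines, stdout = one "allow" rule per
# (source type, target type, class), with permissions merged in first-seen order.
# Only the type field (third ":"-separated field) of each context is used.
avc_to_allow() {
    awk '
    /avc:.*denied/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = $i
            else if ($i ~ /^tcontext=/) tgt = $i
            else if ($i ~ /^tclass=/) cls = $i
        }
        sub(/^scontext=/, "", src); sub(/^tcontext=/, "", tgt); sub(/^tclass=/, "", cls)
        split(src, a, ":"); split(tgt, b, ":")
        key = a[3] " " b[3] ":" cls
        if (!(key in keys)) { keys[key] = 1; order[++k] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END { for (i = 1; i <= k; i++) printf "allow %s {%s };\n", order[i], plist[order[i]] }'
}

# rules_to_te MODULE_NAME: stdin = allow rules, stdout = a complete .te source
# with the require block (types and class permissions) derived from the rules.
rules_to_te() {
    awk -v name="$1" '
    /^allow / {
        src = $2; split($3, t, ":"); tgt = t[1]; cls = t[2]
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        if (!(src in types)) { types[src] = 1; torder[++nt] = src }
        if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
        if (!(cls in classes)) { classes[cls] = 1; corder[++nc] = cls }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((cls, p[j]) in cp)) { cp[cls, p[j]] = 1; cperms[cls] = cperms[cls] " " p[j] }
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "    type %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", corder[i], cperms[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# load_policy_module MODULE_NAME: stdin = .te source. Compiles and installs it
# with the standard policycoreutils chain; needs root. Skipped if the tools are
# missing so the script stays runnable on a non-SELinux box.
load_policy_module() {
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not installed; not loading $name" >&2
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/$name.te"
    checkmodule -M -m -o "$tmp/$name.mod" "$tmp/$name.te" &&
        semodule_package -o "$tmp/$name.pp" -m "$tmp/$name.mod" &&
        semodule -i "$tmp/$name.pp"
}

# Collect denials first. Note: the unix_stream_socket denial in this thread was
# covered by a dontaudit rule, so it only shows up after "semodule -DB"
# (rebuild without dontaudit rules); "semodule -B" restores the normal policy.
TE=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | rules_to_te bridge_local)
printf '%s\n' "$TE"
if [ "${1:-}" = "--load" ]; then
    printf '%s\n' "$TE" | load_policy_module bridge_local
fi
```

Run it with no arguments to see the generated module; with --load (as root, on an SELinux host) it installs it. Treat such a module as a stopgap and remove it with semodule -r once the distribution policy carries the fix: the generated rules grant the permissions to every process running as virt_bridgehelper_t, not just the helper spawned by the one qemu domain that triggered the denials.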
This makes Cockpit development harder than it should be. Developers end up disabling SELinux in order to run the Cockpit test suite, and then leave it off. Is there anything else required to get this fixed?
Added fixes to all Fedoras. Lukas, could you please make builds and updates. Thank you.
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.