Bug 2362040 - SELinux prevents virtnetworkd from managing a network named "storage"
Summary: SELinux prevents virtnetworkd from managing a network named "storage"
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-04-24 11:44 UTC by Dustin C. Hatch
Modified: 2025-04-24 14:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
zpytela: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-1624 0 None None None 2025-04-24 14:00:46 UTC

Description Dustin C. Hatch 2025-04-24 11:44:36 UTC
Attempting to start a libvirt domain that has an `<interface type="network">` element that refers to a libvirt managed network named `storage` causes `virtnetworkd` to segfault:

free(): double free detected in tcache 2

Stack trace of thread 1801:
#0  0x00007fc0d5f5ce5c __pthread_kill_implementation (libc.so.6 + 0x72e5c)
#1  0x00007fc0d5f03abe raise (libc.so.6 + 0x19abe)
#2  0x00007fc0d5eeb6d0 abort (libc.so.6 + 0x16d0)
#3  0x00007fc0d5eec6f3 __libc_message_impl.cold (libc.so.6 + 0x26f3)
#4  0x00007fc0d5f66fb5 malloc_printerr (libc.so.6 + 0x7cfb5)
#5  0x00007fc0d5f67043 tcache_double_free_verify (libc.so.6 + 0x7d043)
#6  0x00007fc0d5f6c3ae free (libc.so.6 + 0x823ae)
#7  0x00007fc0d62ecc45 g_free (libglib-2.0.so.0 + 0x41c45)
#8  0x00007fc0d6546392 virNetworkPortDefFree (libvirt.so.0 + 0x146392)
#9  0x00007fc0d0584f3f networkPortCreateXML (libvirt_driver_network.so + 0xaf3f)
#10 0x00007fc0d66de579 virNetworkPortCreateXML (libvirt.so.0 + 0x2de579)
#11 0x000055d04c3a6a14 remoteDispatchNetworkPortCreateXMLHelper.lto_priv.0 (/usr/bin/virtnetworkd + 0x3ca14)
#12 0x00007fc0d658f96d virNetServerProgramDispatch (libvirt.so.0 + 0x18f96d)
#13 0x00007fc0d658fca1 virNetServerProcessMsg (libvirt.so.0 + 0x18fca1)
#14 0x00007fc0d658fdb6 virNetServerHandleJob (libvirt.so.0 + 0x18fdb6)
#15 0x00007fc0d64c3367 virThreadPoolWorker (libvirt.so.0 + 0xc3367)
#16 0x00007fc0d64c2510 virThreadHelper (libvirt.so.0 + 0xc2510)
#17 0x00007fc0d5f5af14 start_thread (libc.so.6 + 0x70f14)
#18 0x00007fc0d5fddaac __clone3 (libc.so.6 + 0xf3aac)

This is ultimately caused by an AVC denial that prevents `virtnetworkd` from creating a directory in `/run/libvirt/network`:

mkdir("/run/libvirt/network/storage", 0777) = -1 EACCES (Permission denied)

type=AVC msg=audit(1745458934.834:3890): avc:  denied  { create } for  pid=9430 comm="rpc-virtnetwork" name="storage" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:object_r:virtstoraged_var_run_t:s0 tclass=dir permissive=0

The problem here is that because the network is named `storage`, this file transition rule causes the directory `virtnetworkd` is trying to create to be labelled `virtstoraged_var_run_t`:

filetrans_pattern($1, virt_var_run_t, virtstoraged_var_run_t, dir, "storage")

Reproducible: Always

Steps to Reproduce:
1. Create a libvirt managed network named storage
2. Connect a network interface of a libvirt domain to the storage network
3. Try to start the domain
Actual Results:
`virtnetworkd` crashes and the domain does not start:

error: internal error: client socket is closed

Expected Results:
The SELinux policy should allow `virtnetworkd` to manage any network regardless of its name.

Additional Information:
Changing the context of `/run/libvirt/network` to `virtnetworkd_var_run_t` works around this problem temporarily:

sudo chcon -t virtnetworkd_var_run_t /run/libvirt/network/

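As an added example (not part of the bug report or of selinux-policy), a small Python check that parses the AVC line quoted above and explains the denial in terms of a named file transition. The transition table is an assumption containing only the rule quoted in the report; `AVC_LINE` is the constructed sample taken from it.

```python
import re

# Constructed sample: the AVC denial quoted in the bug report.
AVC_LINE = ('type=AVC msg=audit(1745458934.834:3890): avc:  denied  { create } for  '
            'pid=9430 comm="rpc-virtnetwork" name="storage" '
            'scontext=system_u:system_r:virtnetworkd_t:s0 '
            'tcontext=system_u:object_r:virtstoraged_var_run_t:s0 tclass=dir permissive=0')

# Assumed table of named file transitions under virt_var_run_t:
# directory name -> type the new directory receives. Only the rule
# quoted in the report is included; the real policy has more.
NAMED_TRANSITIONS = {"storage": "virtstoraged_var_run_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)"\s+name="(?P<name>[^"]*)"\s+'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)')


def parse_avc(line):
    """Extract permissions, object name, source domain, target type and class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["sdom"] = d.pop("sctx").split(":")[2]   # user:role:TYPE:level
    d["ttype"] = d.pop("tctx").split(":")[2]
    return d


def transition_for(network_name, transitions=NAMED_TRANSITIONS):
    """Type a directory named after the network would get, or None if no
    named transition applies (the parent's default labelling is used then)."""
    return transitions.get(network_name)


def diagnose(line, transitions=NAMED_TRANSITIONS):
    """Return an explanation when a 'create dir' denial matches a named
    transition that hands the new directory to another daemon's type."""
    avc = parse_avc(line)
    if avc is None or avc["tclass"] != "dir" or "create" not in avc["perms"]:
        return None
    clash = transition_for(avc["name"], transitions)
    if clash != avc["ttype"]:
        return None
    return (f'{avc["sdom"]} denied creating "{avc["name"]}": a named file '
            f'transition labels that name {clash}, which {avc["sdom"]} cannot create')
```

Running `diagnose` over an audit log flags the "storage" network name before the daemon crashes on the failed mkdir; any name not in the table returns `None`.
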
Comment 1 Zdenek Pytela 2025-04-24 13:58:07 UTC
There seems to be a clash with some older rule:

modules/contrib/dnsmasq.fc:/run/libvirt/network(/.*)?   gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

