Bug 355661 - dnsmasq accesses /var/lib/libvirt
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
Reported: 2007-10-28 02:00 EDT by Ulrich Drepper
Modified: 2008-01-30 14:20 EST (History)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:20:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ulrich Drepper 2007-10-28 02:00:50 EDT
Description of problem:
The selinux policy does not allow access to /var/lib/libvirt which has the label
virt_var_lib_t.  I don't see a reason why this directory is accessed.  For this
reason I file the bug for dnsmasq and not selinux-policy.  Should there be a
real reason move the file to selinux-policy.

Version-Release number of selected component (if applicable):

How reproducible:
I cannot say...

Steps to Reproduce:
Actual results:
AVC below

Expected results:

Additional info:
    SELinux is preventing dnsmasq (dnsmasq_t) "write" to <Unknown>

Detailed Description
    SELinux denied access requested by dnsmasq. It is not expected that this
    access is required by dnsmasq and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:object_r:virt_var_lib_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-24.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     x61.akkadia.org
Platform                      Linux x61.akkadia.org #1 SMP Wed
                              Oct 17 18:14:46 EDT 2007 x86_64 x86_64
Alert Count                   10
First Seen                    Tue 16 Oct 2007 03:52:31 AM PDT
Last Seen                     Sat 20 Oct 2007 07:48:35 PM PDT
Local ID                      b3fa5b7c-8aaa-4177-b58e-0e06bf8bf2f4
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=dnsmasq dev=sda5 name=libvirt pid=2287
scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir
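The raw audit message above is the kind of record a defender has to triage before deciding whether a denial is a policy gap (as this one turned out to be) or something to investigate. The following is an added example, not part of the bug report or of any Fedora tooling: a small parser for "avc: denied { perms } for key=value ..." records in the format shown above, plus a triage step that compares each denial against an allowlist of (source type, target type, class, permission) tuples. The allowlist, the sample log lines other than the report's own message, and the names `parse_avc`, `triage` and `triage_log` are all constructed for this example. Note that the report's raw line carries no `tcontext=` field; the parser lets the caller supply the "Target Context" that setroubleshoot prints separately, and otherwise marks the denial as undecidable rather than guessing.

```python
"""Triage of SELinux AVC denial records (added example, not from the bug report).

Assumption: records look like the raw audit line in the report, i.e.
"avc: denied { perms } for key=value ...", optionally prefixed by
"type=AVC msg=audit(...):".  The allowlist and the extra sample lines are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Whitespace inside the braces and around "denied" varies between audit
# and syslog renderings, so the pattern is permissive about it.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be quoted (comm="dnsmasq") or bare (dev=sda5).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Return the type component of an SELinux context (user:role:type[:level])."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


@dataclass
class AvcDenial:
    perms: Tuple[str, ...]
    fields: Dict[str, str]

    @property
    def source_type(self) -> Optional[str]:
        return context_type(self.fields.get("scontext"))

    @property
    def target_type(self) -> Optional[str]:
        return context_type(self.fields.get("tcontext"))

    @property
    def tclass(self) -> Optional[str]:
        return self.fields.get("tclass")


def parse_avc(line: str, default_tcontext: Optional[str] = None) -> Optional[AvcDenial]:
    """Parse one AVC line; return None for lines that are not AVC denials.

    default_tcontext fills in a missing tcontext= field, e.g. with the
    "Target Context" that setroubleshoot reports separately from the raw line.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "tcontext" not in fields and default_tcontext:
        fields["tcontext"] = default_tcontext
    return AvcDenial(perms, fields)


# Allowlist of denials this host treats as expected (constructed for the
# example).  The entries cover the report's case: libvirt starts dnsmasq with
# its lease file under /var/lib/libvirt, which is labelled virt_var_lib_t.
EXPECTED = {
    ("dnsmasq_t", "virt_var_lib_t", "dir", "write"),
    ("dnsmasq_t", "virt_var_lib_t", "file", "write"),
    ("dnsmasq_t", "virt_var_lib_t", "file", "create"),
}


def triage(denial: AvcDenial, expected=EXPECTED) -> str:
    """'incomplete' if the target context is unknown, 'expected' if every
    requested permission is on the allowlist, otherwise 'review'."""
    if denial.target_type is None or denial.tclass is None:
        return "incomplete"
    ok = all((denial.source_type, denial.target_type, denial.tclass, p) in expected
             for p in denial.perms)
    return "expected" if ok else "review"


def triage_log(lines: List[str], default_tcontext: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (comm, verdict) for each AVC line, skipping non-AVC records."""
    out = []
    for line in lines:
        d = parse_avc(line, default_tcontext)
        if d is not None:
            out.append((d.fields.get("comm", "?"), triage(d)))
    return out


# Constructed sample log: line 1 is the report's raw message joined onto one
# line (it carries no tcontext=); lines 2 to 4 are made up for the example.
SAMPLE_LOG = [
    "avc: denied { write } for comm=dnsmasq dev=sda5 name=libvirt pid=2287 "
    "scontext=system_u:system_r:dnsmasq_t:s0 tclass=dir",
    'type=AVC msg=audit(1192553551.123:45): avc:  denied  { write } for  pid=2287 '
    'comm="dnsmasq" name="dhcp-default.leases" dev=sda5 ino=12345 '
    "scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file",
    'type=AVC msg=audit(1192553600.456:46): avc:  denied  { write } for  pid=2287 '
    'comm="dnsmasq" name="resolv.conf" dev=sda5 ino=777 '
    "scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file",
    "type=SYSCALL msg=audit(1192553551.123:45): arch=c000003e syscall=2 success=no",
]

if __name__ == "__main__":
    for comm, verdict in triage_log(SAMPLE_LOG):
        print(f"{comm}: {verdict}")
    # Supplying the report's Target Context makes the first line decidable.
    for comm, verdict in triage_log(SAMPLE_LOG, "system_u:object_r:virt_var_lib_t:s0"):
        print(f"{comm}: {verdict}")
```

Run stand-alone, the first pass reports the report's own line as `incomplete`, the constructed lease-file write as `expected` and the constructed write to a `net_conf_t` file as `review`; the second pass, with the Target Context supplied, turns the first verdict into `expected`. The point of the allowlist is that it records a decision (here: the libvirt-managed dnsmasq legitimately writes under /var/lib/libvirt, which is what the policy update in this bug encodes) instead of silently granting whatever the next denial asks for.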
Comment 1 Jima 2007-10-28 10:04:32 EDT
While I could be totally mistaken, I suspect libvirt is configuring your dnsmasq
instance to make use of that directory.  Nothing in dnsmasq source (or our CVS
for it) even refers to that directory, or libvirt at all.  However, libvirt
makes use of dnsmasq for DHCP services on an internal virtual network (from my
understanding).  I believe the bug should either be with libvirt or selinux-policy.

In summary, I have no way of knowing how "downstream" packages (like libvirt)
are going to configure dnsmasq, and shouldn't be responsible for giving them
access to things I have no business accessing. :-)
Comment 2 Ulrich Drepper 2007-10-28 12:30:43 EDT
You're right.  I didn't expect there to be anything like this since I didn't
configure or use libvirt at all on his machine.  Nevertheless, there it is, this
process is running:

/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces
--pid-file  --conf-file  --listen-address --except-interface lo
--dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range,

So, Dan, does the policy allow the lease file to be written?  The
/var/lib/libvirt directory seems to be correctly labelled:

# ll -Zd /var/lib/libvirt
drwxr-xr-x  root root system_u:object_r:virt_var_lib_t:s0 /var/lib/libvirt
Comment 3 Daniel Walsh 2007-10-29 23:40:50 EDT
This should be fixed in selinux-policy-3.0.8-38
Comment 4 Daniel Walsh 2008-01-30 14:20:56 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
