Description of problem:
When configuring a virtual network for NAT based connectivity, libvirt uses lokkit to add iptables rules to allow traffic between a guest & the LAN. SELinux policy is blocking this:

type=AVC msg=audit(1205762763.055:185): avc: denied { read } for pid=4002 comm="lokkit" name="fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.055:186): avc: denied { getattr } for pid=4002 comm="lokkit" path="/usr/share/system-config-firewall/fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc: denied { execute } for pid=4002 comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc: denied { read } for pid=4011 comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc: denied { execute_no_trans } for pid=4011 comm="lokkit" path="/bin/bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

audit2allow suggests:

require {
	type virtd_t;
}

#============= virtd_t ==============
corecmd_exec_shell(virtd_t)
files_read_usr_files(virtd_t)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-16.fc9.noarch
libvirt-0.4.1-4.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/libvirtd stop
2. /etc/init.d/libvirtd start
3.
Actual results:
# /etc/init.d/libvirtd start
Starting libvirtd daemon: Traceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit --custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/INPUT.chain' : Invalid argument
Traceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit --custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/FORWARD.chain' : Invalid argument
Traceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit --custom-rules=ipv4:nat:/va[ OK ]bvirt/iptables/nat/POSTROUTING.chain' : Invalid argument

Expected results:
Starts without error

Additional info:
Seems like it is going to need more than this if it is actually going to modify iptables?
Rules added in selinux-policy-3.3.21.fc9
Well, those are the only AVC messages I got when i switched to 'permissive' mode. I'll test the new policy & report back if further rules are needed.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
I'm using F9 with all errata applied (i.e. selinux-policy-3.3.1-55.fc9.noarch) and I'm still having this problem.

host=mentorng.gurulabs.com type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
host=mentorng.gurulabs.com type=SYSCALL msg=audit(1213079217.414:67): arch=c000003e syscall=2 success=no exit=-13 a0=1bb3300 a1=241 a2=1b6 a3=7fef3cee86f0 items=0 ppid=2689 pid=12992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lokkit" exe="/usr/bin/python" subj=system_u:system_r:virtd_t:s0 key=(null)

After running in permissive mode, audit2allow suggests:

#============= virtd_t ==============
allow virtd_t admin_home_t:dir read;
allow virtd_t etc_t:file { write setattr };
allow virtd_t modules_dep_t:file getattr;
allow virtd_t modules_object_t:dir read;
allow virtd_t modules_object_t:lnk_file read;
allow virtd_t src_t:dir read;

# ls -alZ /etc/sysconfig/iptables
-rw------- root root system_u:object_r:etc_t:s0 /etc/sysconfig/iptables
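The denials quoted in the first comment and in the comment above are the raw material for any policy change, and the useful question before adding rules is how broad the access being asked for really is. The following script is an added example (not part of this bug report, nor code from libvirt or selinux-policy): it parses AVC records into the `allow src tgt:class perms;` form audit2allow emits, merging permissions per (source type, target type, class), and flags the combinations that matter here: `execute_no_trans` on `shell_exec_t` (the daemon gets to run a shell in its own domain) and `write` on `etc_t` (the generic label shared by most of /etc, not just /etc/sysconfig/iptables). The sample log is constructed from the records shown in this report; the `RISKY` table is this example's own judgement, not something from the policy.

```python
"""Parse SELinux AVC denials into audit2allow-style rules and flag the broad ones.

Added example for this bug report; not libvirt or selinux-policy code.
"""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this report (host= prefixes dropped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1205762763.055:185): avc: denied { read } for pid=4002 comm="lokkit" name="fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.055:186): avc: denied { getattr } for pid=4002 comm="lokkit" path="/usr/share/system-config-firewall/fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc: denied { execute } for pid=4002 comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc: denied { execute_no_trans } for pid=4011 comm="lokkit" path="/bin/bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1213079217.414:67): arch=c000003e syscall=2 success=no exit=-13 comm="lokkit" exe="/usr/bin/python" subj=system_u:system_r:virtd_t:s0 key=(null)
type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Only type=AVC records carry scontext/tcontext/tclass; SYSCALL records are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

# (target type, permission) pairs this example treats as "broader than one file".
RISKY = {
    ("shell_exec_t", "execute_no_trans"): "runs /bin/bash inside the daemon's own domain",
    ("etc_t", "write"): "may write any file carrying the generic etc_t label, not just one config file",
}


def context_type(ctx):
    """'user:role:type:mls' -> 'type' (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return [(source_type, target_type, tclass, set_of_perms), ...] per AVC line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        found.append((context_type(m.group("scontext")),
                      context_type(m.group("tcontext")),
                      m.group("tclass"),
                      set(m.group("perms").split())))
    return found


def allow_rules(text):
    """Merge denials into one 'allow' rule per (source, target, class), like audit2allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return rules


def risky_rules(text):
    """Return (source, target, perm, reason) for every denial matching RISKY."""
    hits = []
    for src, tgt, cls, perms in parse_avc_denials(text):
        for perm in sorted(perms):
            reason = RISKY.get((tgt, perm))
            if reason:
                hits.append((src, tgt, perm, reason))
    return hits


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for src, tgt, perm, why in risky_rules(SAMPLE_AUDIT_LOG):
        print("WARNING: %s -> %s:%s (%s)" % (src, tgt, perm, why))
```

Run it on `/var/log/audit/audit.log` after a permissive-mode reproduction and compare the flagged lines with what the proposed policy change actually grants; the merged rule for `shell_exec_t` is exactly what the `corecmd_exec_shell(virtd_t)` interface in the first comment expands to.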
I am not sure this is a great idea. From a security point of view, should we allow the virtd daemon to change the iptables rules on the host system?
Libvirt needs to provide various forms of connectivity to guest VMs. One form is an isolated network, which is a bridge device to which guest TAP devices are attached, but which has no physical NIC attached. We need to add iptables rules to stop traffic being forwarded out of the bridge. The other form is a NAT based network, which again consists of a bridge device with guests attached. We then add iptables rules to allow outbound traffic to the LAN, using masquerading for traffic. Unfortunately I don't see any alternative way to provide this functionality which would allow for more fine grained security policy - lokkit is pretty much an all or nothing tool, since it is so general purpose.
On further investigation I think use of lokkit in libvirt should be removed entirely. It is crazy to require the entire python stack, merely in order to write a single plain text file. In addition lokkit does so many things we don't need in libvirt - we don't want to have to allow access to such a broad range of functionality in the selinux policy. I think it'll be preferable to just write the config file directly, and then we only need allow access to a single file in the policy
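To make the two network modes described two comments up concrete, and the "write the file directly" proposal above testable, here is an added example (not libvirt's code, and not the patch that eventually replaced lokkit). It builds the rule sets for an isolated network and a NAT network from a bridge name and subnet, and renders each chain as a plain text file of the kind libvirt was already handing to lokkit via `--custom-rules=ipv4:<table>:<file>`. The rule contents are modelled on what the comment describes (DNS/DHCP reachable from the bridge, guest-to-guest forwarding, for NAT also outbound plus established replies and a MASQUERADE rule); the exact rules, the bridge names and the one-`-A`-line-per-rule file layout are assumptions made for illustration, so check them against your libvirt version before relying on them. The point it demonstrates is ordering: every chain ends with a REJECT in both directions, so an isolated network forwards nothing off its bridge even if a rule is later added by mistake above the rejects.

```python
"""Build libvirt-style iptables rule sets for 'isolated' and 'nat' bridged
networks and render them as plain chain files.

Added example for this bug report; not libvirt's own code. Rule contents,
bridge names and the chain-file layout are assumptions.
"""
import ipaddress

# Host services guests may reach: dnsmasq DNS (53) and DHCP (67).
DNSMASQ_PORTS = (("udp", 53), ("tcp", 53), ("udp", 67), ("tcp", 67))


def build_rules(bridge, subnet, mode):
    """Return {table: {chain: [rule, ...]}} for mode 'isolated' or 'nat'.

    Order matters: ACCEPT rules for wanted traffic come first and FORWARD
    ends with REJECT in both directions, so anything not explicitly
    allowed (in particular, forwarding off the bridge of an isolated
    network) is refused.
    """
    if mode not in ("isolated", "nat"):
        raise ValueError("mode must be 'isolated' or 'nat'")
    net = ipaddress.ip_network(subnet, strict=True)  # ValueError on a bad CIDR

    # INPUT: dnsmasq is reachable only via the bridge interface.
    inp = ["-i %s -p %s --dport %d -j ACCEPT" % (bridge, proto, port)
           for proto, port in DNSMASQ_PORTS]

    # FORWARD: guest <-> guest on the same bridge is always fine.
    fwd = ["-i %s -o %s -j ACCEPT" % (bridge, bridge)]
    if mode == "nat":
        # guest -> LAN, but only from the network's own subnet ...
        fwd.append("-s %s -i %s -j ACCEPT" % (net, bridge))
        # ... and LAN -> guest only for replies to those connections.
        fwd.append("-d %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT" % (net, bridge))
    # Everything else to or from the bridge is refused (this is what isolates an isolated network).
    fwd.append("-i %s -j REJECT" % bridge)
    fwd.append("-o %s -j REJECT" % bridge)

    rules = {"filter": {"INPUT": inp, "FORWARD": fwd}}
    if mode == "nat":
        # Masquerade guest traffic leaving the subnet; never NAT guest-to-guest traffic.
        rules["nat"] = {"POSTROUTING": ["-s %s ! -d %s -j MASQUERADE" % (net, net)]}
    return rules


def render_chain_file(rules, table, chain):
    """One '-A CHAIN ...' line per rule: the content of <dir>/<table>/<CHAIN>.chain
    (assumed layout, matching the paths shown in this report)."""
    return "".join("-A %s %s\n" % (chain, rule) for rule in rules[table][chain])


def leaves_bridge(rules, bridge):
    """True if any FORWARD ACCEPT rule can pass a packet off the bridge,
    i.e. the rule set does not describe an isolated network."""
    same_bridge = "-i %s -o %s " % (bridge, bridge)
    for rule in rules["filter"]["FORWARD"]:
        if "-j ACCEPT" in rule and same_bridge not in rule:
            return True
    return False


if __name__ == "__main__":
    for mode in ("isolated", "nat"):
        ruleset = build_rules("virbr0", "192.168.122.0/24", mode)
        print("# mode=%s leaves_bridge=%s" % (mode, leaves_bridge(ruleset, "virbr0")))
        for table, chains in ruleset.items():
            for chain in chains:
                print("## %s/%s.chain" % (table, chain))
                print(render_chain_file(ruleset, table, chain), end="")
```

Writing these files directly is what the comment above proposes: the daemon then needs write access to one directory with its own label in policy, rather than the shell, /usr and /etc access that lokkit's Python stack requires.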
*** This bug has been marked as a duplicate of 447633 ***