Bug 437802 - libvirt daemon needs to be able to run lokkit
Status: CLOSED DUPLICATE of bug 447633
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-03-17 10:39 EDT by Daniel Berrange
Modified: 2008-06-11 10:48 EDT
Last Closed: 2008-06-11 10:48:41 EDT
Doc Type: Bug Fix
Attachments: None
Description Daniel Berrange 2008-03-17 10:39:17 EDT
Description of problem:
When configuring a virtual network for NAT based connectivity, libvirt uses
lokkit to add iptables rules to allow traffic between a guest & the LAN. SELinux
policy is blocking this usage.

 type=AVC msg=audit(1205762763.055:185): avc:  denied  { read } for  pid=4002
comm="lokkit" name="fw_config.py" dev=dm-0 ino=1540393
scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.055:186): avc:  denied  { getattr } for  pid=4002
comm="lokkit" path="/usr/share/system-config-firewall/fw_config.py" dev=dm-0
ino=1540393 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc:  denied  { execute } for  pid=4002
comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { read } for  pid=4011
comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { execute_no_trans } for 
pid=4011 comm="lokkit" path="/bin/bash" dev=dm-0 ino=1441813
scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
tclass=file


audit2allow suggests

require {
        type virtd_t;
}

#============= virtd_t ==============
corecmd_exec_shell(virtd_t)
files_read_usr_files(virtd_t)
Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-16.fc9.noarch
libvirt-0.4.1-4.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/libvirtd stop
2. /etc/init.d/libvirtd start

Actual results:
# /etc/init.d/libvirtd start
Starting libvirtd daemon: Traceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit
--custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/INPUT.chain' :
Invalid argumentTraceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit
--custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/FORWARD.chain' :
Invalid argumentTraceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit --custom-rules=ipv4:nat:/va[  OK 
]bvirt/iptables/nat/POSTROUTING.chain' : Invalid argument


Expected results:
Starts without error

Additional info:
Comment 1 Daniel Walsh 2008-03-17 11:14:26 EDT
Seems like it is going to need more than this if it is actually going to modify
iptables?
Comment 2 Daniel Walsh 2008-03-17 11:15:05 EDT
Rules added in selinux-policy-3.3.21.fc9
Comment 3 Daniel Berrange 2008-03-17 11:19:49 EDT
Well, those are the only AVC messages I got when I switched to 'permissive'
mode. I'll test the new policy & report back if further rules are needed.
Comment 4 Bug Zapper 2008-05-14 02:39:33 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Dax Kelson 2008-06-10 02:38:47 EDT
I'm using F9 with all errata applied (i.e., selinux-policy-3.3.1-55.fc9.noarch)
and I'm still having this problem.

host=mentorng.gurulabs.com type=AVC msg=audit(1213079217.414:67): avc: denied {
write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343
scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file

host=mentorng.gurulabs.com type=SYSCALL msg=audit(1213079217.414:67):
arch=c000003e syscall=2 success=no exit=-13 a0=1bb3300 a1=241 a2=1b6
a3=7fef3cee86f0 items=0 ppid=2689 pid=12992 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lokkit"
exe="/usr/bin/python" subj=system_u:system_r:virtd_t:s0 key=(null) 

After running in permissive mode, audit2allow suggests:

#============= virtd_t ==============
allow virtd_t admin_home_t:dir read;
allow virtd_t etc_t:file { write setattr };
allow virtd_t modules_dep_t:file getattr;
allow virtd_t modules_object_t:dir read;
allow virtd_t modules_object_t:lnk_file read;
allow virtd_t src_t:dir read;

# ls -alZ /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_t:s0       /etc/sysconfig/iptables
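An audit2allow-style reducer, added here as an example (not code from the bug report, libvirt or the SELinux tools): it parses AVC records shaped like those in the description and in comment 5, merges the denied permissions per (source type, target type, class) into allow rules, and flags rules whose target is a generic type such as etc_t or usr_t, which is the over-broad grant comment 6 questions. The sample records are constructed and GENERIC_TARGET_TYPES is an assumed review list, not a policy artifact.

```python
import re

# Constructed sample shaped after the AVC records quoted in the description and comment 5.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1205762763.055:185): avc:  denied  { read } for  pid=4002 comm="lokkit" name="fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.055:186): avc:  denied  { getattr } for  pid=4002 comm="lokkit" path="/usr/share/system-config-firewall/fw_config.py" dev=dm-0 ino=1540393 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc:  denied  { execute } for  pid=4002 comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { execute_no_trans } for pid=4011 comm="lokkit" path="/bin/bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# Assumed review list: generic types labelling all of /etc, all of /usr, every shell, every binary.
GENERIC_TARGET_TYPES = {"etc_t", "usr_t", "bin_t", "shell_exec_t"}

def context_type(ctx):
    """Type field of a user:role:type[:level] SELinux context string."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, class, {perms}) for a denial record, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("decision") != "denied":
        return None
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), set(m.group("perms").split()))

def collect_denials(audit_text):
    """Merge permissions per (source, target, class) key, as audit2allow does."""
    merged = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged.setdefault(rec[:3], set()).update(rec[3])
    return merged

def suggest_allow_rules(audit_text):
    """Render merged denials as raw allow rules, without reference-policy interface mapping."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(audit_text).items()):
        joined = " ".join(sorted(perms))
        perms_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perms_str};")
    return rules

def over_broad_rules(audit_text):
    """Keys whose target type is generic: these want a dedicated type, not a blanket allow."""
    return sorted(k for k in collect_denials(audit_text) if k[1] in GENERIC_TARGET_TYPES)
```

Every rule the sample yields lands in over_broad_rules, which is the practical reading of comments 6 and 8: the fix is a narrower label for the one file libvirt writes, not allowing virtd_t write on all of etc_t.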
Comment 6 Daniel Walsh 2008-06-10 14:47:37 EDT
I am not sure this is a great idea.  From a security point of view to allow the
virtd daemon to change the iptables rules on the host system?
Comment 7 Daniel Berrange 2008-06-10 16:36:20 EDT
Libvirt needs to provide various forms of connectivity to guest VMs. One form is
an isolated network, which is a bridge device to which guest TAP devices are
attached, but which has no physical NIC attached. We need to add iptables rules
to stop traffic being forwarded out of the bridge.

The other form is a NAT based network, which again consists of a bridge device
with guests attached. We then add iptables rules to allow outbound traffic to
the LAN, using masquerading for traffic.

Unfortunately I don't see any alternative way to provide this functionality
which would allow for more fine-grained security policy - lokkit is pretty much
an all or nothing tool, since it is so general purpose.
Comment 8 Daniel Berrange 2008-06-11 06:15:16 EDT
On further investigation I think use of lokkit in libvirt should be removed
entirely. It is crazy to require the entire python stack, merely in order to
write a single plain text file. In addition lokkit does soooo many things we
don't need in libvirt - we don't want to have to allow access to such a broad
range of functionality in the selinux policy. I think it'll be preferable to
just write the config file directly, and then we only need to allow access to a
single file in the policy.
Comment 9 Daniel Berrange 2008-06-11 10:48:41 EDT

*** This bug has been marked as a duplicate of 447633 ***
