Bug 437802 - libvirt daemon needs to be able to run lokkit
Summary: libvirt daemon needs to be able to run lokkit
Status: CLOSED DUPLICATE of bug 447633
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-03-17 14:39 UTC by Daniel Berrangé
Modified: 2008-06-11 14:48 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-06-11 14:48:41 UTC
Description Daniel Berrangé 2008-03-17 14:39:17 UTC
Description of problem:
When configuring a virtual network for NAT based connectivity, libvirt uses
lokkit to add iptables rules to allow traffic between a guest & the LAN. SElinux
policy is blocking this usage

 type=AVC msg=audit(1205762763.055:185): avc:  denied  { read } for  pid=4002
comm="lokkit" name="fw_config.py" dev=dm-0 ino=1540393
scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.055:186): avc:  denied  { getattr } for  pid=4002
comm="lokkit" path="/usr/share/system-config-firewall/fw_config.py" dev=dm-0
ino=1540393 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc:  denied  { execute } for  pid=4002
comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { read } for  pid=4011
comm="lokkit" name="bash" dev=dm-0 ino=1441813 scontext=root:system_r:virtd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { execute_no_trans } for 
pid=4011 comm="lokkit" path="/bin/bash" dev=dm-0 ino=1441813
scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
tclass=file


audit2allow suggests

require {
        type virtd_t;
}

#============= virtd_t ==============
corecmd_exec_shell(virtd_t)
files_read_usr_files(virtd_t)
 


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-16.fc9.noarch
libvirt-0.4.1-4.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/libvirtd stop
2. /etc/init.d/libvirtd start
Actual results:
# /etc/init.d/libvirtd start
Starting libvirtd daemon: Traceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit
--custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/INPUT.chain' :
Invalid argumentTraceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit
--custom-rules=ipv4:filter:/var/lib/libvirt/iptables/filter/FORWARD.chain' :
Invalid argumentTraceback (most recent call last):
  File "/usr/sbin/lokkit", line 26, in <module>
    import fw_config
ImportError: No module named fw_config
Failed to run '/usr/sbin/lokkit --custom-rules=ipv4:nat:/va[  OK 
]bvirt/iptables/nat/POSTROUTING.chain' : Invalid argument


Expected results:
Starts without error

Additional info:

Comment 1 Daniel Walsh 2008-03-17 15:14:26 UTC
Seems like it is going to need more than this if it is actually going to modify
iptables?

Comment 2 Daniel Walsh 2008-03-17 15:15:05 UTC
Rules added in selinux-policy-3.3.21.fc9

Comment 3 Daniel Berrangé 2008-03-17 15:19:49 UTC
Well, those are the only AVC messages I got when I switched to 'permissive'
mode. I'll test the new policy & report back if further rules are needed.


Comment 4 Bug Zapper 2008-05-14 06:39:33 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Dax Kelson 2008-06-10 06:38:47 UTC
I'm using F9 with all errata applied (i.e., selinux-policy-3.3.1-55.fc9.noarch)
and I'm still having this problem.

host=mentorng.gurulabs.com type=AVC msg=audit(1213079217.414:67): avc: denied {
write } for pid=12992 comm="lokkit" name="iptables" dev=dm-3 ino=199343
scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file

host=mentorng.gurulabs.com type=SYSCALL msg=audit(1213079217.414:67):
arch=c000003e syscall=2 success=no exit=-13 a0=1bb3300 a1=241 a2=1b6
a3=7fef3cee86f0 items=0 ppid=2689 pid=12992 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lokkit"
exe="/usr/bin/python" subj=system_u:system_r:virtd_t:s0 key=(null) 

After running in permissive mode, audit2allow suggests:

#============= virtd_t ==============
allow virtd_t admin_home_t:dir read;
allow virtd_t etc_t:file { write setattr };
allow virtd_t modules_dep_t:file getattr;
allow virtd_t modules_object_t:dir read;
allow virtd_t modules_object_t:lnk_file read;
allow virtd_t src_t:dir read;

# ls -alZ /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_t:s0       /etc/sysconfig/iptables


Comment 6 Daniel Walsh 2008-06-10 18:47:37 UTC
I am not sure this is a great idea.  From a security point of view to allow the
virtd daemon to change the iptables rules on the host system?

Comment 7 Daniel Berrangé 2008-06-10 20:36:20 UTC
Libvirt needs to provide various forms of connectivity to guest VMs. One form is
an isolated network, which is a bridge device to which guest TAP devices are
attached, but which has no physical NIC attached. We need to add iptables rules
to stop traffic being forwarded out of the bridge.

The other form is a NAT based network, which again consists of a bridge device
with guests attached. We then add iptables rules to allow outbound traffic to
the LAN, using masquerading for traffic.

Unfortunately I don't see any alternative way to provide this functionality
which would allow for more fine-grained security policy - lokkit is pretty much
an all or nothing tool, since it is so general purpose.


Comment 8 Daniel Berrangé 2008-06-11 10:15:16 UTC
On further investigation I think use of lokkit in libvirt should be removed
entirely. It is crazy to require the entire python stack, merely in order to
write a single plain text file. In addition lokkit does soooo many things we
don't need in libvirt - we don't want to have to allow access to such a broad
range of functionality in the selinux policy. I think it'll be preferable to
just write the config file directly, and then we only need allow access to a
single file in the policy.
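An added example (not part of this bug or of libvirt) of the triage the thread does by hand: parse AVC denials like the ones quoted above into the `allow` statements audit2allow would print, then flag any that give a confined daemon write or execute access to generic labels such as etc_t or shell_exec_t, which is the breadth Comments 6 and 8 object to. The sample audit lines and the list of generic types are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the AVC lines in this report (fields trimmed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1205762763.055:185): avc:  denied  { read } for  pid=4002 comm="lokkit" name="fw_config.py" scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1205762763.134:187): avc:  denied  { execute } for  pid=4002 comm="lokkit" name="bash" scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1205762763.135:188): avc:  denied  { execute_no_trans } for  pid=4011 comm="lokkit" path="/bin/bash" scontext=root:system_r:virtd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1213079217.414:67): avc: denied { write } for pid=12992 comm="lokkit" name="iptables" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1213079217.414:67): arch=c000003e syscall=2 success=no exit=-13 comm="lokkit"
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Generic labels covering far more than one file, and the permissions that
# matter on them (assumed review list for this example, not from the report).
GENERIC_TYPES = {"etc_t", "usr_t", "shell_exec_t", "bin_t"}
RISKY_PERMS = {"write", "append", "create", "setattr", "unlink",
               "execute", "execute_no_trans"}

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line.
    The type is the third field of a user:role:type:level context string."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:            # SYSCALL and other record types carry no contexts
            continue
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(text):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules

def review_flags(text):
    """Flag write-like or execute access to a generic type as too broad."""
    flags = []
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        if ttype in GENERIC_TYPES and perms & RISKY_PERMS:
            flags.append(f"{stype} -> {ttype}:{tclass} {' '.join(sorted(perms))}")
    return flags
```

Run against the sample, the read of usr_t passes review while the shell execute and the write to etc_t are flagged, which is the distinction between the first and second rounds of audit2allow output in this bug.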

Comment 9 Daniel Berrangé 2008-06-11 14:48:41 UTC

*** This bug has been marked as a duplicate of 447633 ***

