Bug 477187 - selinux policy requires ISO images to be virt_image_t
Product: Fedora
Classification: Fedora
Component: libvirt
All Linux
medium Severity medium
Assigned To: Daniel Veillard
Fedora Extras Quality Assurance
Reported: 2008-12-19 10:09 EST by Jeff Bastian
Modified: 2009-08-04 11:08 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-04 11:08:14 EDT
Description Jeff Bastian 2008-12-19 10:09:57 EST
Description of problem:
I'm trying to create a KVM virtual machine under Fedora 10.  I'm using virt-manager.  I pointed it at an ISO image of RHEL 5.1, and when the install tried to start, SELinux blocked it, and setroubleshooter told me that the ISO image needs to be virt_image_t.

Obviously, the ISO file is not the virtual machine disk image, so it shouldn't matter what type the ISO file is.  It's currently default_t:

$ ls -Z RHEL5.1-Client-20071017.0-x86_64-DVD.iso
-rw-r--r--  jbastian jbastian system_u:object_r:default_t:s0   RHEL5.1-Client-20071017.0-x86_64-DVD.iso

/var/log/messages contains
Dec 19 08:45:44 tarantula setroubleshoot: SELinux is preventing qemu (qemu-kvm)"read" to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso (default_t). For complete SELinux messages. run sealert -l 69452186-cf86-4caf-b372-3ffb4e250c0b          

Full sealert text is below.

I ran
  chcon -t virt_image_t RHEL5.1-Client-20071017.0-x86_64-DVD.iso
and that allowed me to proceed.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Try to create a virtual machine
2. Point virt-manager at an ISO file for the installation source
Actual results:
SELinux prevents the install from happening.

Expected results:
Install can use the ISO file with default_t or any other type, e.g., user_home_t if the ISO is in my home dir.

Additional info:

$ sudo sealert -l 69452186-cf86-4caf-b372-3ffb4e250c0b                        

SELinux is preventing qemu (qemu-kvm) "read" to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso (default_t).

Detailed Description:

SELinux denied qemu access to ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso. If
this is a virtualization image, it has to have a file context label of      
virt_image_t. The system is setup to label image files in                   
directory./var/lib/libvirt/images correctly. We recommend that you copy your
image file to /var/lib/libvirt/images. If you really want to have your qemu 
image files in the current directory, you can relabel                       
./RHEL5.1-Client-20071017.0-x86_64-DVD.iso to be virt_image_t using chcon. You
also need to execute semanage fcontext -a -t virt_image_t                     
'./RHEL5.1-Client-20071017.0-x86_64-DVD.iso' to add this new path to the system
defaults. If you did not intend to use                                         
./RHEL5.1-Client-20071017.0-x86_64-DVD.iso as a qemu image it could indicate   
either a bug or an intrusion attempt.                                          

Allowing Access:

You can alter the file context by executing chcon -t virt_image_t
'./RHEL5.1-Client-20071017.0-x86_64-DVD.iso' You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t virt_image_t

Fix Command:

chcon -t virt_image_t './RHEL5.1-Client-20071017.0-x86_64-DVD.iso'

Additional Information:

Source Context                system_u:system_r:qemu_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                ./RHEL5.1-Client-20071017.0-x86_64-DVD.iso [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/qemu-kvm
Port                          <Unknown>
Host                          tarantula.localdomain
Source RPM Packages           kvm-74-6.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   qemu_file_image
Host Name                     tarantula.localdomain
Platform                      Linux tarantula.localdomain
                     #1 SMP Mon Dec 1 22:21:35
                              EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Dec 19 08:45:44 2008
Last Seen                     Fri Dec 19 08:45:44 2008
Local ID                      69452186-cf86-4caf-b372-3ffb4e250c0b
Line Numbers

Raw Audit Messages

node=tarantula.localdomain type=AVC msg=audit(1229697944.194:176): avc:  denied { read } for  pid=3906 comm="qemu-kvm" name="RHEL5.1-Client-20071017.0-x86_64-DVD.iso" dev=dm-1 ino=3154201 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

node=tarantula.localdomain type=SYSCALL msg=audit(1229697944.194:176): arch=c000003e syscall=2 success=no exit=-13 a0=7fffa2b01310 a1=0 a2=1a4 a3=30a276da70 items=0 ppid=2629 pid=3906 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null)
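
An added example, not part of the original report: a small Python parser for the AVC record quoted above that reports when the qemu_t domain was denied access to a file whose label is not virt_image_t. The function names parse_avc and triage are hypothetical; the sample line is copied from the raw audit message in this report.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
SAMPLE_AVC = (
    'node=tarantula.localdomain type=AVC msg=audit(1229697944.194:176): '
    'avc:  denied { read } for  pid=3906 comm="qemu-kvm" '
    'name="RHEL5.1-Client-20071017.0-x86_64-DVD.iso" dev=dm-1 ino=3154201 '
    'scontext=system_u:system_r:qemu_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type:level; the level may contain colons (MLS ranges).
        parts = fields.get(side, '').split(':', 3)
        fields[side + '_type'] = parts[2] if len(parts) >= 3 else None
    return fields


def triage(line, domain='qemu_t', wanted='virt_image_t'):
    """Summarise a denial where `domain` touched a file not labelled `wanted`."""
    avc = parse_avc(line)
    if not avc or avc['scontext_type'] != domain or avc.get('tclass') != 'file':
        return None
    if avc['tcontext_type'] == wanted:
        return None
    return {
        'file': avc.get('name'),
        'inode': avc.get('ino'),
        'denied': avc['perms'],
        'current_type': avc['tcontext_type'],
        'expected_type': wanted,
    }


if __name__ == '__main__':
    print(triage(SAMPLE_AVC))
```

The record carries only the file name and inode, not the full path, so locating the file to relabel still needs the inode or the working directory of the process.
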
Comment 1 Daniel Walsh 2008-12-19 11:56:20 EST
We need a way to separate the installation of an image from the actual running of an image.

The problem right now is that when libvirtd runs an install it calls qemu to do the install.  It also calls qemu when it runs an image.  Since we want to lock down the running of an image we need to change this behaviour somehow.

A couple of choices to fix this.  

Execute an intermediary script or program to do the install.

libvirtd->virtd_install.sh-> qemu

Then I could label virtd_install.sh as virt_install_t and not transition to qemu_t when doing an install.

Another thing we could do is have libvirtd call (pseudo code)

con = getcon()
exec(qemu) for install

Which would stop the transition from happening on an install.
Comment 2 Stijn Hoop 2009-02-16 10:55:21 EST
Seeing this as well. Are you sure this is only a problem during install? I might want to "insert" a different CD (a.k.a. connect a different .iso file) while running a VM, let's say the next Fedora installation DVD I've just downloaded as a normal user over the internet?
Comment 3 Daniel Berrange 2009-08-04 11:08:14 EDT
In Fedora 11 we introduced more advanced SELinux support into libvirt, known as 'sVirt'. With this, libvirtd will automatically relabel ISO images & disk images to virt_image_t when required.  This new code is too invasive to consider backporting to Fedora 10, so I'm closing this WONTFIX.
