Bug 484340 - Creating new virtual networks via virt-manager causes SELinux violations
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt
Version: 5.3
Platform: x86_64 Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Veillard
QA Contact: Virtualization Bugs
Reported: 2009-02-06 05:02 EST by Nik Lam
Modified: 2009-12-14 16:23 EST
Doc Type: Bug Fix
Last Closed: 2009-09-02 05:23:11 EDT

Attachments: None
Description Nik Lam 2009-02-06 05:02:46 EST
Description of problem:
SELinux AVC denial generated when creating a new virtual network as per
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Virtualization_Guide/sect-Virtualization-Managing_guests_with_Virtual_Machine_Managervirt_manager-Creating_a_virtual_network.html

As soon as the virtual network is created, three sets of AVC denials are reported. Similar reports are generated when the virtual network is stopped.

N.B. my host is a multi-homed RHEL5 Desktop system.



Version-Release number of selected component (if applicable):
   virt-manager-0.5.3-10.el5.x86_64

How reproducible:
  Always.

Steps to Reproduce:
1. Follow the above URL to create a new virtual network with NAT access to all physical interfaces. The denials will occur.
2. Once the network is created, stop it. The denials will occur again.
  
Actual results:
AVC denials occur.


Expected results:
No AVC denials.


Additional info:

Denial 1:
========

Summary:

SELinux is preventing iptables (iptables_t) "read write" to /proc/xen/privcmd
(proc_xen_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/xen/privcmd,

restorecon -v '/proc/xen/privcmd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:object_r:proc_xen_t
Target Objects                /proc/xen/privcmd [ file ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          chipolata.med.usyd.edu.au
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     chipolata.med.usyd.edu.au
Platform                      Linux chipolata.med.usyd.edu.au 2.6.18-128.el5xen
                              #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64
Alert Count                   120
First Seen                    Fri 06 Feb 2009 08:33:25 PM EST
Last Seen                     Fri 06 Feb 2009 08:52:17 PM EST
Local ID                      4668f85d-22b8-446d-b73f-d8912d930e5c
Line Numbers                  

Raw Audit Messages            

host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913937.858:1533): avc:  denied  { read write } for  pid=30368 comm="iptables" path="/proc/xen/privcmd" dev=proc ino=4026534886 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=chipolata.med.usyd.edu.au type=SYSCALL msg=audit(1233913937.858:1533): arch=c000003e syscall=59 success=yes exit=0 a0=4f05610 a1=4ebd660 a2=7fff2d7882d0 a3=0 items=0 ppid=3040 pid=30368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)




Denial 2:
=========

Summary:

SELinux is preventing brctl (brctl_t) "read write" to /proc/xen/privcmd
(proc_xen_t).

Detailed Description:

SELinux denied access requested by brctl. It is not expected that this access is
required by brctl and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/xen/privcmd,

restorecon -v '/proc/xen/privcmd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:brctl_t
Target Context                system_u:object_r:proc_xen_t
Target Objects                /proc/xen/privcmd [ file ]
Source                        brctl
Source Path                   /usr/sbin/brctl
Port                          <Unknown>
Host                          chipolata.med.usyd.edu.au
Source RPM Packages           bridge-utils-1.1-2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     chipolata.med.usyd.edu.au
Platform                      Linux chipolata.med.usyd.edu.au 2.6.18-128.el5xen
                              #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 06 Feb 2009 08:33:25 PM EST
Last Seen                     Fri 06 Feb 2009 08:51:12 PM EST
Local ID                      2242dc55-5009-4390-ae1f-3275f4f6c4ee
Line Numbers                  

Raw Audit Messages            

host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913872.167:1486): avc:  denied  { read write } for  pid=30076 comm="brctl" path="/proc/xen/privcmd" dev=proc ino=4026534886 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=chipolata.med.usyd.edu.au type=SYSCALL msg=audit(1233913872.167:1486): arch=c000003e syscall=59 success=yes exit=0 a0=4f02b10 a1=4eb5280 a2=7fff2d7882d0 a3=0 items=0 ppid=3040 pid=30076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0 key=(null)

Denial 3:
=========

Summary:

SELinux is preventing dnsmasq (dnsmasq_t) "read write" to /proc/xen/privcmd
(proc_xen_t).

Detailed Description:

SELinux denied access requested by dnsmasq. It is not expected that this access
is required by dnsmasq and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/xen/privcmd,

restorecon -v '/proc/xen/privcmd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t
Target Context                system_u:object_r:proc_xen_t
Target Objects                /proc/xen/privcmd [ file ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          chipolata.med.usyd.edu.au
Source RPM Packages           dnsmasq-2.45-1.el5_2.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     chipolata.med.usyd.edu.au
Platform                      Linux chipolata.med.usyd.edu.au 2.6.18-128.el5xen
                              #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 06 Feb 2009 08:33:25 PM EST
Last Seen                     Fri 06 Feb 2009 08:51:12 PM EST
Local ID                      21d461b6-b071-405b-9778-6e7afab717c8
Line Numbers                  

Raw Audit Messages            

host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913872.259:1507): avc:  denied  { read write } for  pid=30101 comm="dnsmasq" path="/proc/xen/privcmd" dev=proc ino=4026534886 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file

host=chipolata.med.usyd.edu.au type=SYSCALL msg=audit(1233913872.259:1507): arch=c000003e syscall=59 success=yes exit=0 a0=4f04e90 a1=4f024d0 a2=7fff2d7882d0 a3=0 items=0 ppid=3040 pid=30101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
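The three denials above share one pattern: unrelated helper domains (iptables_t, brctl_t, dnsmasq_t) all denied "read write" on the same file, /proc/xen/privcmd, labelled proc_xen_t. The following C program is added here as an illustration and is not part of the report or of libvirt: it parses raw audit records of the kind quoted above into their fields and counts how many distinct source domains were denied on /proc/xen/privcmd, which is the signal a reviewer would use to tell an inherited descriptor apart from three programs that each genuinely need the file. The sample records are copied from the report, except the last one, which is constructed (a second iptables denial with a different pid) to show that repeated hits from one domain are counted once.

```c
#include <stdio.h>
#include <string.h>

/* Audit records copied from the report: three AVC denials and one SYSCALL
 * companion record (to show non-AVC records are skipped). The final line is
 * CONSTRUCTED for this example: a repeat iptables denial with another pid. */
static const char *const SAMPLE_LOG[] = {
    "host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913937.858:1533): avc:  denied  { read write } for  pid=30368 comm=\"iptables\" path=\"/proc/xen/privcmd\" dev=proc ino=4026534886 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file",
    "host=chipolata.med.usyd.edu.au type=SYSCALL msg=audit(1233913937.858:1533): arch=c000003e syscall=59 success=yes exit=0 a0=4f05610 a1=4ebd660 a2=7fff2d7882d0 a3=0 items=0 ppid=3040 pid=30368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"iptables\" exe=\"/sbin/iptables\" subj=system_u:system_r:iptables_t:s0 key=(null)",
    "host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913872.167:1486): avc:  denied  { read write } for  pid=30076 comm=\"brctl\" path=\"/proc/xen/privcmd\" dev=proc ino=4026534886 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file",
    "host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913872.259:1507): avc:  denied  { read write } for  pid=30101 comm=\"dnsmasq\" path=\"/proc/xen/privcmd\" dev=proc ino=4026534886 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file",
    "host=chipolata.med.usyd.edu.au type=AVC msg=audit(1233913940.000:1540): avc:  denied  { read write } for  pid=30400 comm=\"iptables\" path=\"/proc/xen/privcmd\" dev=proc ino=4026534886 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file",
};
#define SAMPLE_LOG_LEN 5

struct avc_event {
    char comm[32];
    char path[128];
    char perms[64];   /* text between the braces, e.g. "read write" */
    char stype[64];   /* type component of scontext, e.g. iptables_t */
    char ttype[64];   /* type component of tcontext, e.g. proc_xen_t */
};

/* Copy the value of `key=` (bare or "quoted") into dst; 1 if found, else 0.
 * The key must start a token so that e.g. "context" never matches "tcontext=". */
static int field(const char *line, const char *key, char *dst, size_t n)
{
    size_t klen = strlen(key);
    for (const char *p = strstr(line, key); p; p = strstr(p + klen, key)) {
        if ((p != line && p[-1] != ' ') || p[klen] != '=')
            continue;
        p += klen + 1;
        const char *end;
        if (*p == '"') { p++; end = strchr(p, '"'); }
        else end = p + strcspn(p, " ");
        if (!end) return 0;
        size_t len = (size_t)(end - p);
        if (len >= n) len = n - 1;
        memcpy(dst, p, len);
        dst[len] = '\0';
        return 1;
    }
    return 0;
}

/* The type is the third colon-separated component of user:role:type:level. */
static int context_type(const char *ctx, char *dst, size_t n)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        if (!(p = strchr(p, ':'))) return 0;
        p++;
    }
    size_t len = strcspn(p, ":");
    if (len >= n) len = n - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 1;
}

/* Parse one audit record. Returns 1 for an AVC denial with `ev` filled in,
 * 0 for any other record type or a malformed line. */
int parse_avc(const char *line, struct avc_event *ev)
{
    char buf[128];
    memset(ev, 0, sizeof *ev);
    if (!field(line, "type", buf, sizeof buf) || strcmp(buf, "AVC") != 0) return 0;
    const char *lb = strstr(line, "denied");
    lb = lb ? strchr(lb, '{') : NULL;
    const char *rb = lb ? strchr(lb, '}') : NULL;
    if (!lb || !rb) return 0;
    for (lb++; *lb == ' '; lb++) ;                  /* skip "{ " */
    size_t len = (size_t)(rb - lb);
    while (len > 0 && lb[len - 1] == ' ') len--;    /* drop " }" padding */
    if (len >= sizeof ev->perms) len = sizeof ev->perms - 1;
    memcpy(ev->perms, lb, len);
    ev->perms[len] = '\0';
    field(line, "comm", ev->comm, sizeof ev->comm);
    field(line, "path", ev->path, sizeof ev->path);
    return field(line, "scontext", buf, sizeof buf) && context_type(buf, ev->stype, sizeof ev->stype)
        && field(line, "tcontext", buf, sizeof buf) && context_type(buf, ev->ttype, sizeof ev->ttype);
}

/* Count distinct source domains denied on /proc/xen/privcmd (names go to `out`).
 * Several unrelated helper domains tripping over one privileged file points at
 * a descriptor inherited across exec, not at three programs that need privcmd. */
int distinct_privcmd_domains(const char *const *lines, int n, char out[][64], int max)
{
    int count = 0;
    struct avc_event ev;
    for (int i = 0; i < n; i++) {
        if (!parse_avc(lines[i], &ev) || strcmp(ev.path, "/proc/xen/privcmd") != 0
            || strcmp(ev.ttype, "proc_xen_t") != 0)
            continue;
        int seen = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(out[j], ev.stype) == 0) seen = 1;
        if (!seen && count < max) strcpy(out[count++], ev.stype);
    }
    return count;
}

/* Does sample line i parse as an AVC denial with exactly these fields? */
int sample_matches(int i, const char *comm, const char *stype, const char *ttype, const char *perms)
{
    struct avc_event ev;
    if (i < 0 || i >= SAMPLE_LOG_LEN || !parse_avc(SAMPLE_LOG[i], &ev)) return 0;
    return !strcmp(ev.comm, comm) && !strcmp(ev.stype, stype)
        && !strcmp(ev.ttype, ttype) && !strcmp(ev.perms, perms);
}

int sample_distinct_domains(void)
{
    char doms[8][64];
    return distinct_privcmd_domains(SAMPLE_LOG, SAMPLE_LOG_LEN, doms, 8);
}

int main(void)
{
    char doms[8][64];
    int n = distinct_privcmd_domains(SAMPLE_LOG, SAMPLE_LOG_LEN, doms, 8);
    printf("%d distinct domains denied on /proc/xen/privcmd:", n);
    for (int i = 0; i < n; i++) printf(" %s", doms[i]);
    printf("\n");
    return 0;
}
```

On the sample above the program reports three domains (iptables_t, brctl_t, dnsmasq_t); the SYSCALL record is skipped and the repeated iptables denial is not counted twice. On a live host the same lines come from `ausearch -m avc` or /var/log/audit/audit.log.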
Comment 2 Cole Robinson 2009-02-13 14:31:31 EST
This isn't specific to virt-manager, since libvirt/xen are dispatching all this work. I'm not totally sure what to do, reassigning to selinux-policy and we can work from there.
Comment 3 Daniel Walsh 2009-02-16 13:02:17 EST
This looks like a leaked file descriptor to /proc/xen/privcmd

I am pretty sure brctl_t, dnsmasq_t, iptables_t know nothing about this file.

Whoever is opening this file should be closing it on exec.  libvirt? xen?
Comment 4 Daniel Berrange 2009-02-17 04:40:30 EST
Yes indeed, this looks like a missing close-on-exec flag. Latest libvirt has changed to explicitly close all file descriptors upon exec. So the rebase of libvirt in 5.4 should fix this problem. I'll leave this open until we actually get the rebase done.
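Comments 3 and 4 describe the mechanism: the process that opened /proc/xen/privcmd never marked the descriptor close-on-exec, so every helper it spawned (iptables, brctl, dnsmasq) inherited it and SELinux logged a denial in each helper's domain. The C program below is added here to illustrate that mechanism and the two ways of closing the hole; it is not code from the report or from libvirt. It opens /dev/null as a stand-in for /proc/xen/privcmd, execs /bin/sh (assumed to exist) with a redirection to the inherited descriptor number, and reads sh's exit status to learn whether the descriptor survived exec. Mode 0 reproduces the leak, mode 2 sets FD_CLOEXEC on the descriptor, and mode 1 closes every descriptor from 3 upward in the child before exec, which is an approximation of the "close all file descriptors upon exec" approach comment 4 mentions, not libvirt's actual implementation.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open `path` the way the buggy code path did: no FD_CLOEXEC, so every
 * helper the process later execs inherits the descriptor. */
int open_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Same open, but marked close-on-exec with fcntl(); the kernel drops the
 * descriptor during execve(), so the helper never sees it. */
int open_cloexec(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork, optionally close every descriptor >= 3 in the child, then exec
 * /bin/sh with ": >&N".  The redirection fails (non-zero exit) when N is not
 * open in the exec'd image, so the exit status reveals whether `fd` leaked.
 * Returns 1 if the helper still saw `fd`, 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd, int close_all_first)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    fflush(NULL);                         /* don't duplicate stdio buffers */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);   /* silence sh's EBADF message */
        if (devnull >= 0) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        if (close_all_first) {
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0 || max > 65536)
                max = 65536;              /* capped for the demo */
            for (long i = 3; i < max; i++)
                close((int)i);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code == 127)                      /* exec itself failed */
        return -1;
    return code == 0 ? 1 : 0;
}

/* mode 0: plain open, plain exec       -> 1 (the leak in this report)
 * mode 1: plain open, close-all child  -> 0 (closed in the child before exec)
 * mode 2: FD_CLOEXEC open, plain exec  -> 0 (closed by the kernel at exec) */
int leak_check(const char *path, int mode)
{
    int fd = (mode == 2) ? open_cloexec(path) : open_leaky(path);
    if (fd < 0)
        return -1;
    int r = fd_survives_exec(fd, mode == 1);
    close(fd);
    return r;
}

int main(void)
{
    const char *names[] = { "plain open, plain exec", "plain open, close-all child",
                            "FD_CLOEXEC open, plain exec" };
    for (int m = 0; m < 3; m++)
        printf("%-30s -> %s\n", names[m],
               leak_check("/dev/null", m) == 1 ? "fd LEAKED into helper" : "fd closed");
    return 0;
}
```

The example sets the flag with fcntl(F_SETFD, FD_CLOEXEC) rather than open(O_CLOEXEC) because O_CLOEXEC only arrived in Linux 2.6.23, newer than the 2.6.18 kernel in the report. Where O_CLOEXEC is available it is the better choice: setting the flag after open() leaves a window in a multithreaded program during which another thread's fork+exec can still inherit the descriptor. Closing everything from 3 upward in the child is the belt-and-braces fallback for descriptors opened by code you do not control.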
Comment 6 Daniel Veillard 2009-06-05 14:46:01 EDT
The close on exec fixes were actually included as part of the 0.6.3 rebase,
so the fix should be in the current build.

Daniel
Comment 9 Nan Zhang 2009-07-06 03:09:57 EDT
No AVC denials occur. Verified with libvirt 0.6.3-13.el5 on RHEL-5.4.


[root@dhcp-66-70-66 ~]# getenforce
Enforcing

[root@dhcp-66-70-66 ~]# virsh net-define network.xml
Network virnet1 defined from network.xml

[root@dhcp-66-70-66 ~]# virsh net-start virnet1
Network virnet1 started

[root@dhcp-66-70-66 ~]# virsh net-list --all
Name                 State      Autostart
-----------------------------------------
default              active     yes
virnet1              active     no

[root@dhcp-66-70-66 ~]# virsh net-dumpxml virnet1
<network>
  <name>virnet1</name>
  <uuid>ac46e759-b0ea-9054-318c-b3fd6583b44a</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' forwardDelay='0' />
  <ip address='192.168.132.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.132.2' end='192.168.132.254' />
    </dhcp>
  </ip>
</network>

[root@dhcp-66-70-66 ~]# ifconfig virbr1
virbr1    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.132.1  Bcast:192.168.132.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:468 (468.0 b)
Comment 11 errata-xmlrpc 2009-09-02 05:23:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1269.html
