Bug 496867 - SELinux issue causing libvirtd launched dnsmasq to fail
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Target Milestone: alpha
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-04-21 10:04 EDT by Alan Pevec
Modified: 2012-10-15 10:01 EDT
Doc Type: Bug Fix
Clone Of: 484199
Last Closed: 2009-09-02 03:58:41 EDT

Description Alan Pevec 2009-04-21 10:04:39 EDT
libvirt is rebased in RHEL5.4, so this fix is needed in the RHEL5 selinux-policy.

+++ This bug was initially created as a clone of Bug #484199 +++

This is rawhide with:

  libvirt-0.6.0-1.fc11.x86_64
  selinux-policy-3.6.3-12.fc11.noarch

default network isn't running after boot, trying to manually start it:

# virsh net-start default
libvir: error : internal error '/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file=  --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254' exited with non-zero status 3 and signal 0: 
dnsmasq: failed to open pidfile /var/run/libvirt/network/default.pid: Permission denied
error: Failed to start network default

AVC denied:

type=AVC msg=audit(1233834788.296:56): avc:  denied  { search } for  pid=4016 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

Trying again in permissive mode, it starts but with these additional AVCs:

type=AVC msg=audit(1233835237.160:58): avc:  denied  { search } for  pid=4060 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write } for  pid=4060 comm="dnsmasq" name="network" dev=dm-0 ino=1927185 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { add_name } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { create } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write open } for  pid=4060 comm="dnsmasq" name="default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.197:59): avc:  denied  { getattr } for  pid=4060 comm="dnsmasq" path="/var/run/libvirt/network/default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file

--- Additional comment from markmc@redhat.com on 2009-02-05 07:35:41 EDT ---

Just tried 0.6.0 from update-testing on F10 and confirmed it has the same issue

--- Additional comment from berrange@redhat.com on 2009-02-05 07:44:12 EDT ---

This is probably caused by the change in the way we launch DNSMASQ in libvirt 0.6.0

We now let it daemonize itself, and write out a PIDfile.

Specifically

  --pidfile /var/run/libvirt/network/$NAME.pid

So we likely need to add /var/run/libvirt/network to the SELinux policy so that DNSMASQ is able to write to it.

--- Additional comment from markmc@redhat.com on 2009-02-06 03:25:15 EDT ---

*** Bug 484292 has been marked as a duplicate of this bug. ***

--- Additional comment from berrange@redhat.com on 2009-02-06 05:36:39 EDT ---

Changing to the SELinux policy component, since I reckon we just need to add the dir I mention in comment #2.

--- Additional comment from markmc@redhat.com on 2009-02-06 05:52:48 EDT ---

dwalsh: note, this is filed against rawhide but exists in F9 and F10 updates-testing too

--- Additional comment from dwalsh@redhat.com on 2009-02-06 11:38:22 EDT ---

Miroslav, Just add 

virt_manage_pid_files(dnsmasq_t) for F9 and F10.

Can you add /var/run/libvirt/network to the libvirt spec file? Then we can label it so that only dnsmasq can write to it.

--- Additional comment from dwalsh@redhat.com on 2009-02-06 11:40:09 EDT ---

I can then add /var/run/libvirt/network(/.*)? 	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)

--- Additional comment from berrange@redhat.com on 2009-02-06 14:16:02 EDT ---

One step ahead of you about having the directory in the libvirt RPM! We have added it to the 0.6.0-1 RPM in Fedora:

# rpm -qf /var/run/libvirt/network/
libvirt-0.6.0-1.fc10.x86_64

--- Additional comment from markmc@redhat.com on 2009-02-13 13:17:22 EDT ---

Also fixed by selinux-policy-3.5.13-45.fc10, right?

--- Additional comment from mgrepl@redhat.com on 2009-02-16 04:29:25 EDT ---

Yes, it is.
Comment 1 Daniel Walsh 2009-04-21 10:34:43 EDT
Fixed in selinux-policy-2.4.6-226.el5
Comment 2 Alan Pevec 2009-04-21 10:47:03 EDT
> Can you add /var/run/libvirt/network to the libvirt spec file

# rpm -q libvirt
libvirt-0.6.2-1.el5.x86_64
# rpm -qf /var/run/libvirt/network/
file /var/run/libvirt/network is not owned by any package

This is in Fedora but not in RHEL5 spec:
%dir %{_localstatedir}/run/libvirt/network/
Comment 4 Daniel Veillard 2009-04-22 05:45:15 EDT
w.r.t. #2 I will add this when I push libvirt 0.6.3 on Friday,
thanks for the heads-up!

Daniel
Comment 7 Daniel Veillard 2009-04-24 13:20:48 EDT
libvirt-0.6.3-1.el5 has been built into dist-5E-qu-candidate
and should fix the issue:

shell:/mnt/redhat/brewroot/packages/libvirt/0.6.3/1.el5 -> rpm -qlp ./x86_64/libvirt-0.6.3-1.el5.x86_64.rpm | grep run/libvirt/network
/var/run/libvirt/network
shell:/mnt/redhat/brewroot/packages/libvirt/0.6.3/1.el5 -> 

Daniel
Comment 8 Alexander Todorov 2009-05-08 08:51:03 EDT
Hi,
with selinux-policy-2.4.6-229.el5

# rpm -qf /var/run/libvirt/network/
libvirt-0.6.3-2.el5

I still see this issue:

avc:  denied  { search } for  pid=20643 comm="dnsmasq" name="libvirt" dev=dm-0 ino=21856268 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1241787018.083:43): arch=40000003 syscall=5 success=no exit=-13 a0=94438a8 a1=8241 a2=1b6 a3=9448878 items=0 ppid=20642 pid=20643 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)


I'm running virt-manager in GUI mode.
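Added here as an illustration (not code from this bug, libvirt or selinux-policy): a small parser that groups the AVC records quoted in the description and in comment 8 the way audit2allow would, so the seven denials collapse to two dnsmasq_t on virt_var_run_t rules. The sample audit text is constructed from the lines above; the SYSCALL record is included to show it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug (description and comment 8), including
# the prefix-less line pasted in comment 8 and a SYSCALL record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1233835237.160:58): avc:  denied  { search } for  pid=4060 comm="dnsmasq" name="libvirt" dev=dm-0 ino=1810670 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write } for  pid=4060 comm="dnsmasq" name="network" dev=dm-0 ino=1927185 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { add_name } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=AVC msg=audit(1233835237.160:58): avc:  denied  { create } for  pid=4060 comm="dnsmasq" name="default.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.160:58): avc:  denied  { write open } for  pid=4060 comm="dnsmasq" name="default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
type=AVC msg=audit(1233835237.197:59): avc:  denied  { getattr } for  pid=4060 comm="dnsmasq" path="/var/run/libvirt/network/default.pid" dev=dm-0 ino=548891 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file
avc:  denied  { search } for  pid=20643 comm="dnsmasq" name="libvirt" dev=dm-0 ino=21856268 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1241787018.083:43): arch=40000003 syscall=5 success=no exit=-13 comm="dnsmasq" exe="/usr/sbin/dnsmasq"
"""

# One AVC denial: permission set in braces, then source/target contexts and object class.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Parse one audit line; return a record for AVC denials, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of user:role:type[:range]; this also works for MLS ranges.
    return {'perms': set(m.group('perms').split()),
            'stype': m.group('scontext').split(':')[2],
            'ttype': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass')}

def summarize_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return {key: sorted(perms) for key, perms in sorted(summary.items())}

def allow_rules(summary):
    """Render the allow rules that would silence each group, in audit2allow's output form."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in summary.items()]

if __name__ == '__main__':
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

The generated allow rules are the blunt fix; the narrower one taken in this thread is to give /var/run/libvirt/network its own label (dnsmasq_var_run_t) so dnsmasq_t never needs write access to virt_var_run_t as a whole.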
Comment 9 Daniel Walsh 2009-05-08 09:20:56 EDT
Fixed in selinux-policy-2.4.6-232.el5
Comment 14 errata-xmlrpc 2009-09-02 03:58:41 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
