Description of problem:
node=worm.elk type=AVC msg=audit(1250325731.752:31303): avc: denied { getattr } for pid=1530 comm="libvirtd" path="/etc/modprobe.conf" dev=dm-1 ino=79504 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
node=worm.elk type=SYSCALL msg=audit(1250325731.752:31303): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7f642128c760 a2=7f642128c760 a3=2001 items=0 ppid=1 pid=1530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
libvirt-0.7.0-4.fc12.x86_64
selinux-policy-targeted-3.6.26-11.fc12.noarch

How reproducible:
Not sure

Steps to Reproduce:
1. I just started virt-manager and completed the PolicyKit dialog
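The two audit records in the description are the raw material for any SELinux triage, so here is an added example (not code from the bug, libvirt, netcf or setroubleshoot) that parses AVC and SYSCALL records, joins them on the audit serial number, and emits the allow rule a policy module would need. The sample input is the pair of records quoted above; the field names follow the audit format shown there, and the "syscall succeeded despite denial" flag is a heuristic of my own.

```python
import re
from collections import defaultdict

# The two audit records from the bug description above (copied, not constructed).
SAMPLE_AUDIT = """\
node=worm.elk type=AVC msg=audit(1250325731.752:31303): avc: denied { getattr } for pid=1530 comm="libvirtd" path="/etc/modprobe.conf" dev=dm-1 ino=79504 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
node=worm.elk type=SYSCALL msg=audit(1250325731.752:31303): arch=c000003e syscall=5 success=yes exit=0 a0=e a1=7f642128c760 a2=7f642128c760 a3=2001 items=0 ppid=1 pid=1530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec['timestamp'], rec['serial'] = m.group(1), m.group(2)
    m = AVC_RE.search(line)
    if m:
        rec['result'] = m.group(1)
        rec['perms'] = m.group(2).split()
    return rec


def context_type(ctx):
    """A context is user:role:type[:range]; the policy type is the third field."""
    return ctx.split(':')[2]


def correlate(text):
    """Group records by serial so an AVC can be matched to its SYSCALL record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['serial']][rec['type']] = rec
    return events


def denials(text):
    """Summarise every denied AVC together with data from its SYSCALL record."""
    out = []
    for serial, recs in correlate(text).items():
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        out.append({
            'serial': serial,
            'source_type': context_type(avc['scontext']),
            'target_type': context_type(avc['tcontext']),
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'path': avc.get('path'),
            'exe': sc.get('exe'),
            # A denied AVC whose syscall still reports success=yes (as in the
            # report above) usually means the domain or system is permissive.
            'syscall_succeeded': sc.get('success') == 'yes',
        })
    return out


def allow_rule(d):
    """The allow rule, in .te policy syntax, that would silence this denial."""
    return 'allow %s %s:%s { %s };' % (
        d['source_type'], d['target_type'], d['tclass'], ' '.join(d['perms']))


if __name__ == '__main__':
    for d in denials(SAMPLE_AUDIT):
        print('%s (%s) was denied %s on %s:%s %s' % (
            d['source_type'], d['exe'], d['perms'], d['target_type'], d['tclass'], d['path']))
        print(allow_rule(d))
        if d['syscall_succeeded']:
            print('note: syscall succeeded anyway, domain is probably permissive')
```

Feeding it a whole /var/log/audit/audit.log and de-duplicating on (source_type, target_type, tclass, perms) gives the same list audit2allow works from, but with the executable and success flag kept alongside, which is what you want before deciding whether a rule belongs in policy.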
This seems to happen when connecting to libvirtd for the first time after it's been started.
I couldn't reproduce this at first because I had no modprobe.conf.

It turns out this is netcf loading these files using augeas, because netcf's bonding support may require it to add an 'alias bond0 bonding' entry in modprobe.conf or /etc/modprobe.d/netcf.conf

The full list of files that netcf loads via augeas:

/etc/sysconfig/network-scripts/ifcfg-*
/etc/sysconfig/iptables
/etc/modprobe.d/*
/etc/modprobe.conf
/etc/sysconfig/system-config-firewall
/sys/class/net/*/address

It also may run /usr/sbin/lokkit

dwalsh, eparis, mgrepl: can we get F-12/F-11 selinux-policy updated for this?
Ewww, I really don't much like the idea of libvirt modifying modprobe.conf config files. Is there really no way to set up bonding just using the ifcfg-XXXX scripts?

I'm also wondering why it needs to touch iptables files just in order to configure a network interface.
> Ewww, I really don't much like the idea of libvirt modifying modprobe.conf
> config files. Is there really no way to set up bonding just using the ifcfg-XXXX
> scripts

According to bz 202443, bonding setup should work without the alias in modprobe.conf, though when I tried that, it didn't work, and notting recommended using the alias. I'll look into it again.

> I'm also wondering why it needs to touch iptables files just in order to
> configure a network interface.

To very gingerly add the rule '-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT' into either /etc/sysconfig/iptables or s-c-firewall, depending on what seems to be used.
FYI, that iptables rule would only be required if net.bridge.bridge-nf-call-iptables=1. Latest recommendation from Herbert is to never set this to 1, because that is a potential security problem if certain other iptables features are used in connection with virtual machines. As of F12, Fedora is thus defaulting to 0 for this sysctl, and so the iptables rules shouldn't be necessary AFAICT.
(In reply to comment #4)
> > Ewww, I really don't much like the idea of libvirt modifying modprobe.conf
> > config files. Is there really no way to set up bonding just using the ifcfg-XXXX
> > scripts
>
> According to bz 202443, bonding setup should work without the alias in
> modprobe.conf, though when I tried that, it didn't work, and notting
> recommended using the alias. I'll look into it again.

Obviously, if you can't get it to work soon, we need to get the policy changed to allow libvirtd to modify modprobe.conf
I posted patches to keep netcf from loading /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall when net.bridge.bridge-nf-call-iptables=0 (it still modifies iptables when that is 1, under the assumption that there was an important reason to pass bridge packets through iptables).

There does not seem to be a solution to the modprobe issue. network-functions needs the alias in the modprobe config to know that it has to load the bonding driver for bond0. We therefore need the policy changed so that netcf/libvirt can modify modprobe config.
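Comments 4 and 7 describe the two conditions under which the FORWARD rule should be written at all: only when net.bridge.bridge-nf-call-iptables is 1, and only if the rule is not already present. The following is an added example of that gated, idempotent edit written against the iptables-save format that /etc/sysconfig/iptables uses; it is not netcf's code, the sample firewall file is constructed, and the rule is stored in -A form at the head of the FORWARD chain since that is what -I produces at restore time.

```python
import os

SYSCTL_PATH = '/proc/sys/net/bridge/bridge-nf-call-iptables'

# The rule from comment 4, as typed on the iptables command line (-I) and as
# it appears in iptables-save output (-A, placed first in the chain).
BRIDGE_RULE = '-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
BRIDGE_RULE_SAVED = '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'

# Constructed sample of /etc/sysconfig/iptables (iptables-save format).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def read_bridge_nf_sysctl(path=SYSCTL_PATH):
    """Value of the sysctl as a string, or None when the file is absent
    (bridge netfilter not loaded, so bridged frames never reach iptables)."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def bridge_rule_needed(sysctl_value):
    """Only when bridged traffic is handed to iptables can FORWARD drop it."""
    return sysctl_value is not None and str(sysctl_value).strip() == '1'


def _normalise(line):
    """Collapse whitespace and treat -I and -A as the same rule for matching."""
    norm = ' '.join(line.split())
    if norm.startswith('-I '):
        norm = '-A ' + norm[3:]
    return norm


def has_bridge_rule(text):
    wanted = _normalise(BRIDGE_RULE_SAVED)
    return any(_normalise(line) == wanted for line in text.splitlines())


def add_bridge_rule(text, sysctl_value):
    """Return (new_text, changed). The text is untouched unless the sysctl is 1
    and the rule is missing; the rule goes in front of the first FORWARD rule
    of the filter table (or before its COMMIT if the chain is empty)."""
    if not bridge_rule_needed(sysctl_value) or has_bridge_rule(text):
        return text, False
    out, in_filter, inserted = [], False, False
    for line in text.splitlines():
        if line.startswith('*'):
            in_filter = line.strip() == '*filter'
        if in_filter and not inserted and (
                line.startswith('-A FORWARD') or line.strip() == 'COMMIT'):
            out.append(BRIDGE_RULE_SAVED)
            inserted = True
        out.append(line)
    if not inserted:
        # No filter table at all: add one containing only this rule.
        out += ['*filter', BRIDGE_RULE_SAVED, 'COMMIT']
    return '\n'.join(out) + '\n', True


if __name__ == '__main__':
    # With the F12 default of 0 this is a no-op; pass '1' to see the edit.
    new_text, changed = add_bridge_rule(SAMPLE_IPTABLES, read_bridge_nf_sysctl())
    print('changed' if changed else 'unchanged')
    print(new_text, end='')
```

Writing the result back should go through a temp file plus rename rather than an in-place overwrite, and under the policy being discussed that write is exactly the access netcf would need on /etc/sysconfig/iptables; keeping it behind the sysctl check means the common F12 case never exercises it.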
dwalsh: just to be clear, we need the policy changed so that ncftool and libvirt can read/write the files /etc/modprobe.conf and /etc/modprobe.d/*

For /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall, we only need read/write access in exceptional situations (net.bridge.bridge-nf-call-iptables=1). Should that become a boolean?

Do you want me to file a separate BZ for that?
(In reply to comment #8)
> For /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall, we only
> need read/write access in exceptional situations
> (net.bridge.bridge-nf-call-iptables=1) Should that become a boolean ?
>
> Do you want me to file a separate BZ for that ?

Yeah, please file a separate bug for the iptables stuff
Giving libvirt this access is fine. I just do not want to give any qemu these privs. My view of the world is the bad guy is the qemu process. libvirt is pretty much a very privileged process.
Handling the editing of /etc/sysconfig/iptables and /etc/sysconfig/system-config-firewall is going to be a pain in the butt. I wish these things were in their own directory.
See bug #523766 - I think we have everything covered now with selinux-policy-3.6.32-1.fc12