Bug 552763 - SELinux default policy does not allow qemu-kvm (TLS) read access to /dev/random
Summary: SELinux default policy does not allow qemu-kvm (TLS) read access to /dev/random
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-01-06 03:48 UTC by Michael Kearey
Modified: 2018-10-27 15:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 505016
Environment:
Last Closed: 2010-03-30 07:50:51 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Michael Kearey 2010-01-06 03:48:40 UTC
Description of problem:

SELinux is generating AVC error messages when trying to create (final step, after clicking Finish) or start a virtual machine, when TLS is enabled in qemu.conf and a properly configured PKI infrastructure exists.
The AVCs point towards incorrect contexts on /dev/random, which TLS requires access to for entropy in the encryption mechanisms.

Version-Release number of selected component (if applicable):
Not applicable

How reproducible:
100%

Steps to Reproduce:
1. Install a RHEL5 update 4 machine (any method)
2. Ensure SELinux is enabled (enforcing) & contexts are set correctly
3. Install kvm/qemu-kvm/virt-manager packages
4. Configure qemu/libvirt per http://virt-manager.org/page/RemoteTLS & http://libvirt.org/remote.html
5. Create a VM using virt-manager.
  
Actual results:
The VM fails to start
The vm log shows:

Fatal: no entropy gathering module detected 

An AVC message in audit.log:
type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Expected results:

The VM should start cleanly and access to /dev/random should be allowed for entropy to be gathered


Additional info:

We need to set up the SElinux policy to allow qemu access to both random and urandom when it is using TLS for VNC connections. The reason:

qemu-kvm uses gnutls, and gnutls depends on libgcrypt. libgcrypt defaults to rndlinux as the random module, i.e. as described in the documentation for gcrypt:

http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html

The way gcrypt works is that it tries rndlinux first. Essentially, by design rndlinux needs both /dev/random and /dev/urandom available to work correctly: it guarantees that 16 bytes of entropy are gathered from urandom, with the rest gathered from random.

If rndlinux fails to access the rndlinux devices, it tries other devices, and if there are no other random device generators available it will fail with the error message:

Fatal: no entropy gathering module detected

The bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=505016 has in it a fix that could potentially be applied to RHEL 5 policy.
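
Added here as an illustration, not part of the bug report or of the shipped selinux-policy fix: a small Python parser that turns AVC records like the one quoted above into the type-enforcement allow rules a local policy module would need (the same translation audit2allow performs), merging permissions per source/target/class. The second audit line, for /dev/urandom, is constructed to cover the second device rndlinux needs; the refpolicy interface hints (dev_read_rand, dev_read_urand) are added for reference.

```python
import re
from collections import defaultdict

# Constructed input: the AVC record quoted in the bug, a constructed record for
# /dev/urandom (rndlinux needs both devices) and a SYSCALL record to be skipped.
AUDIT_LINES = [
    'type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  '
    'pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 '
    'scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1258941984.817:4193): avc:  denied  { read open } for  '
    'pid=7693 comm="qemu-kvm" name="urandom" dev=tmpfs ino=7645 '
    'scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1258941984.816:4192): syscall=2 success=no exit=-13',
]

# Reference-policy interfaces (devices.if) that grant the same access.
INTERFACE_HINTS = {('random_device_t', 'chr_file'): 'dev_read_rand',
                   ('urandom_device_t', 'chr_file'): 'dev_read_urand'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:range]; the type is the third component.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        return stype, ttype, fields['tclass'], set(m.group('perms').split())
    except (KeyError, IndexError):
        return None

def allow_rules(lines):
    """Merge denials per (source, target, class) and emit TE allow rules with interface hints."""
    merged = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        hint = INTERFACE_HINTS.get((ttype, tclass))
        rules.append(rule + (f"  # or: {hint}({stype})" if hint else ''))
    return rules
```

Feeding the rules into a local module (audit2allow -M style) is the quick workaround; the proper fix is the policy update the errata below ships.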

Comment 1 Daniel Walsh 2010-01-06 14:06:52 UTC
Miroslav, the qemu and svirt policy both need this access as defined in F12.

Comment 3 Miroslav Grepl 2010-01-28 16:13:29 UTC
Fixed in selinux-policy-2.4.6-271.el5

Comment 7 errata-xmlrpc 2010-03-30 07:50:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

