Bug 552763 - SELinux default policy does not allow qemu-kvm (TLS) read access to /dev/random
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware/OS: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2010-01-05 22:48 EST by Michael Kearey
Modified: 2012-10-15 10:44 EDT
Doc Type: Bug Fix
Clone Of: 505016
Last Closed: 2010-03-30 03:50:51 EDT
Attachments: None
Description Michael Kearey 2010-01-05 22:48:40 EST
Description of problem:

SELinux is generating AVC error messages when trying to create (final step, after clicking Finish) or start a virtual machine, when TLS is enabled in qemu.conf and a properly configured PKI infrastructure exists.
The AVCs point towards incorrect contexts on /dev/random, which TLS requires access to for entropy in the encryption mechanisms.

Version-Release number of selected component (if applicable):
Not applicable

How reproducible:
100%

Steps to Reproduce:
1. Install a RHEL5 update 4 machine (any method)
2. Ensure SELinux is enabled (enforcing) & contexts are set correctly
3. Install kvm/qemu-kvm/virt-manager packages
4. Configure qemu/libvirt per http://virt-manager.org/page/RemoteTLS & http://libvirt.org/remote.html
5. Create a VM using virt-manager.
  
Actual results:
The VM fails to start
The vm log shows:

Fatal: no entropy gathering module detected 

An AVC message in audit.log:
type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Expected results:

The VM should start cleanly and access to /dev/random should be allowed for entropy to be gathered


Additional info:

We need to set up the SELinux policy to allow qemu access to both random and urandom when it is using TLS for VNC connections. The reason:

qemu-kvm uses gnutls, gnutls depends on libgcrypt. libgcrypt defaults to rndlinux as the random module, i.e. as described in the documentation for gcrypt:

http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html

The way gcrypt works is that it tries rndlinux first. Essentially by design rndlinux needs both /dev/random and /dev/urandom available to work correctly: it guarantees that 16 bytes of entropy are gathered from urandom, the rest gathered from random.

If rndlinux fails to access the rndlinux devices, it tries other devices, and if there are no other random device generators available it will fail with the error message:

Fatal: no entropy gathering module detected

The bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=505016 has in it a fix that could potentially be applied to RHEL 5 policy.
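An added example, not part of the original report or of the selinux-policy package: a small parser that reads the AVC record quoted above out of audit.log, extracts the source and target SELinux types, and collapses the denials into the allow rules that would have to exist for qemu-kvm to read the entropy devices (the same consolidation audit2allow performs). The sample log is constructed for this example; the first line is the denial from the report, and the second, a matching /dev/urandom denial, is an assumption based on the report's statement that rndlinux needs both devices.

```python
import re

# Constructed sample audit.log excerpt (not captured from a real system).
# Line 1 is the AVC quoted in the report; line 2 is an assumed /dev/urandom
# denial; line 3 is a non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1258941984.816:4192): avc:  denied  { read } for  pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1258941984.900:4193): avc:  denied  { read } for  pid=7693 comm="qemu-kvm" name="urandom" dev=tmpfs ino=7645 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1258941984.816:4192): arch=c000003e syscall=2 success=no exit=-13
"""

# Target types of the kernel RNG device nodes in the reference policy.
ENTROPY_DEVICE_TYPES = {"random_device_t", "urandom_device_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    decision, perms, rest = m.groups()
    # Everything after 'for' is key=value pairs; strip quotes from quoted values.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        "decision": decision,
        "perms": perms.split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def entropy_denials(log_text):
    """List (comm, device name, target type) for denied reads of the RNG devices:
    the pattern behind the 'no entropy gathering module detected' failure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["decision"] == "denied"
                and rec["ttype"] in ENTROPY_DEVICE_TYPES and "read" in rec["perms"]):
            hits.append((rec["comm"], rec["name"], rec["ttype"]))
    return hits


def needed_allow_rules(log_text):
    """Merge denials keyed by (source type, target type, class) into allow rules."""
    needed = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        needed.setdefault(key, set()).update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


if __name__ == "__main__":
    for comm, dev, ttype in entropy_denials(SAMPLE_AUDIT_LOG):
        print("%s denied read on /dev/%s (%s)" % (comm, dev, ttype))
    print("\n".join(needed_allow_rules(SAMPLE_AUDIT_LOG)))
```

Run against a real audit.log (for example the output of `ausearch -m avc`), the rule list shows exactly which domain/type pairs the shipped policy is missing; the right fix is the updated selinux-policy package rather than a locally generated module, and a local module should only bridge the gap until the errata package is installed.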
Comment 1 Daniel Walsh 2010-01-06 09:06:52 EST
Miroslav, the qemu and svirt policy both need this access as defined in F12.
Comment 3 Miroslav Grepl 2010-01-28 11:13:29 EST
Fixed in selinux-policy-2.4.6-271.el5
Comment 7 errata-xmlrpc 2010-03-30 03:50:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
