two parts: 1)SELinux is preventing /usr/sbin/tunctl "relabelfrom" access Summary: this happens with new kernel (2.6.32.3) when booting qemu-kvm virtual machine using bridged network SELinux is preventing /usr/sbin/tunctl "relabelfrom" access. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by tunctl. It is not expected that this access is required by tunctl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0: c0.c1023 Target Context unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0: c0.c1023 Target Objects None [ tun_socket ] Source tunctl Source Path /usr/sbin/tunctl Port <Unknown> Host (removed) Source RPM Packages tunctl-1.5-4.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.32.3-17.fc12.x86_64 #1 SMP Tue Jan 12 04:18:27 UTC 2010 x86_64 x86_64 Alert Count 4 First Seen Wed 13 Jan 2010 09:19:07 AM CET Last Seen Wed 13 Jan 2010 03:30:54 PM CET Local ID 1c180452-be92-43b4-8d12-2b3ff3db62f8 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1263393054.857:31579): avc: denied { relabelfrom } for pid=2943 comm="tunctl" scontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tclass=tun_socket node=(removed) type=AVC msg=audit(1263393054.857:31579): avc: denied { relabelto } for pid=2943 comm="tunctl" scontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tclass=tun_socket node=(removed) type=SYSCALL msg=audit(1263393054.857:31579): arch=c000003e syscall=16 success=no exit=-16 a0=3 a1=400454ca a2=7fffb7ba65d0 a3=3 items=0 ppid=2939 pid=2943 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="tunctl" exe="/usr/sbin/tunctl" subj=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 key=(null) ---------------------------------- 2) SELinux is preventing /usr/bin/qemu-kvm "create" access. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by qemu-kvm. It is not expected that this access is required by qemu-kvm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0: c0.c1023 Target Context unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0: c0.c1023 Target Objects None [ tun_socket ] Source qemu-kvm Source Path /usr/bin/qemu-kvm Port <Unknown> Host (removed) Source RPM Packages qemu-system-x86-0.11.0-12.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-69.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.32.3-17.fc12.x86_64 #1 SMP Tue Jan 12 04:18:27 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Wed 13 Jan 2010 09:19:07 AM CET Last Seen Wed 13 Jan 2010 03:30:54 PM CET Local ID 18558d54-3a13-4b9e-b2a1-10efd2c1f894 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1263393054.775:31574): avc: denied { create } for pid=2938 comm="qemu-kvm" scontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 tclass=tun_socket node=(removed) type=SYSCALL msg=audit(1263393054.775:31574): arch=c000003e syscall=16 success=yes exit=0 a0=7 a1=400454ca a2=7fffc75d8f30 a3=7fffc75d7ec0 items=0 ppid=2934 pid=2938 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts11 ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_unconfined_t:s0-s0:c0.c1023 key=(null) ------------------------------ this does not happen with old kernel ---------------------- qemu-ifup script: #!/bin/sh set -x switch=br0 if [ -n "$1" ];then /usr/bin/sudo /usr/sbin/tunctl -u root -t $1 /usr/bin/sudo /sbin/ip link set $1 up sleep 0.5s /usr/bin/sudo /usr/sbin/brctl addif $switch $1 exit 0 else echo "Error: no interface specified" exit 1 fi
Miroslav Another bug reported the same problem. Unconfined domains need to be able to deal with tun_socket allow $1 self:socket_class_set create_socket_perms;
This change was added to -69 release. But we also need to add 'tun_socket' to socket_class_set.
Shoot I missed that, good catch.
Fixed in selinux-policy-3.6.32-71.fc12
selinux-policy-3.6.32-73.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-73.fc12
selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0858
selinux-policy-3.6.32-73.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.