Bug 692145 - permissive MLS: AVC appears when starting libvirtd service
Summary: permissive MLS: AVC appears when starting libvirtd service
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-30 14:32 UTC by Milos Malik
Modified: 2011-03-31 19:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-31 19:49:31 UTC
Target Upstream Version:



Description Milos Malik 2011-03-30 14:32:09 UTC
Description of problem:
found by accident

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-80.el6.noarch
selinux-policy-doc-3.7.19-80.el6.noarch
selinux-policy-3.7.19-80.el6.noarch
selinux-policy-targeted-3.7.19-80.el6.noarch
selinux-policy-minimum-3.7.19-80.el6.noarch

How reproducible:
always

Steps to Reproduce:
(the kernel booted up with enforcing=0, root is logged in via console)
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# runlevel 
S 3
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
# run_init service libvirtd status
Authenticating root.
Password: 
libvirtd is stopped
# run_init service libvirtd start
Authenticating root.
Password: 
Starting libvirtd daemon: [  OK  ]
Bridge firewalling registered
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk>
device virbr0-nic entered promiscuous mode
virbr0: starting userspace STP failed, starting kernel STP
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Ebtables v2.0 registered
ip6_tables: (C) 2000-2006 Netfilter Core Team
lo: Disabled Privacy Extensions
# 

Actual results:
----
time->Wed Mar 30 10:08:23 2011
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 a0=2 a1=bff3b0fc a2=cffff4 a3=3 items=0 ppid=2033 pid=2045 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-30 14:49:11 UTC
When I repeat the same procedure in enforcing mode I see no AVCs.

Comment 2 Daniel Walsh 2011-03-30 19:36:23 UTC
This looks like virtd is leaking an open file descriptor to a fifo_file.  Probably stdin/stdout/stderr.
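The pattern Daniel points at in Comment 2 can be recognised mechanically from the AVC in the description: the source domain (insmod_t) is touching a pipe whose label belongs to a different domain (virtd_t), which only happens when the descriptor was inherited across exec rather than opened by the process. The following triage helper is an added example, not part of this bug report or of selinux-policy; it parses the audit record quoted above and flags that inherited-pipe pattern.

```python
import re

# Audit records taken from the AVC quoted in this bug report
# (the SYSCALL record is shortened to its relevant fields).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1301494103.277:85): arch=40000003 syscall=197 success=yes exit=0 ppid=2033 pid=2045 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1301494103.277:85): avc:  denied  { getattr } for  pid=2045 comm="modprobe" path="pipe:[15441]" dev=pipefs ino=15441 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=fifo_file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avcs(text):
    """Parse every type=AVC record in an audit log excerpt into a dict."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {
            "serial": int(m.group("serial")),
            "decision": m.group("decision"),
            "perms": m.group("perms").split(),
        }
        for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def domain(context):
    """Return the type (third field) of a SELinux security context."""
    return context.split(":")[2]


def detect_fd_leak(rec):
    """Return a description if the record shows a process in one domain
    operating on a pipe labelled with another domain, i.e. a descriptor
    the parent (here virtd_t) left open across exec; otherwise None."""
    if rec.get("tclass") != "fifo_file" or not rec.get("path", "").startswith("pipe:"):
        return None
    src, tgt = domain(rec["scontext"]), domain(rec["tcontext"])
    if src == tgt:
        return None
    return f"{rec.get('comm')} ({src}) inherited pipe {rec['path']} labelled {tgt}: likely fd leak from {tgt}"
```

Run over a full ausearch -m AVC dump, the same check separates inherited-descriptor noise from denials that actually describe the child's own accesses.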

Comment 3 Daniel Walsh 2011-03-31 19:49:31 UTC
I think we only care about enforcing mode.

