
Bug 704274

Summary: Virtual machine environments transition to qemu_t
Product: Red Hat Enterprise Linux 6
Reporter: Ramon de Carvalho Valle <rcvalle>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: urgent
Version: 6.3
CC: dwalsh, iboverma, jwest, mgrepl, sforsber
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-07-20 09:19:42 UTC

Description Ramon de Carvalho Valle 2011-05-12 16:26:07 UTC
Description of problem:
I've just noticed that there is no rule explicitly defined for the virtd_t transition to svirt_t (there is one for virt_domain), only for qemu_t. Note that the libvirt daemon executes with the virtd_t type, and qemu-kvm has the qemu_exec_t type, which has an automatic transition rule to qemu_t defined.

[root/sysadm_r/SystemLow@ntc242 ~]# sesearch -s virtd_t -c process -p transition --allow
Found 13 semantic av rules:
   allow virtd_t iptables_t : process transition ;
   allow virtd_t ifconfig_t : process transition ;
   allow virtd_t initrc_t : process { transition sigchld } ;
   allow virtd_t lvm_t : process transition ;
   allow virtd_t qemu_t : process { transition sigkill signal setsched } ;
   allow virtd_t dnsmasq_t : process { transition sigkill signull signal } ;
   allow virtd_t virt_domain : process { transition sigkill signull signal getsched setsched getattr } ;
   allow domain lspp_harness_t : process transition ;
   allow virtd_t brctl_t : process transition ;
   allow virtd_t udev_t : process transition ;
   allow virtd_t dmidecode_t : process transition ;
   allow virtd_t policykit_resolve_t : process transition ;
   allow virtd_t policykit_auth_t : process transition ;

[root/sysadm_r/SystemLow@ntc242 ~]#

Currently, no matter which role or type starts a virtual machine environment, the new process transitions to qemu_t.

Comment 3 Miroslav Grepl 2011-05-16 14:19:15 UTC
This is a problem with dynamic labeling. You should use static labels on MLS.

Comment 4 Ramon de Carvalho Valle 2011-05-16 14:30:27 UTC
This also happens in Targeted policy.

Comment 6 Miroslav Grepl 2011-05-17 10:50:34 UTC
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# rpm -qa \*selinux-policy\*
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
selinux-policy-doc-3.7.19-79.el6.noarch


# ps -eZ |grep libvirt
system_u:system_r:virtd_t:s0-s0:c0.c1023 1831 ? 00:00:00 libvirtd

# ls -Z /var/lib/libvirt/images/Fedora14.img 
-rw-------. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/Fedora14.img

# virsh start Fedora15
# ps -eZ |grep svirt
system_u:system_r:svirt_t:s0:c523,c614 3070 ?  00:00:14 qemu-kvm

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614 /var/lib/libvirt/images/Fedora14.img


# virsh list
 Id Name                 State
----------------------------------
  3 Fedora15             running

# cat /etc/selinux/targeted/contexts/virtual_domain_context 
system_u:system_r:svirt_t:s0

Comment 7 Miroslav Grepl 2011-05-17 12:17:53 UTC
MLS with static labeling:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls

# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023

# ps -eZ |grep virt
system_u:system_r:virtd_t:s0-s15:c0.c1023 1788 ? 00:00:00 libvirtd

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614 /var/lib/libvirt/images/Fedora14.img

# grep -C 1 seclabel /etc/libvirt/qemu/Fedora15.xml 
  </devices>
  <seclabel type='static' model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c523,c614</label>
  </seclabel>
</domain>

# ps -eZ |grep qemu
system_u:system_r:svirt_t:s0:c523,c614 2649 ?  00:08:08 qemu-kvm

Comment 8 Ramon de Carvalho Valle 2011-05-17 12:40:33 UTC
Please see the question marks.

[root/sysadm_r/SystemLow@ntc242 ~]# id -Z
staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow@ntc242 ~]# rpm -qa \*selinux-policy\* (?)
bash: /bin/rpm: Permission denied
[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 0 
[root/sysadm_r/SystemLow@ntc242 ~]# rpm -qa \*selinux-policy\*
selinux-policy-targeted-3.7.19-92.el6.noarch
selinux-policy-3.7.19-92.el6.noarch
selinux-policy-mls-3.7.19-92.el6.noarch
[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 1
[root/sysadm_r/SystemLow@ntc242 ~]# ps -C libvirtd -o label=
system_u:system_r:virtd_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow@ntc242 ~]# stat -c %C /var/lib/libvirt/images/KVM-Guest-1.img 
system_u:object_r:virt_image_t:SystemLow
[root/sysadm_r/SystemLow@ntc242 ~]# virsh start KVM-Guest-1
error: Failed to start domain KVM-Guest-1
error: unable to set security context 'system_u:object_r:virt_image_t:s0:c83,c228' on '/var/lib/libvirt/images/KVM-Guest-1.img': Operation not permitted

[root/sysadm_r/SystemLow@ntc242 ~]# setenforce 0
[root/sysadm_r/SystemLow@ntc242 ~]# virsh start KVM-Guest-1
Domain KVM-Guest-1 started

[root/sysadm_r/SystemLow@ntc242 ~]# ps -C qemu-kvm -o label=
system_u:system_r:qemu_t:s0:c650,c1000 (?)
[root/sysadm_r/SystemLow@ntc242 ~]# 

[...]

[root/secadm_r/SystemLow@ntc242 kvm]# grep denied /var/log/audit/audit.log 

[...]

type=AVC msg=audit(1305614959.613:8407): avc:  denied  { relabelfrom } for  pid=13586 comm="libvirtd" name="KVM-Guest-1.img" dev=dm-0 ino=136407 scontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1305614959.613:8407): security_validate_transition:  denied for oldcontext=system_u:object_r:default_t:s0 newcontext=system_u:object_r:virt_image_t:s0:c650,c1000 taskcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=file
type=AVC msg=audit(1305614959.736:8411): avc:  denied  { write } for  pid=13711 comm="qemu-kvm" path="/dev/vhost-net" dev=devtmpfs ino=10791 scontext=system_u:system_r:qemu_t:s0:c650,c1000 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file
[root/secadm_r/SystemLow@ntc242 kvm]#
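A small check for the condition discussed in this comment, added here as an example (it is not code from the bug, libvirt or selinux-policy): it parses process labels and audit records of the shape quoted above, using constructed copies of those lines, and flags any qemu-kvm process that did not land in svirt_t with MCS categories. The sample strings, constants and function names are assumptions of this example.

```python
import re

# Constructed sample input, modelled on the "ps -C qemu-kvm -o label=" and audit.log lines in the bug.
SAMPLE_PS_LABELS = """\
system_u:system_r:virtd_t:s0-s15:c0.c1023 libvirtd
system_u:system_r:qemu_t:s0:c650,c1000 qemu-kvm
system_u:system_r:svirt_t:s0:c523,c614 qemu-kvm
"""
SAMPLE_AUDIT = """\
type=AVC msg=audit(1305614959.613:8407): avc:  denied  { relabelfrom } for  pid=13586 comm="libvirtd" name="KVM-Guest-1.img" dev=dm-0 ino=136407 scontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SELINUX_ERR msg=audit(1305614959.613:8407): security_validate_transition:  denied for oldcontext=system_u:object_r:default_t:s0 newcontext=system_u:object_r:virt_image_t:s0:c650,c1000 taskcontext=system_u:system_r:virtd_t:s0-s15:c0.c1023 tclass=file
type=AVC msg=audit(1305614959.736:8411): avc:  denied  { write } for  pid=13711 comm="qemu-kvm" path="/dev/vhost-net" dev=devtmpfs ino=10791 scontext=system_u:system_r:qemu_t:s0:c650,c1000 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file
"""

GUEST_COMM = "qemu-kvm"
EXPECTED_GUEST_TYPE = "svirt_t"  # the sVirt confined guest domain

def parse_context(ctx):
    """Split user:role:type:level; the level itself may contain ':' (s0:c1,c2)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def check_guest_labels(ps_text):
    """Return (context, type, ok) per guest process; ok requires svirt_t plus MCS categories."""
    findings = []
    for line in ps_text.splitlines():
        ctx, comm = line.split()
        if comm != GUEST_COMM:
            continue
        c = parse_context(ctx)
        has_categories = re.search(r":c\d", c["level"]) is not None
        findings.append((ctx, c["type"], c["type"] == EXPECTED_GUEST_TYPE and has_categories))
    return findings

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]*)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(audit_text):
    """Extract denied permissions and source/target types from AVC records only."""
    out = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SELINUX_ERR and other record types are not AVC denials
        out.append({"perms": m.group("perms").split(), "comm": m.group("comm"),
                    "stype": parse_context(m.group("scontext"))["type"],
                    "ttype": parse_context(m.group("tcontext"))["type"],
                    "tclass": m.group("tclass")})
    return out
```

On a live host the two inputs would come from `ps -C qemu-kvm -o label=,comm=` and `/var/log/audit/audit.log`; a qemu-kvm entry flagged as not ok is the symptom this bug describes.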

Comment 9 Miroslav Grepl 2011-05-19 16:20:40 UTC
You still use dynamic labeling on MLS. 

Could you try to set up the label on your image using "chcon"? For example, the label which I have on my image:

# ls -lZ /var/lib/libvirt/images/Fedora14.img 
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c523,c614 /var/lib/libvirt/images/Fedora14.img

and add this section to the XML:

# grep -C 1 seclabel /etc/libvirt/qemu/Fedora15.xml 
  </devices>
  <seclabel type='static' model='selinux'>
    <label>system_u:system_r:svirt_t:s0:c523,c614</label>
  </seclabel>
</domain>

Comment 10 Ramon de Carvalho Valle 2011-05-19 16:35:45 UTC
Yes. It will work because with static labelling you are explicitly setting the domain to svirt_t in the XML file. However, by default, it is transitioning to qemu_t; it is not due to the fact that I am using dynamic labelling, it is an MLS policy problem.

Comment 11 Miroslav Grepl 2011-07-20 09:19:42 UTC
I am closing this bug per mailing list communication.