Bug 752255 - libvirt fails to initialize nwfilter when /tmp is mounted with noexec option
Summary: libvirt fails to initialize nwfilter when /tmp is mounted with noexec option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 752254
Blocks: RHEL62CCC 754182 846801 846802
Reported: 2011-11-08 23:34 UTC by Eric Blake
Modified: 2012-08-08 18:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, libvirt's implementation of nwfilter would attempt to execute a temporary file generated directly in /tmp, which would fail if /tmp is mounted noexec for security reasons. The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, which removed the need for libvirt to modify or use files in /tmp.
Clone Of: 752254
Environment:
Last Closed: 2012-06-20 06:36:23 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHSA-2012:0748 (priority normal, status SHIPPED_LIVE): Low: libvirt security, bug fix, and enhancement update. Last updated 2012-06-19 19:31:38 UTC.

Description Eric Blake 2011-11-08 23:34:17 UTC
Cloning to RHEL 6.  I also have to wonder if the Common Criteria folks might be interested in this one, since they run /tmp with noexec mount option, and the use of nwfilter seems useful to lock down guests; although failure to run nwfilter is not a security hole, per se.

+++ This bug was initially created as a clone of Bug #752254 +++

Description of problem:

When /tmp filesystem is mounted with noexec option:

tmpfs on /tmp type tmpfs (rw,noexec,nosuid,size=512M)

libvirt fails to initialize nwfilter framework and then fails to start any domain using nwfilter rules.

22:22:32.545: 7699: debug : ebiptablesExecCLI:2590 : cmd='/sbin/ebtables -t nat -L'
eval res=\$\("${cmd}"\)
if [ $? -ne 0 ]; then  echo "Failure to execute command '${cmd}'.";  exit 1;fi

22:22:32.545: 7699: debug : virRunWithHook:833 : /tmp/virtduqjigQ
22:22:32.549: 7699: debug : virRunWithHook:851 : Command stderr: 22:22:32.548: 7733: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
22:22:32.548: 7733: error : __virExec:676 : cannot execute binary /tmp/virtduqjigQ: Permission denied
libvir: error : cannot execute binary /tmp/virtduqjigQ: Permission denied

22:22:32.549: 7699: debug : ebiptablesExecCLI:2611 : rc = 0, status = 1

I have seen similar problems over the internet, and it seems these problems were incorrectly classified as iptables/ip6tables/ebtables not being available in PATH.

Version-Release number of selected component (if applicable):
libvirt-0.8.7-18.el6_1.1.x86_64

(but as far as I can tell after looking at 0.9.7 sources the same problem persists in this version too)

How reproducible:

Mount /tmp with noexec option, restart libvirt.
  
Actual results:

1. Nwfilter not being initialized at libvirt's start:

Nov  8 22:20:48 kastor libvirtd: 22:20:48.984: 7523: info : libvirt version: 0.8.7, package: 18.el6_1.1 (Unknown, 2011-09-01-11:22:40, sl6.fnal.gov)
Nov  8 22:20:48 kastor libvirtd: 22:20:48.994: 7523: info : networkReloadIptablesRules:1382 : Reloading iptables rules
Nov  8 22:20:49 kastor libvirtd: 22:20:49.231: 7523: error : ebiptablesDriverInit:3766 : internal error firewall tools were not found or cannot be used

2. Nwfilter not being usable within domain configuration:

[root@kastor ~]# virsh start av
error: Failed to start domain av
error: internal error Could not get access to ACL tech driver 'ebiptables'

[root@kastor ~]#

Additional info:
Since ebiptablesExecCLI() function's only purpose is to run script generated for checking iptables/ip6tables/ebtables capabilities it should be easy to fix this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path' instead of calling it directly.

--- Additional comment from eblake on 2011-11-08 16:32:20 MST ---

(In reply to comment #0)
> Description of problem:
> 
> Additional info:
> Since ebiptablesExecCLI() function's only purpose is to run script generated
> for checking iptables/ip6tables/ebtables capabilities it should be easy to fix
> this function. It should invoke this script with `/bin/sh /tmp/tmp_script_path'
> instead of calling it directly.

Agree - and this should be a fairly easy patch to get approved.
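As an added example (not libvirt's own code), the Python below shows the two halves of the problem described above: a check that flags /tmp as noexec from `mount` output shaped like the line quoted in the report, and a probe script in the same shape as the one libvirt logged, fed to /bin/sh on stdin so that no file in /tmp is written or executed. The `mount` output and the probe commands (`true`, `false`) are constructed samples.

```python
import re
import subprocess

# Constructed sample of `mount` output, modelled on the /tmp line in the report.
MOUNT_OUTPUT = """\
/dev/mapper/vg_root-lv_root on / type ext4 (rw)
tmpfs on /tmp type tmpfs (rw,noexec,nosuid,size=512M)
/dev/sda1 on /boot type ext4 (rw)
"""

MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")


def mount_options(mount_output, mountpoint):
    """Return the option set of the mount at `mountpoint`, or None if nothing is mounted there."""
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line)
        if m and m.group(2) == mountpoint:
            return set(m.group(4).split(","))
    return None


def is_noexec(mount_output, mountpoint="/tmp"):
    """True when the filesystem at `mountpoint` refuses to exec files (libvirt's failure case)."""
    opts = mount_options(mount_output, mountpoint)
    return opts is not None and "noexec" in opts


def capability_script(cmd):
    """Build a probe script in the same shape as the one libvirt logged in the report."""
    return (
        "cmd='" + cmd + "'\n"
        'eval res=\\$\\("${cmd}"\\)\n'
        'if [ $? -ne 0 ]; then echo "Failure to execute command \'${cmd}\'."; exit 1; fi\n'
    )


def run_probe_via_stdin(script):
    """Feed the script to /bin/sh on stdin instead of writing and exec'ing a file in /tmp.
    noexec only blocks exec() of files on that mount; an interpreter reading script text
    is unaffected, and nothing is left behind in a world-writable directory."""
    proc = subprocess.run(["/bin/sh", "-s"], input=script, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    print("/tmp noexec:", is_noexec(MOUNT_OUTPUT))
    print(run_probe_via_stdin(capability_script("true")))
    print(run_probe_via_stdin(capability_script("false")))
```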

Comment 8 Huang Wenlong 2011-11-11 06:53:24 UTC
I reproduce this bug with:
libvirt-0.9.4-22.el6.x86_64
and libvirt-0.8.7-18.el6_1.1.x86_64.rpm

Steps:
1) Create an LV (vg_intelw352081-tmp) or a new partition (sda7), mkfs it and mount it

2) # mount /dev/mapper/vg_intelw352081-tmp /mnt/tmp

3) # cp -ar /tmp /mnt/

4) # umount /mnt/tmp

5) # mount /dev/mapper/vg_intelw352081-tmp /tmp -o noexec,nosuid

6) # service libvirtd restart

7) # tail /var/log/libvirt/libvirtd.log

14:04:33.164: 5537: error : ebiptablesDriverInit:3779 : internal error firewall tools were not found or cannot be used


8) Need to add a nwfilter to test's XML, like this:

    <interface type='bridge'>
      <mac address='52:54:00:61:cd:ed'/>
      <source bridge='breth0'/>
      <filterref filter='clean-traffic'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>


9) # virsh start test
error: Failed to start domain test
error: internal error Could not get access to ACL tech driver 'ebiptables'

Comment 14 xhu 2011-12-22 02:33:53 UTC
Reproduced it with libvirt-0.9.4-22.el6.x86_64.
And verified it with libvirt-0.9.8-1.el6.x86_64, and it passed.

Comment 15 Eric Blake 2012-05-03 19:24:53 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, libvirt's implementation of nwfilter would attempt to execute a temporary file generated directly in /tmp, which would fail if /tmp is mounted noexec for security reasons.  The implementation of nwfilter has been improved to avoid the need for a temporary file altogether, which removed the need for libvirt to modify or use files in /tmp.

Comment 17 errata-xmlrpc 2012-06-20 06:36:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html

