Bug 843543 - starting libvirt default network causes avc: denied { write } comm="dnsmasq" scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_var_run_t:s0 tclass=dir
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Virtualization Bugs
Reported: 2012-07-26 11:00 EDT by Paolo Bonzini
Modified: 2013-02-21 03:26 EST
Fixed In Version: selinux-policy-3.7.19-190.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:26:14 EST
Type: Bug


Description Paolo Bonzini 2012-07-26 11:00:29 EDT
Description of problem:
libvirt starts dnsmasq with --pid-file=/var/run/libvirt/network/default.pid but dnsmasq cannot write to virt_var_run_t

# ls -Z /var/run/libvirt/network/
-rw-r--r--. root root unconfined_u:object_r:virt_var_run_t:s0 default.pid
-rw-r--r--. root root unconfined_u:object_r:virt_var_run_t:s0 nwfilter.leases

Version-Release number of selected component (if applicable):
0.9.13-3.el6

How reproducible:
100%

Steps to Reproduce:
  yum install libvirt
  service libvirtd start
  virsh net-start default
  
Actual results:
Starting default network fails.

Expected results:
Starting default network works.

Additional info:
This error is also logged, will file a separate bug:

type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid:  invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
Comment 2 Miroslav Grepl 2012-07-26 13:58:54 EDT
We have two issues. Could you try to execute

# restorecon -R -v /var/run/libvirt/network/
# echo "type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid:  invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process" | audit2allow -M mypol
# semodule -i mypol.pp


The problem is we have virtd_t running as unconfined_r which does a transition to iptables_t.
Comment 3 Paolo Bonzini 2012-07-27 03:52:55 EDT
Restoring the contexts worked.  I'm a bit puzzled as to why a normal installation of libvirt created wrong contexts, which is why I reported a separate bug for the transitions (bug 843544).

Regarding the transitions, I also see these in permissive mode:

type=SELINUX_ERR msg=audit(1343312811.896:525): security_compute_sid:  invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid:  invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process

In enforcing mode, dnsmasq is not launched because of the iptables problem.  After doing the steps in comment 2, a "strace -ff -e execve libvirtd -v" indeed shows dnsmasq still failing to start:

[pid 28089] execve("/usr/sbin/dnsmasq", ["/usr/sbin/dnsmasq", "--strict-order", "--bind-interfaces", "--pid-file=/var/run/libvirt/netw"..., "--conf-file=", "--except-interface", "lo", "--listen-address", "192.168.122.1", "--dhcp-range", "192.168.122.2,192.168.122.254", "--dhcp-leasefile=/var/lib/libvir"..., "--dhcp-lease-max=253", "--dhcp-no-override"], [/* 34 vars */]) = -1 EACCES (Permission denied)
execve("/usr/sbin/dmidecode", ["/usr/sbin/dmidecode", "-q", "-t", "0,1,4,17"], [/* 34 vars */]) = -1 EACCES (Permission denied)

So we need all of these:

module mypol 1.0;

require {
	type dmidecode_t;
	type iptables_t;
	type dnsmasq_t;
	role unconfined_r;
}

#============= ROLES ==============
role unconfined_r types dmidecode_t;
role unconfined_r types iptables_t;
role unconfined_r types dnsmasq_t;
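As an added triage helper (not code from this bug, libvirt or selinux-policy): it parses the two kinds of audit records quoted in comments 2, 3 and 10 and keeps them apart, since they need different fixes. A SELINUX_ERR invalid-context record means the caller's role (unconfined_r) was carried into a domain policy never declared it for, which comment 3 answers with `role unconfined_r types ...;` declarations and comments 4 and 5 answer by dropping the transition; a plain AVC denial on the virt_var_run_t directory is, per comments 2 and 13, first checked as a labeling problem with restorecon before any allow rule is written. The audit lines are copied from this bug; the module rendering follows the mypol layout in comment 3.

```python
import re

# Audit records taken from this bug's comments (two SELINUX_ERR invalid-context
# records from comment 3 and the AVC dir-write denial from comment 10).
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1343312811.896:525): security_compute_sid:  invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid:  invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process
type=AVC msg=audit(1351534617.890:66): avc:  denied  { write } for  pid=7367 comm="dnsmasq" name="network" dev=dm-0 ino=1443806 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
"""
INVALID_RE = re.compile(r"type=SELINUX_ERR\b.*?invalid context (\S+) for scontext=(\S+) tcontext=(\S+) tclass=(\w+)")
AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{ ([^}]+) \} for .*?comm="([^"]*)".*?scontext=(\S+) tcontext=(\S+) tclass=(\w+)')

def split_ctx(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, typ, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "range": mls}

def analyze(audit_text):
    """Classify each record as a role/transition problem or an ordinary AVC denial."""
    findings = []
    for line in audit_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            bad, src = split_ctx(m.group(1)), split_ctx(m.group(2))
            # security_compute_sid kept the caller's role for the new domain,
            # but policy never declared that role for that type (comment 3).
            findings.append({"kind": "invalid_context", "from": src["type"],
                             "to": bad["type"], "role": bad["role"],
                             "policy": "role %s types %s;" % (bad["role"], bad["type"])})
            continue
        m = AVC_RE.search(line)
        if m:
            src, tgt = split_ctx(m.group(3)), split_ctx(m.group(4))
            # A denial on a *_var_run_t dir was, in this bug, a labeling problem:
            # relabel (comments 2 and 19) before reaching for audit2allow.
            findings.append({"kind": "avc_denied", "comm": m.group(2),
                             "perms": m.group(1).split(), "source": src["type"],
                             "target": tgt["type"], "tclass": m.group(5),
                             "check": "restorecon -R -v /var/run"})
    return findings

def policy_module(findings, name="mypol"):
    """Render the role declarations as a TE module in the layout of comment 3."""
    pairs = sorted({(f["role"], f["to"]) for f in findings if f["kind"] == "invalid_context"})
    if not pairs:
        return ""
    req = ["\ttype %s;" % t for _, t in pairs] + ["\trole %s;" % r for r in sorted({r for r, _ in pairs})]
    rules = ["role %s types %s;" % p for p in pairs]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (name, "\n".join(req), "\n".join(rules))
```

Feed it `ausearch -m AVC,SELINUX_ERR` output instead of SAMPLE_AUDIT to triage a live system the same way.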
Comment 4 Daniel Walsh 2012-07-31 11:56:51 EDT
We should eliminate the transition from unconfined_t to svirt_t, like we have in Fedora.
Comment 5 Miroslav Grepl 2012-08-01 04:15:11 EDT
Yes, I removed it.
Comment 6 Miroslav Grepl 2012-08-07 19:43:25 EDT
Fixed in selinux-policy-3.7.19-159.el6
Comment 10 Jeff Burke 2012-10-30 10:40:48 EDT
With selinux-policy-3.7.19-172.el6 we are seeing this AVC denied message:

time->Mon Oct 29 14:16:57 2012
type=SYSCALL msg=audit(1351534617.890:66): arch=c000003e syscall=2 success=no exit=-13 a0=170eaf0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=7367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351534617.890:66): avc:  denied  { write } for  pid=7367 comm="dnsmasq" name="network" dev=dm-0 ino=1443806 scontext=unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

Regards,
Jeff
Comment 13 Daniel Walsh 2012-10-30 16:13:33 EDT
I believe the network directory has a wrong label on it.

Does

restorecon -R -v /var/run

fix it?
Comment 14 Jeff Burke 2012-10-31 08:27:28 EDT
Dan,
 No, I am not 100% sure, as this is seen in automated testing. If in fact it is mislabeled then it is being done so at install time. I can try and stop the test before it gets to that point in testing and relabel the directory.

Regards,
Jeff
Comment 15 Daniel Walsh 2012-10-31 09:44:15 EDT
Miroslav, I think for RHEL6 we will just have to allow this, since I am not sure we can get this directory labeled correctly.
Comment 19 Daniel Walsh 2012-12-11 15:05:05 EST
Is this a labeling problem under /var/run?

restorecon -R -v /var/run
Comment 20 Miroslav Grepl 2013-01-03 10:48:42 EST
(In reply to comment #15)
> Miroslav, I think for RHEL6 we will just have to allow this, since I am not
> sure we can get this directory labeled correctly.

I believe we need to allow it also for dhcpc_t.
Comment 21 Daniel Walsh 2013-01-03 11:48:38 EST
Fine.
Comment 24 errata-xmlrpc 2013-02-21 03:26:14 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
