843544 – starting libvirt default network causes "security_compute_sid: invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 843544 - starting libvirt default network causes "security_compute_sid: invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process"

Summary: starting libvirt default network causes "security_compute_sid: invalid conte...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-07-26 15:00 UTC by Paolo Bonzini
Modified:	2015-06-09 07:50 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-07-27 13:30:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Paolo Bonzini 2012-07-26 15:00:43 UTC

Description of problem:
libvirt tries to call iptables, but this fails with Permission denied errors from SELinux.

Version-Release number of selected component (if applicable):
0.9.13-3.el6

How reproducible:
100%

Steps to Reproduce:
  yum install libvirt
  service libvirtd start
  virsh net-start default
  
Actual results:
Starting default network fails.

Expected results:
Starting default network works.

Additional info:
See also bug 843543.

Comment 2 Paolo Bonzini 2012-07-27 07:54:05 UTC

Here is what I see in permissive mode:

type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid:  invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.896:525): security_compute_sid:  invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid:  invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process

In enforcing mode, dnsmasq is not launched because of the iptables problem.  After installing a custom policy that allows transition from unconfined_r to iptables_t, a "strace -ff -e execve libvirtd -v" indeed shows dnsmasq still failing to start:

[pid 28089] execve("/usr/sbin/dnsmasq", ["/usr/sbin/dnsmasq", "--strict-order", "--bind-interfaces", "--pid-file=/var/run/libvirt/netw"..., "--conf-file=", "--except-interface", "lo", "--listen-address", "192.168.122.1", "--dhcp-range", "192.168.122.2,192.168.122.254", "--dhcp-leasefile=/var/lib/libvir"..., "--dhcp-lease-max=253", "--dhcp-no-override"], [/* 34 vars */]) = -1 EACCES (Permission denied)
execve("/usr/sbin/dmidecode", ["/usr/sbin/dmidecode", "-q", "-t", "0,1,4,17"], [/* 34 vars */]) = -1 EACCES (Permission denied)

So we need all of these:

module mypol 1.0;

require {
	type dmidecode_t;
	type iptables_t;
	type dnsmasq_t;
	role unconfined_r;
}

#============= ROLES ==============
role unconfined_r types dmidecode_t;
role unconfined_r types iptables_t;
role unconfined_r types dnsmasq_t;

Comment 3 Miroslav Grepl 2012-07-27 08:33:29 UTC

Ok, I think we will need to remove virt_run() for unconfined_t.

If you execute

# service libvirtd restart 

then libvirtd should be running as system_r:virtd_t:s0-s0:c0.c1023

# ps -eZ |grep virtd

Comment 4 Paolo Bonzini 2012-07-27 09:23:57 UTC

I have no idea what you are talking about, anyhow:

# ps -eZ |grep virtd
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 28378 ? 00:00:00 libvirtd

Comment 5 Miroslav Grepl 2012-07-27 10:51:49 UTC

Which is correct. So if you have libvirtd running as

unconfined_u:system_r:virtd_t:s0-s0:c0.c102

you are still getting this issue?

Comment 6 Paolo Bonzini 2012-07-27 13:23:19 UTC

Hmm, this should explain what happened: I first got the wrong contexts, then I ran libvirtd from the command line to see the debug output more easily.  When I do that, the process runs as another context:

unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 1023 pts/1 00:00:00 libvirtd

audit.log then got spammed with these three SELinux errors.  Are people supposed to start libvirt (or other services) _exclusively_ through service?  They didn't tell me about it when I did RHCE, :) and I took it exactly to learn these nuances...

Comment 7 Daniel Walsh 2012-07-27 13:30:06 UTC

Well you should for both security reasons and to make sure SELinux works correctly.  The service script does a lot of scrubbing of the environment and transitions properly to the SELinux context.

http://danwalsh.livejournal.com/29041.html

Note You need to log in before you can comment on or make changes to this bug.