Bug 857453 - SELinux policy doesn't allow qemu to connect/write to correctly labelled console socket
Product: Fedora
Classification: Fedora
Component: selinux-policy
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On: 853393 888502
Reported: 2012-09-14 09:29 EDT by Richard W.M. Jones
Modified: 2012-12-18 14:31 EST (History)

Doc Type: Bug Fix
Clone Of: 853393
Last Closed: 2012-09-18 09:35:44 EDT
Type: Bug
Description Richard W.M. Jones 2012-09-14 09:29:34 EDT
+++ This bug was initially created as a clone of Bug #853393 +++

Description of problem:

In libguestfs with the libvirt backend we create sockets
to talk to the daemon and console like this:

    <serial type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/console.sock"/>
      <target port="0"/>
    </serial>
    <channel type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/guestfsd.sock"/>
      <target type="virtio" name="org.libguestfs.channel.0"/>
    </channel>

where "/tmp/libguestfs3vK8dN" is a temporary directory created
by libguestfs.

Note that these socket files are created by libguestfs.  Qemu has
to connect to them.

I have submitted a patch to libvirt so that it now correctly labels
console.sock (for some reason that I don't understand none of this
discussion seems to apply to guestfsd.sock, but everything still
works, go figure).

However SELinux policy does not allow qemu to write to console.sock
even when it is correctly labelled.

type=AVC msg=audit(1347628113.231:1514): avc:  denied  { write } for  pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file

type=AVC msg=audit(1347628390.930:1544): avc:  denied  { connectto } for  pid=5138 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

require {
	type svirt_image_t;
	type svirt_t;
	class sock_file write;
}

#============= svirt_t ==============
allow svirt_t svirt_image_t:sock_file write;


require {
	type unconfined_t;
	type svirt_t;
	class unix_stream_socket connectto;
}

#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;

Adding these two rules makes everything work OK for me.
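The two denials above, as an added example that is not part of the bug report or of libguestfs, libvirt or audit2allow: a small Python parser for the AVC line format that splits each context into user, role, type and MCS range, checks whether the socket carries the guest's own categories (so that only type enforcement is in the way), and regenerates the allow rules audit2allow proposed. The AVC lines are the ones quoted in the description; the module name `libguestfs_console` is invented for the example.

```python
"""Parse the AVC denials quoted in the bug and regenerate audit2allow's rules.
Added example; not code from the bug report, libguestfs, libvirt or audit2allow."""
import re
from collections import defaultdict

# The two AVC lines quoted in the bug description (copied from the page).
AVC_LINES = [
    'type=AVC msg=audit(1347628113.231:1514): avc:  denied  { write } for  '
    'pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 '
    'tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file',
    'type=AVC msg=audit(1347628390.930:1544): avc:  denied  { connectto } for  '
    'pid=5138 comm="qemu-kvm" '
    'path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)\s*'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type[:range]' -> dict.  The MLS/MCS range is optional and may
    itself contain colons (s0-s0:c0.c1023), hence the split limit of 3."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "range": rest[0] if rest else None}


def parse_avc(line):
    """Return the parts of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": split_context(m.group("scontext")),
        "target": split_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        # sock_file denials carry name=, socket-to-socket denials carry path=
        "object": fields.get("path") or fields.get("name"),
    }


def same_mcs(denial):
    """True when source and target carry the same MCS range: the object was
    labelled with the guest's own categories and only type enforcement blocks
    the access (first denial).  False for the second denial, whose target is
    the unconfined listener process running with the full s0-s0:c0.c1023 range."""
    return denial["source"]["range"] == denial["target"]["range"]


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def collect(lines):
    """Group denials by (source type, target type, class) -> permission set."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (d["source"]["type"], d["target"]["type"], d["tclass"])
            grouped[key].update(d["perms"])
    return grouped


def allow_rules(lines):
    """One allow rule per (source, target, class) group, as audit2allow prints."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(collect(lines).items())]


def policy_te(lines, module="libguestfs_console"):
    """Render a complete .te module (require block plus rules).  The module
    name is an assumption of this example, not anything the bug used."""
    grouped = collect(lines)
    types = sorted({t for key in grouped for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in grouped.items():
        classes[tclass].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line in AVC_LINES:
        d = parse_avc(line)
        print(f"{d['comm']}[{d['pid']}] {d['source']['type']} -> "
              f"{d['target']['type']}:{d['tclass']} {d['perms']}  "
              f"same MCS range: {same_mcs(d)}")
    print(policy_te(AVC_LINES))
```

On a real host the rendered `.te` would be built and loaded with `checkmodule -M -m`, `semodule_package` and `semodule -i`; note that the second rule, `allow svirt_t unconfined_t:unix_stream_socket connectto`, is broad on the type-enforcement side (any confined guest domain to any unconfined listener), which is why shipping the fix in the distribution policy, as Comment 1 does, is preferable to a local module.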
Comment 1 Daniel Walsh 2012-09-18 09:35:44 EDT
Fixed in selinux-policy-3.11.1-23.fc18.noarch
Comment 2 Richard W.M. Jones 2012-09-25 08:44:31 EDT
I installed the -24 policy and it does appear to be fixed.
