Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 880044

Summary: libvirt get AVC denied when create guest for unprivileged users in usermode
Product: Red Hat Enterprise Linux 6 Reporter: Huang Wenlong <whuang>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.4CC: cwei, dwalsh, dyuan, gsun, mzhan, rbalakri, rjones, tzheng
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-17 07:57:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Huang Wenlong 2012-11-26 05:27:36 UTC 
Description of problem:
libvirt get AVC denied when create guest for unprivileged users in usermode

Version-Release number of selected component (if applicable):
libvirt-0.10.2-4.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.335.el6.x86_64
selinux-policy-3.7.19-181.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1. login unprivileged user test

$virt-install -l
http://tree.englab.nay.redhat.com/pub/rhel/rel-eng/RHEL6.3/RHEL6.3-latest/x86_64/os
--name whuang --ram 512 --disk VirtualMachines/test.img --connect
qemu:///session

Starting install...
Retrieving file .treeinfo... | 3.5 kB 00:00 ...
Retrieving file vmlinuz... | 7.6 MB 00:00 ...
Retrieving file initrd.img... | 58 MB 00:00 ...
ERROR internal error Process exited while reading console log output:
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
virsh --connect qemu:///session start whuang
otherwise, please restart your installation.


2. virt-manager get the same error
$virt-manager -c qemu:///session
Unable to complete install: 'internal error Process exited while reading
console log output: '

3. audit log when try to create domain

type=AVC msg=audit(1353900584.413:99543): avc: denied { write } for
pid=23495 comm="qemu-kvm" path="/home/test/.libvirt/qemu/log/whuang.log"
dev=sda1 ino=1704069
scontext=unconfined_u:unconfined_r:svirt_t:s0:c499,c508
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1353900584.413:99543): avc: denied { write } for
pid=23495 comm="qemu-kvm" path="/home/test/.libvirt/qemu/log/whuang.log"
dev=sda1 ino=1704069
scontext=unconfined_u:unconfined_r:svirt_t:s0:c499,c508
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1353900584.413:99543): arch=c000003e syscall=59
success=yes exit=0 a0=7f23780074c0 a1=7f2378005da0 a2=7f2378009260
a3=7f2395779940 items=0 ppid=1 pid=23495 auid=502 uid=502 gid=502
euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none)
ses=989 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
subj=unconfined_u:unconfined_r:svirt_t:s0:c499,c508 key=(null)
type=AVC msg=audit(1353900584.426:99544): avc: denied { write } for
pid=23495 comm="qemu-kvm" name="lib" dev=sda1 ino=1704037
scontext=unconfined_u:unconfined_r:svirt_t:s0:c499,c508
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1353900584.426:99544): arch=c000003e syscall=49
success=no exit=-13 a0=3 a1=7fffb42bc760 a2=6e a3=7568772f62696c2f
items=0 ppid=1 pid=23495 auid=502 uid=502 gid=502 euid=502 suid=502
fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=989 comm="qemu-kvm"
exe="/usr/libexec/qemu-kvm"
subj=unconfined_u:unconfined_r:svirt_t:s0:c499,c508 key=(null)



Actual results:
as steps

Expected results:
no AVC denied

Additional info:
$ ll -Z .libvirt/qemu/log/
-rw-------. test test unconfined_u:object_r:user_home_t:s0
.libvirt/qemu/log/test.log
-rw-------. test test unconfined_u:object_r:user_home_t:s0
.libvirt/qemu/log/whuang.log
Comment 1 Huang Wenlong 2012-11-26 05:31:55 UTC 
Version-Release number of libvirt should be : 
libvirt-0.10.2-9 .el6.x86_64
Comment 3 Richard W.M. Jones 2012-11-26 21:34:17 UTC 
Does it work if you do:

restorecon -R -v ~/.libvirt

Otherwise ... yes, I'm not surprised there are bugs in this
area.  We have found a few (in SELinux policy & libvirt) for
RHEL 7.  I didn't even look at RHEL 6, since for libguestfs in
RHEL 6 we don't use libvirt.
Comment 5 Martin Kletzander 2013-01-29 13:39:09 UTC 
libvirt changed usage of home directories to XDG ones, but reverted that change since there is no filename transition in RHEL 6 kernel, thus the directories couldn't be handled with proper selinux contexts.

Since a while after that, selinux-policy lost one rule that helped managing the '.libvirt' directory in user home directories.  With older policy the rule can be found by running (with setools-console installed):
 sesearch -T -c process -s unconfined_t -t virtd_exec_t

This causes user-ran libvirtd (session mode) not to be transitioned into virtd_t and the directories created by it do not fall under other transition rule that would change the context to the proper one (this rule is not missing):
 sesearch -T -s virtd_t -t user_home_dir_t

For more info, see https://bugzilla.redhat.com/show_bug.cgi?id=859331

Based on that, I'm reassigning this bug to selinux-policy as that's the place this fix should happen.
Comment 6 Miroslav Grepl 2013-08-06 20:31:05 UTC 
Yes, I see we have
optional_policy(`
    virt_transition_svirt(unconfined_t, unconfined_r)
    #virt_run(unconfined_t, unconfined_r)
')

for a reason (AFAIK there was a bug). The problem is we are able to make it working in RHEL7 using filename transitios which we don't have in RHEL6.
Comment 8 Miroslav Grepl 2014-09-17 07:57:59 UTC 
We will need to have restorecond running for this in RHEL6 to make we get proper labeling.