Created attachment 765079 [details]
audit.log when running in permissive mode.
Description of problem:
For configuring routes for multiple gateways, vdsm now has a dhcp hook placed in /etc/dhcp/dhclient.d/sourceRoute.sh that calls the vdsm scripts in /usr/share/vdsm to set ip routes and rules.
The current selinux policy selinux-policy-3.7.19-195.el6_4.10.noarch prevents the hook from running the python scripts in /usr/share/vdsm/sourceRoute.py.
Version-Release number of selected component (if applicable):
How reproducible: 100%
Steps to Reproduce:
1. Build vdsm from http://gerrit.ovirt.org/#/c/15890/ or nightly once that patch is merged
vdsClient 0 addNetwork bridge=foo nics=eth0 bootproto=dhcp
where eth0 is a nic connected to a network that serves dhcp information.
if you do "ip rule show", no rules are added for the new ip config.
there are two ip rules for the new network.
grep python /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
solves the issue, so it seems that just updating the policy to include this use case should solve the bug.
The new behavior of the libvirt detection throws a few more avc denials on bootup. I'll try to make an attachment for them in the morning.
Well, I'm a bit delayed with that attachment, but in the meantime, the proper explanation for the need in policy change is:
The vdsm service, vdsmd, executes in selinux context system_u:system_r:virtd_t
and its supervdsmd counterpart executes in the system_u:system_r:initrc_t context. This allows them to interact with libvirt, qemu, /etc files, sockets, network interface netlink changes, etc.
For the multiple gateways feature, ( https://bugzilla.redhat.com/show_bug.cgi?id=618636 ), we need to perform a reasonably sized subset of those restricted actions as part of the DHCP hook that sets up source routing rules and routes (as opposed to destination routing) when dhcp receives a lease for an interface that belongs to vdsm. However, the DHCP hook can and is run on network service start, that is much prior to libvirtd and vdsmd startup when booting up and, for this reason, it can't just call vdsmd, it must call the vdsm code to perform the actions it needs.
Thus, to solve the issue the selinux-policy must give access to python executing in the dhcp_t context to perform the actions that the normal vdsmd context (system_u:system_r:virtd_t) allows.
supervdsmd Should probably run as the same label vdsmd. What is its path?
As far as dhcp_t having the all the rules as virtd_t, I would rather see the AVC's. I doubt dhcp_t is going to be launching virtual machines as svirt_t.
We reworked the approach of what we do not to require selinux policy changes. However, on F18 and F19 versions:
get avc denials. What we do is have dhcp_t create and write to files in /var/run/vdsm/sourceRoutes/
I attach the dhcp_t denials.
Created attachment 778276 [details]
audit.log of the denials in F19
These are the denials in Fedoa 19 after running in permissive mode and then trying to make it run on enforcing mode.
Tried a policy mad of attachment 778276 [details] with audit2allow and the functionality is restored for f19.
c82f9befc26d03bc711d5d9606c7f990b1d57ca7 fixes this in git.
*** Bug 990024 has been marked as a duplicate of this bug. ***
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.