Bug 977856 - Current selinux policy prevents the new vdsm dhcp hook from running
Summary: Current selinux policy prevents the new vdsm dhcp hook from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 990024 (view as bug list)
Depends On:
Blocks: 618636 918494 990024 990963
TreeView+ depends on / blocked
 
Reported: 2013-06-25 13:19 UTC by Antoni Segura Puimedon
Modified: 2014-12-08 00:51 UTC (History)
11 users (show)

Fixed In Version: selinux-policy-3.12.1-69.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 990509 (view as bug list)
Environment:
Last Closed: 2013-08-04 22:58:22 UTC


Attachments (Terms of Use)
audit.log when running in permissive mode. (270.42 KB, text/x-log)
2013-06-25 13:19 UTC, Antoni Segura Puimedon
no flags Details
audit.log of the denials in F19 (38.67 KB, text/x-log)
2013-07-25 14:32 UTC, Antoni Segura Puimedon
no flags Details

Description Antoni Segura Puimedon 2013-06-25 13:19:38 UTC
Created attachment 765079 [details]
audit.log when running in permissive mode.

Description of problem:
For configuring routes for multiple gateways, vdsm now has a dhcp hook placed in /etc/dhcp/dhclient.d/sourceRoute.sh that calls the vdsm scripts in /usr/share/vdsm to set ip routes and rules.

The current selinux policy selinux-policy-3.7.19-195.el6_4.10.noarch prevents the hook from running the python scripts in /usr/share/vdsm/sourceRoute.py.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible: 100%


Steps to Reproduce:
1. Build vdsm from http://gerrit.ovirt.org/#/c/15890/ or nightly once that patch is merged
2. execute
vdsClient 0 addNetwork bridge=foo nics=eth0 bootproto=dhcp

where eth0 is a nic connected to a network that serves dhcp information.

Actual results:
if you do "ip rule show", no rules are added for the new ip config.

Expected results:
there are two ip rules for the new network.

Additional info:
grep python /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

solves the issue, so it seems that just updating the policy to include this use case should solve the bug.

Comment 2 Antoni Segura Puimedon 2013-06-25 22:06:48 UTC
The new behavior of the libvirt detection throws a few more avc denials on bootup. I'll try to make an attachment for them in the morning.

Comment 3 Antoni Segura Puimedon 2013-07-01 15:00:47 UTC
Well, I'm a bit delayed with that attachment, but in the meantime, the proper explanation for the need in policy change is:

The vdsm service, vdsmd, executes in selinux context system_u:system_r:virtd_t
and its supervdsmd counterpart executes in the system_u:system_r:initrc_t context. This allows them to interact with libvirt, qemu, /etc files, sockets, network interface netlink changes, etc.

For the multiple gateways feature, ( https://bugzilla.redhat.com/show_bug.cgi?id=618636 ), we need to perform a reasonably sized subset of those restricted actions as part of the DHCP hook that sets up source routing rules and routes (as opposed to destination routing) when dhcp receives a lease for an interface that belongs to vdsm. However, the DHCP hook can and is run on network service start, that is much prior to libvirtd and vdsmd startup when booting up and, for this reason, it can't just call vdsmd, it must call the vdsm code to perform the actions it needs.

Thus, to solve the issue the selinux-policy must give access to python executing in the dhcp_t context to perform the actions that the normal vdsmd context (system_u:system_r:virtd_t) allows.

Comment 4 Daniel Walsh 2013-07-02 11:31:28 UTC
supervdsmd  Should probably run as the same label vdsmd.  What is its path?

As far as dhcp_t having the all the rules as virtd_t, I would rather see the AVC's.  I doubt dhcp_t is going to be launching virtual machines as svirt_t.

Comment 5 Antoni Segura Puimedon 2013-07-25 14:26:00 UTC
We reworked the approach of what we do not to require selinux policy changes. However, on F18 and F19 versions:
selinux-policy-3.11.1-98.fc18
selinux-policy-3.12.1-65.fc19

get avc denials. What we do is have dhcp_t create and write to files in /var/run/vdsm/sourceRoutes/

I attach the dhcp_t denials.

Comment 6 Antoni Segura Puimedon 2013-07-25 14:32:00 UTC
Created attachment 778276 [details]
audit.log of the denials in F19

These are the denials in Fedoa 19 after running in permissive mode and then trying to make it run on enforcing mode.

Comment 7 Antoni Segura Puimedon 2013-07-25 14:39:30 UTC
Tried a policy mad of attachment 778276 [details] with audit2allow and the functionality is restored for f19.

Comment 8 Daniel Walsh 2013-07-26 17:28:49 UTC
c82f9befc26d03bc711d5d9606c7f990b1d57ca7 fixes this in git.

Comment 9 Mark Wu 2013-07-30 09:31:49 UTC
*** Bug 990024 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2013-08-02 13:27:37 UTC
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19

Comment 11 Fedora Update System 2013-08-02 21:53:55 UTC
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-08-04 22:58:22 UTC
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.