Bug 596968 - AVCs running vhost-net with SELinux in enforcing
Summary: AVCs running vhost-net with SELinux in enforcing
Keywords:
Status: CLOSED DUPLICATE of bug 599146
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-27 20:18 UTC by Andrew Cathrow
Modified: 2014-09-07 22:53 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-02 18:49:26 UTC
Target Upstream Version:



Description Andrew Cathrow 2010-05-27 20:18:37 UTC
Running in the following environment:

kernel-2.6.32-30.el6
qemu-kvm-0.12.1.2-2.68.el6
selinux-policy-targeted-3.7.19-21.el6
selinux-policy-3.7.19-21.el6
libvirt-0.8.1-7.el6

When I attempt to run a guest using vhost with SELinux in enforcing mode, I get the following error on the command line:

error: Failed to start domain test
error: internal error Process exited while reading console log output: char device redirected to /dev/pts/1
qemu-kvm: -netdev tap,fd=20,id=hostnet0,vhost=on,vhostfd=21: vhost-net requested but could not be initialized
qemu-kvm: -netdev tap,fd=20,id=hostnet0,vhost=on,vhostfd=21: Device 'tap' could not be initialized

and the following AVCs:

type=SYSCALL msg=audit(1274990147.614:85768): arch=c000003e syscall=16 success=yes exit=0 a0=13 a1=89a2 a2=7fa4d9909b30 a3=7fa4d99098b0 items=0 ppid=1 pid=8853 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1274990147.675:85769): avc:  denied  { read write } for  pid=9408 comm="qemu-kvm" path="/dev/vhost-net" dev=devtmpfs ino=25393 scontext=system_u:system_r:svirt_t:s0:c217,c769 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1274990147.675:85769): arch=c000003e syscall=59 success=yes exit=0 a0=7fa4c0001480 a1=7fa4c0003f20 a2=7fa4c0001370 a3=7fa4d990ae60 items=0 ppid=1 pid=9408 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c217,c769 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1274990147.794:85770): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295

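The following is an added triage example and is not part of the bug report, nor code from selinux-policy or libvirt. It parses the audit records quoted above (embedded as a constructed, abridged sample), extracts the source domain, target type, object class and denied permissions from the AVC record, and flags denials whose target still carries the generic device_t label, which is the situation the later comments turn on (the node has no label of its own yet, so the policy needs a file context for it plus an allow rule). The helper names, the GENERIC_TYPES set and the summary wording are assumptions of this example; the label /dev/vhost-net eventually received is not stated on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the report plus its two neighbouring
# non-AVC records (SYSCALL line abridged), so the parser has lines to skip.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1274990147.614:85768): arch=c000003e syscall=16 success=yes exit=0 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1274990147.675:85769): avc:  denied  { read write } for  pid=9408 comm="qemu-kvm" path="/dev/vhost-net" dev=devtmpfs ino=25393 scontext=system_u:system_r:svirt_t:s0:c217,c769 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=ANOM_PROMISCUOUS msg=audit(1274990147.794:85770): dev=vnet0 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
"""

# AVC record header: timestamp, serial, decision and the permission set in braces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs that follow; values such as path and comm are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: labels treated as "generic", i.e. a node that has not
# been given a file context of its own and so fell back to the catch-all device type.
GENERIC_TYPES = {"device_t"}


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records and None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """Return the parsed AVC records of a multi-line audit log, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def triage(records):
    """Group denials by (source type, target type, class) and note generic target labels."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "count": 0})
    for r in records:
        if r["decision"] != "denied":
            continue
        g = groups[(r["source_type"], r["target_type"], r["tclass"])]
        g["perms"].update(r["perms"])
        g["count"] += 1
        if r["path"]:
            g["paths"].add(r["path"])
    return [
        {
            "source_type": src, "target_type": tgt, "tclass": cls,
            "perms": sorted(g["perms"]), "paths": sorted(g["paths"]), "count": g["count"],
            "generic_target_label": tgt in GENERIC_TYPES,
        }
        for (src, tgt, cls), g in sorted(groups.items())
    ]


def describe(finding):
    """One-line, human-readable summary of a triaged denial group."""
    line = "{} -> {} ({}): {} on {} [{} denial(s)]".format(
        finding["source_type"], finding["target_type"], finding["tclass"],
        " ".join(finding["perms"]), ", ".join(finding["paths"]) or "?", finding["count"])
    if finding["generic_target_label"]:
        line += "; target carries a generic label: needs its own file context plus an allow rule"
    return line


if __name__ == "__main__":
    for finding in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(describe(finding))
```

Run against the sample it reports one group, svirt_t -> device_t on chr_file for read and write on /dev/vhost-net, flagged because the target is still device_t; the same grouping over a larger audit.log separates genuine labeling gaps like this one from denials against already-labeled objects, which need a different kind of fix.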
Comment 2 Daniel Berrange 2010-05-28 12:05:55 UTC
The SELinux policy is already allowing /dev/kvm and /dev/net/tun access without needing one device per guest, so I'm not seeing where the problem in having only one /dev/vhost-net device is. IMHO this is a policy fix, just needing a new rule to allow /dev/vhost-net access, not a code dev problem in libvirt

Comment 3 Daniel Walsh 2010-06-02 17:31:30 UTC
What label should I give it or should I create a new label?

Comment 4 Eric Paris 2010-06-02 17:31:43 UTC
I agree after talking with cdub and looking at the kernel code we don't need more than 1 vhost-net.  Although is /dev/vhost-net the right place instead of /dev/net/vhost-net?

The file location matters for Dan to label it correctly.  Are there any non-virt uses for /dev/vhost-net ?

Comment 5 Daniel Walsh 2010-06-02 18:49:26 UTC

*** This bug has been marked as a duplicate of bug 599146 ***

