Timothy Redmond
2014-09-25 07:30:00 UTC
I am running the fedora virtualization preview on fedora 20 and I am
keeping everything up to date. I don't know if any of this version
information helps:
tr at localhost:/mnt/vm/kvm$ uname -a
Linux localhost.localdomain 3.16.2-201.fc20.x86_64 #1 SMP Mon Sep 15 19:57:50 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
tr at localhost:/mnt/vm/kvm$ qemu-system-x86_64 --version
QEMU emulator version 2.1.1, Copyright (c) 2003-2008 Fabrice Bellard
tr at localhost:/mnt/vm/kvm$ virsh --version
1.2.8
tr at localhost:/mnt/vm/kvm$
I am running a copy of the endian firewall (http://www.endian.com/us/)
in one virtual machine (definition attached). The outside network for
the firewall is the libvirt default network and the inside network is a
private libvirt network. I am using the firewall for its web proxy and
anti-virus capabilities.
If I start the firewall and then start another machine accessing the
default network then the /var/log/audit/audit.logs start filling up with
the following errors:
type=AVC msg=audit(1411625370.716:6294):
avc: denied { read }
for pid=1880 comm="qemu-system-x86" path="/dev/net/tun" dev="devtmpfs"
ino=10009
scontext=system_u:system_r:svirt_t:s0:c9,c427
tcontext=system_u:object_r:tun_tap_device_t:s0:c92,c467
tclass=chr_file permissive=0
In this log it appears that the firewall virtual machine is the one that
keeps getting the permission denied. Does anyone know why this is
happening and how I fix it?
My current partial theory is that the categories on /dev/net/tun often
change when I start a new virtual machine and this causes the previous
virtual machine to lose access rights to /dev/net/tun. So when I start
the firewall, the categories of the firewall virtual machine and
/dev/net/tun seem to match:
tr at localhost:~$ ps -C qemu-system-x86_64 --context
PID CONTEXT COMMAND
3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Firewall -S -machine pc-i440fx-2
tr at localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c644,c750 /dev/net/tun
tr at localhost:~$
Here they both have categories of {c644, c750} and the access is
granted. But when I start the second virtual machine the context of
/dev/net/tun is changed and the access is now denied to the first
virtual machine:
tr at localhost:~$ ps -C qemu-system-x86_64 --context
PID CONTEXT COMMAND
3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Firewall -S -machine pc-i440fx-2
3955 system_u:system_r:svirt_t:s0:c88,c878 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Personal -S -machine pc-i440fx-2.
tr at localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c88,c878 /dev/net/tun
tr at localhost:~$
The new context on /dev/net/tun has categories {c88,c878} and this no
longer matches the firewall virtual machine's categories {c644,c750}.
Any advice? Have I somehow messed up my configuration or is this
possibly a bug? Is the firewall doing something unexpected?
I also have noticed strange behavior on the inside network (which is why
it tunnels through tcp) but I will write about that later.
Thanks,
-Timothy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: endian-virt.xml
Type: text/xml
Size: 5516 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/virt/attachments/20140925/5e4e061d/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: personal.xml
Type: text/xml
Size: 5034 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/virt/attachments/20140925/5e4e061d/attachment-0001.xml>
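An added example (not part of the post above) that checks the theory mechanically: it parses an AVC record like the one quoted, splits the sVirt MCS labels into sensitivity and category sets, and reports whether the denial is explained by a category mismatch rather than by type enforcement. The sample records are constructed (the first is the post's record re-joined onto one line; the second is a matching-categories variant).

```python
import re

# Constructed sample input: the AVC record quoted in the post, re-joined onto
# one line, plus a constructed record in which the categories do match.
SAMPLE_AVC = [
    'type=AVC msg=audit(1411625370.716:6294): avc: denied { read } for pid=1880 '
    'comm="qemu-system-x86" path="/dev/net/tun" dev="devtmpfs" ino=10009 '
    'scontext=system_u:system_r:svirt_t:s0:c9,c427 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0:c92,c467 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1411625400.000:6300): avc: denied { read } for pid=3882 '
    'comm="qemu-system-x86" path="/dev/net/tun" '
    'scontext=system_u:system_r:svirt_t:s0:c644,c750 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0:c644,c750 tclass=chr_file permissive=0',
]

def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories] into (type, sens, {cats}).
    A category range such as c10.c12 is expanded to c10, c11, c12."""
    parts = ctx.split(":")
    if len(parts) < 4:
        raise ValueError("not an MLS/MCS context: %r" % ctx)
    cats = set()
    for item in (parts[4].split(",") if len(parts) > 4 else []):
        if "." in item:
            lo, hi = (int(x[1:]) for x in item.split("."))
            cats.update("c%d" % n for n in range(lo, hi + 1))
        else:
            cats.add(item)
    return parts[2], parts[3], cats

def parse_avc(line):
    """Pull the key=value fields and the denied permissions out of one record."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r'denied\s*\{([^}]*)\}', line)
    return {"perms": perms.group(1).split() if perms else [],
            "path": fields.get("path", "").strip('"'),
            "scontext": fields["scontext"], "tcontext": fields["tcontext"],
            "tclass": fields.get("tclass")}

def classify_denial(line):
    """'mcs-category-mismatch' when sensitivity levels agree but the target's
    categories are not all held by the source (the sVirt per-VM isolation
    rule); 'other' means type enforcement or a boolean is responsible."""
    rec = parse_avc(line)
    _, ssens, scats = parse_context(rec["scontext"])
    _, tsens, tcats = parse_context(rec["tcontext"])
    if ssens == tsens and not tcats <= scats:
        return "mcs-category-mismatch"
    return "other"
```

Running `classify_denial` over the post's record reports a category mismatch (c9,c427 versus c92,c467), which is the same pattern the ps/ls output shows after the second guest relabels /dev/net/tun.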