I am running the fedora virtualization preview on fedora 20 and I am
keeping everything up to date. I don't know if any of this version
information helps:
tr@localhost:/mnt/vm/kvm$ uname -a
Linux localhost.localdomain 3.16.2-201.fc20.x86_64 #1 SMP Mon Sep 15 19:57:50
UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
tr@localhost:/mnt/vm/kvm$ qemu-system-x86_64 --version
QEMU emulator version 2.1.1, Copyright (c) 2003-2008 Fabrice Bellard
tr@localhost:/mnt/vm/kvm$ virsh --version
1.2.8
tr@localhost:/mnt/vm/kvm$
I am running a copy of the endian firewall (http://www.endian.com/us/)
in one virtual machine (definition attached). The outside network for
the firewall is the libvirt default network and the inside network is a
private libvirt network. I am using the firewall for its web proxy and
anti-virus capabilities.
If I start the firewall and then start another machine accessing the
default network then the /var/log/audit/audit.logs start filling up with
the following errors:
type=AVC msg=audit(1411625370.716:6294):
avc: denied { read }
for pid=1880 comm="qemu-system-x86" path="/dev/net/tun" dev="devtmpfs"
ino=10009
scontext=system_u:system_r:svirt_t:s0:c9,c427
tcontext=system_u:object_r:tun_tap_device_t:s0:c92,c467
tclass=chr_file permissive=0
In this log it appears that the firewall virtual machine is the one that
keeps getting the permission denied. Does anyone know why this is
happening and how I fix it?
My current partial theory is that the categories on /dev/net/tun often
change when I start a new virtual machine and this causes the previous
virtual machine to lose access rights to /dev/net/tun. So when I start
the firewall, the categories of the firewall virtual machine and
/dev/net/tun seem to match:
tr@localhost:~$ ps -C qemu-system-x86_64 --context
PID CONTEXT COMMAND
3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64
-machine accel=kvm -name Firewall -S -machine pc-i440fx-2
tr@localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c644,c750
/dev/net/tun
tr@localhost:~$
Here they both have categories of {c644, c750} and the access is
granted. But when I start the second virtual machine the context of
/dev/net/tun is changed and the access is now denied to the first
virtual machine:
tr@localhost:~$ ps -C qemu-system-x86_64 --context
PID CONTEXT COMMAND
3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64
-machine accel=kvm -name Firewall -S -machine pc-i440fx-2
3955 system_u:system_r:svirt_t:s0:c88,c878 /usr/bin/qemu-system-x86_64
-machine accel=kvm -name Personal -S -machine pc-i440fx-2.
tr@localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c88,c878
/dev/net/tun
tr@localhost:~$
The new context on /dev/net/tun has categories {c88,c878} and this no
longer matches the firewall virtual machines categories {c644,c750}.
Any advice? Have I somehow messed up my configuration or is this
possibly a bug? Is the firewall doing something unexpected?
I also have noticed strange behavior on the inside network (which is why
it tunnels through tcp) but I will write about that later.
Thanks,
-Timothy
<domain type='kvm' id='9'>
<name>Firewall</name>
<uuid>a9fc5d1b-a165-4933-b2f7-77977f1e7dfe</uuid>
<description>The endian firewall.
The tricky part to setting this up is getting the two nic cards in the right order. The first one is the inside network and the second one is the untrusted internet.
You can see this with an ifconfig followed by a comparison of mac addresses. The inside network has an address of 192.168.0.15.
</description>
<memory unit='KiB'>8392704</memory>
<currentMemory unit='KiB'>8392704</currentMemory>
<vcpu placement='static'>2</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode='custom' match='exact'>
<model fallback='allow'>SandyBridge</model>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/bin/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/mnt/vm/kvm/endian-virt.qcow2'/>
<backingStore/>
<target dev='hda' bus='ide'/>
<boot order='1'/>
<alias name='ide0-0-0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<disk type='block' device='cdrom'>
<driver name='qemu' type='raw'/>
<backingStore/>
<target dev='hdb' bus='ide'/>
<readonly/>
<alias name='ide0-0-1'/>
<address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
<controller type='usb' index='0' model='ich9-ehci1'>
<alias name='usb0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci1'>
<alias name='usb0'/>
<master startport='0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci2'>
<alias name='usb0'/>
<master startport='2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci3'>
<alias name='usb0'/>
<master startport='4'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'>
<alias name='pci.0'/>
</controller>
<controller type='ide' index='0'>
<alias name='ide0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='virtio-serial' index='0'>
<alias name='virtio-serial0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</controller>
<interface type='server'>
<mac address='de:ad:be:ef:ca:ec'/>
<source address='localhost' port='5555'/>
<model type='e1000'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='network'>
<mac address='de:ad:be:ef:ca:ed'/>
<source network='default'/>
<target dev='vnet0'/>
<model type='rtl8139'/>
<alias name='net1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/4'/>
<target port='0'/>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/4'>
<source path='/dev/pts/4'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<sound model='ich6'>
<alias name='sound0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</sound>
<video>
<model type='qxl' ram='65536' vram='65536' heads='1'/>
<alias name='video0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir0'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir1'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir2'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir3'/>
</redirdev>
<memballoon model='virtio'>
<alias name='balloon0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</memballoon>
</devices>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>system_u:system_r:svirt_t:s0:c181,c490</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c181,c490</imagelabel>
</seclabel>
</domain>
<domain type='kvm'>
<name>Personal</name>
<uuid>1a753f83-6b84-4a74-9bf1-968ba2504fc9</uuid>
<memory unit='KiB'>8388608</memory>
<currentMemory unit='KiB'>8388608</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<cpu mode='custom' match='exact'>
<model fallback='allow'>SandyBridge</model>
<vendor>Intel</vendor>
<feature policy='require' name='pbe'/>
<feature policy='require' name='tm2'/>
<feature policy='require' name='est'/>
<feature policy='require' name='osxsave'/>
<feature policy='require' name='smx'/>
<feature policy='require' name='ss'/>
<feature policy='require' name='vme'/>
<feature policy='require' name='dtes64'/>
<feature policy='require' name='ht'/>
<feature policy='require' name='ds'/>
<feature policy='require' name='pcid'/>
<feature policy='require' name='tm'/>
<feature policy='require' name='pdcm'/>
<feature policy='require' name='vmx'/>
<feature policy='require' name='ds_cpl'/>
<feature policy='require' name='xtpr'/>
<feature policy='require' name='acpi'/>
<feature policy='require' name='invtsc'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/bin/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/mnt/vm/kvm/personal.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</disk>
<disk type='block' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native'/>
<source dev='/dev/catlover/personal'/>
<target dev='vdb' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
</disk>
<controller type='usb' index='0' model='ich9-ehci1'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci1'>
<master startport='0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci2'>
<master startport='2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
</controller>
<controller type='usb' index='0' model='ich9-uhci3'>
<master startport='4'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</controller>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
</controller>
<controller type='sata' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x0a' function='0x0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:b4:42:90'/>
<source network='default'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<console type='pty'>
<target type='virtio' port='0'/>
</console>
<channel type='unix'>
<source mode='bind' path='/var/lib/libvirt/qemu/channel/target/Personal.org.qemu.guest_agent.0'/>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
<input type='tablet' bus='usb'/>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='spice' autoport='yes'/>
<sound model='ich6'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</sound>
<video>
<model type='qxl' ram='65536' vram='65536' heads='1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
</redirdev>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
</memballoon>
</devices>
</domain>
_______________________________________________
virt mailing list
virt@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/virt
