[fedora-virt] access denied to /dev/net/tun

Timothy Redmond tredmond59 at yahoo.com
Thu Sep 25 07:30:00 UTC 2014


I am running the fedora virtualization preview on fedora 20 and I am 
keeping everything up to date.  I don't know if any of this version 
information helps:

tr at localhost:/mnt/vm/kvm$ uname -a
Linux localhost.localdomain 3.16.2-201.fc20.x86_64 #1 SMP Mon Sep 15 19:57:50 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
tr at localhost:/mnt/vm/kvm$ qemu-system-x86_64 --version
QEMU emulator version 2.1.1, Copyright (c) 2003-2008 Fabrice Bellard
tr at localhost:/mnt/vm/kvm$ virsh --version
1.2.8
tr at localhost:/mnt/vm/kvm$


I am running a copy of the endian firewall (http://www.endian.com/us/) 
in one virtual machine (definition attached).  The outside network for 
the firewall is the libvirt default network and the inside network is a 
private libvirt network.  I am using the firewall for its web proxy and 
anti-virus capabilities.

If I start the firewall and then start another machine accessing the 
default network then /var/log/audit/audit.log starts filling up with 
the following errors:

type=AVC msg=audit(1411625370.716:6294): avc:  denied  { read }  for  pid=1880 comm="qemu-system-x86" path="/dev/net/tun" dev="devtmpfs" ino=10009 scontext=system_u:system_r:svirt_t:s0:c9,c427 tcontext=system_u:object_r:tun_tap_device_t:s0:c92,c467 tclass=chr_file permissive=0


In this log it appears that the firewall virtual machine is the one that 
keeps getting the permission denied.  Does anyone know why this is 
happening and how I fix it?

My current partial theory is that the categories on /dev/net/tun often 
change when I start a new virtual machine and this causes the previous 
virtual machine to lose access rights to /dev/net/tun.  So when I start 
the firewall, the categories of the firewall virtual machine and 
/dev/net/tun seem to match:

tr at localhost:~$ ps -C qemu-system-x86_64 --context
   PID CONTEXT                         COMMAND
  3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Firewall -S -machine pc-i440fx-2
tr at localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c644,c750 /dev/net/tun
tr at localhost:~$


Here they both have categories of {c644, c750} and the access is 
granted.  But when I start the second virtual machine the context of 
/dev/net/tun is changed and the access is now denied to the first 
virtual machine:

tr at localhost:~$ ps -C qemu-system-x86_64 --context
   PID CONTEXT                         COMMAND
  3882 system_u:system_r:svirt_t:s0:c644,c750 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Firewall -S -machine pc-i440fx-2
  3955 system_u:system_r:svirt_t:s0:c88,c878 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name Personal -S -machine pc-i440fx-2.
tr at localhost:~$ ls -lZ /dev/net/tun
crw-rw-rw-. root root system_u:object_r:tun_tap_device_t:s0:c88,c878 /dev/net/tun
tr at localhost:~$



The new context on /dev/net/tun has categories {c88,c878} and this no 
longer matches the firewall virtual machine's categories {c644,c750}.

Any advice?  Have I somehow messed up my configuration or is this 
possibly a bug?  Is the firewall doing something unexpected?

I also have noticed strange behavior on the inside network (which is why 
it tunnels through tcp) but I will write about that later.

Thanks,

-Timothy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: endian-virt.xml
Type: text/xml
Size: 5516 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/virt/attachments/20140925/5e4e061d/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: personal.xml
Type: text/xml
Size: 5034 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/virt/attachments/20140925/5e4e061d/attachment-0001.xml>
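As an added example (not from the original post, and not libvirt or SELinux tooling), the following Python script parses AVC records of the kind quoted above and reports the denials in which the object's MCS categories are not covered by the subject's, which is exactly the /dev/net/tun symptom described: the guest keeps its own pair of categories while the device has been relabeled with another guest's pair. The audit lines embedded in it are constructed; the first reproduces the record from the post on a single line as auditd writes it, the second is a made-up denial whose categories do match (an ordinary type-enforcement denial, not a category mismatch). The function and variable names are my own.

```python
import re

# Constructed sample audit.log records (not copied from a live system).
# Line 1 reproduces the denial quoted in the post, written on one line as
# auditd records it. Line 2 is a made-up denial whose MCS categories DO
# match, so it is not the sVirt category problem and must not be reported.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1411625370.716:6294): avc:  denied  { read }  for  '
    'pid=1880 comm="qemu-system-x86" path="/dev/net/tun" dev="devtmpfs" '
    'ino=10009 scontext=system_u:system_r:svirt_t:s0:c9,c427 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0:c92,c467 '
    'tclass=chr_file permissive=0',
    'type=AVC msg=audit(1411625400.001:6300): avc:  denied  { write }  for  '
    'pid=1880 comm="qemu-system-x86" path="/var/log/example.log" dev="dm-0" '
    'ino=12345 scontext=system_u:system_r:svirt_t:s0:c9,c427 '
    'tcontext=system_u:object_r:var_log_t:s0:c9,c427 '
    'tclass=file permissive=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
PERMS_RE = re.compile(r'\{\s*([^}]*)\}')         # the "{ read write }" part


def parse_avc(line):
    """Return the key=value fields of one AVC record as a dict.

    Quoted values have their quotes stripped; the permissions listed
    inside "{ ... }" are returned as a list under the key "perms".
    """
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def mcs_categories(context):
    """Return the MCS category set of a context string.

    A context is user:role:type:level, where level is a sensitivity with
    optional categories ("s0:c644,c750"). A range "low-high" such as
    "s0-s0:c0.c1023" is handled by taking the high level, and a dotted
    token "c0.c1023" is expanded as an inclusive range.
    """
    parts = context.split(":", 3)
    if len(parts) < 4:
        return frozenset()
    level = parts[3].split("-")[-1]      # high end of a range, if any
    if ":" not in level:
        return frozenset()               # sensitivity only, no categories
    cats = set()
    for tok in level.split(":", 1)[1].split(","):
        if "." in tok:
            lo, hi = tok.split(".")
            cats.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(tok)
    return frozenset(cats)


def mcs_mismatches(lines):
    """Return the AVC denials whose object categories are not dominated
    by the subject's categories.

    MCS grants access when the subject's category set is a superset of
    the object's. sVirt gives every guest its own random pair, so for a
    guest and the device it should own this amounts to an equality test;
    any other combination is an isolation failure, not a plain policy
    denial.
    """
    hits = []
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue
        f = parse_avc(line)
        if "scontext" not in f or "tcontext" not in f:
            continue
        s_cats = mcs_categories(f["scontext"])
        t_cats = mcs_categories(f["tcontext"])
        if not t_cats.issubset(s_cats):
            hits.append({
                "pid": f.get("pid"),
                "comm": f.get("comm"),
                "path": f.get("path"),
                "perms": f["perms"],
                "subject_cats": sorted(s_cats),
                "object_cats": sorted(t_cats),
            })
    return hits


if __name__ == "__main__":
    for hit in mcs_mismatches(SAMPLE_AUDIT_LINES):
        print(hit)
```

Against a real system, feeding `open("/var/log/audit/audit.log")` to `mcs_mismatches` gives the same report; a hit whose `path` is the tun device and whose `object_cats` equal another running guest's categories (compare with `ps -C qemu-system-x86_64 --context`) is the relabeling pattern from the post, as opposed to a denial that would need a policy change.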
