Bug ID | 988279 |
---|---|
Summary | qemu-bridge-helper not useable by non root user |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | x86-64 |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Virtualization:Tools |
Assignee | virt-bugs@suse.de |
Reporter | clark.boylan@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |

When attempting to run virt-install as a non root user that is a member of the libvirt, kvm, and qemu groups the virt-install process fails to run qemu-bridge-helper. This appears to happen for two reasons:

1) apparmor is preventing this.
2) qemu-bridge-helper is not setuid.

Command to reproduce:

    virt-install -n test-instance -r 2048 --os-type=linux --os-variant=ubuntu15.10 --disk /home/clark/virt/disks/xenial-server-cloudimg-amd64-disk1.img,device=disk,bus=virtio --disk /home/clark/virt/disks/init.iso,device=cdrom,bus=virtio -w bridge=br0,model=virtio --noautoconsole --import

Log from audit.log:

    type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" operation="exec" profile="/usr/sbin/libvirtd" name="/usr/lib/qemu-bridge-helper" pid=19746 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Error when apparmor prevents this:

    ERROR internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0 --fd=22: failed to communicate with bridge helper: Transport endpoint is not connected stderr=libvirt: error : cannot execute binary /usr/lib/qemu-bridge-helper: Permission denied

Error when not setuid:

    ERROR internal error: /usr/lib/qemu-bridge-helper --use-vnet --br=br0 --fd=22: failed to communicate with bridge helper: Transport endpoint is not connected stderr=failed to create tun device: Operation not permitted

I managed to correct the apparmor issue by copy pasting the qemu-bridge-helper content from /etc/apparmor.d/abstractions/libvirt-qemu and appending it to the end of the profile in /etc/apparmor.d/usr.sbin.libvirtd. This prevented apparmor from denying my access but then I ran into the tun device issue.

To correct the tun device issue I had to chmod 4755 /usr/lib/qemu-bridge-helper. With that done virt-install works as expected and starts the virtual machine on the specified bridge.

I do not know if either of these steps is actually desirable from a security standpoint but I think that the ability to run virt-install and take advantage of qemu-bridge-helper is something that a non root user should be able to do.
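
The two failure modes in this report can be told apart from the evidence it quotes. The following is an added example, not part of the original report or of libvirt/QEMU: it parses the AppArmor AVC record and the helper's stderr to decide which cause applies. The function names (`parse_avc`, `is_setuid_root`, `diagnose`) are hypothetical, and the sample strings are constructed from the messages quoted above.

```python
import shlex
import stat

HELPER = "/usr/lib/qemu-bridge-helper"  # path as given in the report

# Constructed sample input, copied from the messages quoted in the report.
AUDIT_LINE = ('type=AVC msg=audit(1468123876.616:558): apparmor="DENIED" '
              'operation="exec" profile="/usr/sbin/libvirtd" '
              'name="/usr/lib/qemu-bridge-helper" pid=19746 comm="libvirtd" '
              'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0')
STDERR_TUN = "failed to create tun device: Operation not permitted"


def parse_avc(line):
    """Return the key=value fields of an AppArmor AVC record, or None."""
    try:
        tokens = shlex.split(line)  # also strips the quotes around values
    except ValueError:              # unbalanced quotes: not parseable
        return None
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    if fields.get("type") != "AVC" or "apparmor" not in fields:
        return None
    return fields


def is_setuid_root(mode, uid):
    """True when a mode/owner pair means 'runs as root' (e.g. 4755, uid 0)."""
    return bool(mode & stat.S_ISUID) and uid == 0


def diagnose(audit_lines, helper_stderr, helper=HELPER):
    """Map the evidence to one of the two causes named in the report."""
    for rec in filter(None, map(parse_avc, audit_lines)):
        if (rec["apparmor"] == "DENIED" and rec.get("operation") == "exec"
                and rec.get("name") == helper
                and "x" in rec.get("denied_mask", "")):
            return ("apparmor", f'profile {rec.get("profile")} denied exec '
                                f'for fsuid {rec.get("fsuid")}')
    if "failed to create tun device" in helper_stderr:
        return ("privilege", "helper ran but could not create the tun device")
    return ("unknown", "no matching AppArmor denial or tun error")


if __name__ == "__main__":
    print(diagnose([AUDIT_LINE], ""))
    print(diagnose([], STDERR_TUN))
```

`is_setuid_root` takes the `st_mode` and `st_uid` values from `os.stat()` on the helper, so the permission state can be audited without changing it.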