Bug 1038933

Summary: Bind host content to container's /etc/passwd leads to systemd crash when SELinux is enforcing

Product: [Community] Virtualization Tools
Component: libvirt-sandbox
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Reporter: Luwen Su <lsu>
Assignee: Libvirt Maintainers <libvirt-maint>
CC: berrange, dyuan, gsun, mzhan, weizhan, zpeng
Last Closed: 2020-04-16 17:50:47 UTC

Attachments (Description / Flags):
  sos tar / none
  coredump / none

Description Luwen Su 2013-12-06 08:02:43 UTC
Description of problem:
Bind host content to the container's /etc/passwd leads to a systemd crash when SELinux is set to enforcing

Version-Release number of selected component (if applicable):
libvirt-1.1.1-13.el7.x86_64
libvirt-sandbox-0.5.0-7.el7.x86_64
systemd-207-8.el7.x86_64
3.10.0-59.el7.x86_64
glibc-2.17-38.el7.x86_64
glib2-2.36.3-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
#mkdir /container
#touch /container/test

#getenforce
Enforcing


2.
#virt-sandbox-service create --copy -N dhcp,mac='52:54:00:ec:b6:c2',source=default -m host-bind:/etc/passwd=/containers/test  --unitfile httpd.service test-crash

#virsh -c lxc:/// start test-crash
Domain test-crash started

# virsh -c lxc:/// list --all
 Id    Name                           State
----------------------------------------------------
 -     test-crash                     shut off

3.
#cat /var/log/messages
Dec  6 15:05:18 localhost kernel: [ 1625.897385] libvirt-sandbox[5673]: segfault at 20 ip 00000034b80148ed sp 00007fffcbd47bb0 error 4 in libp11-kit.so.0.0.0[34b8000000+1e000]
Dec  6 15:05:18 localhost abrt[5676]: Saved core dump of pid 1 (/usr/lib/systemd/systemd) to /var/tmp/abrt/ccpp-2013-12-06-15:05:18-1 (2093056 bytes)

# pwd
/var/tmp/abrt/ccpp-2013-12-06-15:07:51-1


#gdb --core=coredump
Core was generated by `/usr/libexec/libvirt-sandbox-init-common'.
Program terminated with signal 11, Segmentation fault.
#0  expand_homedir (remainder=<optimized out>) at path.c:152
152                        return p11_path_build (pwd->pw_dir, remainder, NULL);
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib64/libgobject-2.0.so.0.3600.3-gdb.py", line 9, in <module>
    from gobject import register
  File "/usr/share/glib-2.0/gdb/gobject.py", line 3, in <module>
    import gdb.backtrace
ImportError: No module named backtrace

BTW, due to a glibc bug (Bug 972351 - No module named backtrace), it seems the core dump file can't be analyzed.


4.
#setroubleshoot: SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from read access on the file test. For complete SELinux messages. run sealert -l edfa8b4b-b5e4-42ae-a13c-d428f8496a41

SELinux is preventing /usr/libexec/libvirt-sandbox-init-common from read access on the file test.
...............cut long text about fcontext..............................
# sealert -l edfa8b4b-b5e4-42ae-a13c-d428f8496a41
# grep libvirt-sandbox /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                test [ file ]
Source                        libvirt-sandbox
Source Path                   /usr/libexec/libvirt-sandbox-init-common
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           libvirt-sandbox-libs-0.5.0-7.el7.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.12.1-108.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-59.el7.x86_64
                              #1 SMP Thu Dec 5 00:33:07 EST 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-06 15:16:27 CST
Last Seen                     2013-12-06 15:16:27 CST
Local ID                      edfa8b4b-b5e4-42ae-a13c-d428f8496a41

Raw Audit Messages
type=AVC msg=audit(1386314187.211:167): avc:  denied  { read } for  pid=2284 comm="libvirt-sandbox" name="test" dev="sda1" ino=69743434 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1386314187.211:167): arch=x86_64 syscall=open success=no exit=EACCES a0=7fe17024537a a1=80000 a2=1b6 a3=7fffcb8229e0 items=0 ppid=0 pid=2284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=libvirt-sandbox exe=/usr/libexec/libvirt-sandbox-init-common subj=system_u:system_r:svirt_lxc_net_t:s0 key=(null)

Hash: libvirt-sandbox,svirt_lxc_net_t,default_t,file,read
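
The backtrace above stops in p11-kit's expand_homedir at `return p11_path_build (pwd->pw_dir, remainder, NULL);`, and the kernel logged "segfault at 20". On x86_64 glibc, pw_dir sits at byte offset 0x20 inside struct passwd (two pointers, uid_t, gid_t, one more pointer), so the fault address is consistent with pwd being NULL: a getpwuid() lookup that failed because the container's /etc/passwd (the bind-mounted, mislabeled host file that the AVC shows was denied for read) could not be opened, followed by an unchecked dereference in pid 1 of the container. That reading is an inference from the log, not something the report states. The C program below is an added illustration written for this page, not p11-kit's or libvirt-sandbox's code: it computes that offset and shows a home-directory expansion helper that treats a NULL passwd result as a reported error instead of a crash. The function names, the fallback to $HOME and the sample passwd record are assumptions made for the example.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Byte offset of pw_dir inside struct passwd. On x86_64 glibc this is 0x20,
 * i.e. exactly the address a NULL struct passwd * faults on when ->pw_dir is
 * read, which is what "segfault at 20" in the kernel log reports. */
size_t passwd_dir_offset(void)
{
    return offsetof(struct passwd, pw_dir);
}

/* Same shape as path.c:152: join the user's home directory with the remainder
 * of a "~/..." path. Returns a malloc'd string, or NULL (after printing why)
 * when no usable home directory can be determined.
 *
 * pwd may legitimately be NULL: getpwuid() returns NULL both when the uid is
 * unknown and when the lookup itself fails, for example because /etc/passwd
 * cannot be opened (the EACCES open() in the AVC record above). Dereferencing
 * it without this check is the crash seen in the core dump. */
char *expand_homedir_checked(const struct passwd *pwd, const char *env_home,
                             const char *remainder)
{
    const char *home = NULL;

    if (pwd != NULL && pwd->pw_dir != NULL && pwd->pw_dir[0] != '\0')
        home = pwd->pw_dir;
    else if (env_home != NULL && env_home[0] != '\0')
        home = env_home;        /* assumed fallback: the caller's $HOME */

    if (home == NULL) {
        fprintf(stderr, "cannot expand '~/%s': no home directory for uid %u\n",
                remainder ? remainder : "", (unsigned)getuid());
        return NULL;
    }

    size_t hlen = strlen(home);
    size_t rlen = remainder ? strlen(remainder) : 0;
    int need_sep = (hlen > 0 && home[hlen - 1] != '/' && rlen > 0) ? 1 : 0;
    char *out = malloc(hlen + need_sep + rlen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, home, hlen);
    if (need_sep)
        out[hlen] = '/';
    if (rlen)
        memcpy(out + hlen + need_sep, remainder, rlen);
    out[hlen + need_sep + rlen] = '\0';
    return out;
}

/* Convenience wrapper doing the real lookup for the calling uid. */
char *expand_homedir_for_self(const char *remainder)
{
    return expand_homedir_checked(getpwuid(getuid()), getenv("HOME"), remainder);
}

int main(void)
{
    /* Constructed passwd record standing in for a readable /etc/passwd entry. */
    struct passwd sample = { .pw_name = "sandbox", .pw_dir = "/home/sandbox" };
    char *ok = expand_homedir_checked(&sample, NULL, ".config/pkcs11");
    /* Simulates the failure: lookup returned NULL and there is no $HOME. */
    char *bad = expand_homedir_checked(NULL, NULL, ".config/pkcs11");

    printf("pw_dir offset: 0x%zx\n", passwd_dir_offset());
    printf("with passwd entry: %s\n", ok ? ok : "(null)");
    printf("without entry:     %s\n", bad ? bad : "(null, handled)");
    free(ok);
    free(bad);
    return 0;
}
```

Run under `strace -e open,openat` inside a container whose /etc/passwd is denied by SELinux and the wrapper will log the EACCES and return NULL rather than taking pid 1 down; a container init should treat that return as a fatal configuration error with a message, not as a signal 11.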

Comment 1 Luwen Su 2013-12-06 08:11:46 UTC
Created attachment 833466 [details]
sos tar

Comment 2 Luwen Su 2013-12-06 08:17:09 UTC
Created attachment 833467 [details]
coredump

Comment 4 Luwen Su 2013-12-06 08:42:22 UTC
SELinux does the right thing by forbidding writing to "test", since I didn't change the SELinux label for the file. But crashing systemd is not expected anyway.

Comment 5 Alex Jia 2013-12-06 08:49:08 UTC
(In reply to time.su from comment #0)
> 2.
> #virt-sandbox-service create --copy -N
> dhcp,mac='52:54:00:ec:b6:c2',source=default -m
> host-bind:/etc/passwd=/containers/test  --unitfile httpd.service test-crash

You should manually change the SELinux context of /containers/test to "system_u:object_r:svirt_sandbox_file_t:s0" yourself; otherwise the following SELinux issue is an expected result.

# chcon -u system_u -t svirt_sandbox_file_t -l s0 /containers/test
[root@localhost ~]# ll /containers/test -Z
-rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 /containers/test

But anyway, it may be a negative testing scenario.

> 
> #virsh -c lxc:/// start test-crash
> Domain test-crash started

So the only question is that libvirt should report a failure to start the guest.


> #gdb --core=coredump
> Core was generated by `/usr/libexec/libvirt-sandbox-init-common'.
> Program terminated with signal 11, Segmentation fault.
> #0  expand_homedir (remainder=<optimized out>) at path.c:152
> 152                        return p11_path_build (pwd->pw_dir, remainder,
> NULL);
> Traceback (most recent call last):
>   File
> "/usr/share/gdb/auto-load/usr/lib64/libgobject-2.0.so.0.3600.3-gdb.py", line
> 9, in <module>
>     from gobject import register
>   File "/usr/share/glib-2.0/gdb/gobject.py", line 3, in <module>
>     import gdb.backtrace
> ImportError: No module named backtrace
> 

I think it is not relevant to libvirt.

Comment 7 Daniel Berrangé 2020-04-16 17:50:47 UTC
Closing old bug, since this is no longer actively maintained