Bug 1268638
| Summary: | SELinux preventing qemu create access sock_file | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | poma <pomidorabelisima> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | berrange, crobinso, dominick.grift, dwalsh, jsynacek, lvrabec, mgrepl, plautrba, virt-maint |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-128.22.fc22 selinux-policy-3.13.1-128.28.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-10 17:57:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
linux doesn't allow binding a to a unix socket filesystem path if the file already exists. so qemu is forced to unlink the path first, and allow the bind(2) call to create it. this means libvirt can't stick an svirt label on the path. so my guess is the 'solution' here is to use a properly labelled root directory for the unix socket, but maybe it makes sense to allow /tmp to serve that purpose. that's up to the selinux guys though Whether they forgot about us?
SELinux is preventing /usr/bin/qemu-system-x86_64 from create access on the sock_file CharUNIX.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that qemu-system-x86_64 should be allowed create access on the CharUNIX sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:svirt_t:s0:c--,c--
Target Context system_u:object_r:tmp_t:s0
Target Objects CharUNIX [ sock_file ]
Source qemu-system-x86
Source Path /usr/bin/qemu-system-x86_64
Port <Unknown>
Host <Unknown>
Source RPM Packages qemu-system-x86-2.3.1-7.fc22.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name --
Platform Linux -- 4.2.6-200.fc22.x86_64 #1 SMP Tue
Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count 1
First Seen 2015-12-07 16:34:46 CET
Last Seen 2015-12-07 16:34:46 CET
Local ID --
Raw Audit Messages
type=AVC msg=audit(--.--:--): avc: denied { create } for pid=-- comm="qemu-system-x86" name="CharUNIX" scontext=system_u:system_r:svirt_t:s0:c--,c-- tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(--.--:--): arch=x86_64 syscall=bind success=no exit=EACCES a0=-- a1=-- a2=-- a3=-- items=0 ppid=1 pid=-- auid=-- uid=-- gid=-- euid=-- suid=-- fsuid=-- egid=-- sgid=-- fsgid=-- tty=(none) ses=-- comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c--,c-- key=(null)
Hash: qemu-system-x86,svirt_t,tmp_t,sock_file,create
Do you plan to fix this, if so, when? commit f373c53cfa7d5eabd5cfd0238ed5fa0a6325a588
Author: Lukas Vrabec <lvrabec>
Date: Mon Dec 7 18:03:27 2015 +0100
Allow virt_domain to create socket file in /tmp. BZ(1268638)
https://github.com/fedora-selinux/selinux-policy/commit/f373c53.patch Man, page needs refresh to show latest commitas. selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683 selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683 -chardev socket,id=charserial0,path=/tmp/CharUNIX,server,nowait \ -device isa-serial,chardev=charserial0,id=serial0 $ socat -d -d /tmp/CharUNIX -,raw,echo=0,escape=0x0f 2015/12/10 09:06:21 socat[9281] N opening connection to AF=1 "/tmp/CharUNIX" 2015/12/10 09:06:21 socat[9281] N successfully connected from local address AF=1 "\xEE\xEE\xEE\xEE\xEE\xEE" 2015/12/10 09:06:21 socat[9281] N successfully connected via <anon> 2015/12/10 09:06:21 socat[9281] N reading from and writing to stdio 2015/12/10 09:06:21 socat[9281] N starting data transfer loop with FDs [3,3] and [0,1] # works OK, thanks (In reply to Cole Robinson from comment #1) > linux doesn't allow binding a to a unix socket filesystem path if the file > already exists. so qemu is forced to unlink the path first, and allow the > bind(2) call to create it. this means libvirt can't stick an svirt label on > the path. > > so my guess is the 'solution' here is to use a properly labelled root > directory for the unix socket, but maybe it makes sense to allow /tmp to > serve that purpose. that's up to the selinux guys though Related was briefly discussed, some time ago in sd, "SELinux labels on unix sockets" http://lists.freedesktop.org/archives/systemd-devel/2015-March/029076.html But yeah, at least here, /tmp would do. This is solved, so why is still open? selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4 selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4 selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
virt-manager: 1. Add New Virtual Serial Device Type: Unix socket Path: /tmp/CharUNIX UNIX domain socket server, the character device acts as a UNIX domain socket server, accepting connections from local clients. domain.xml <serial type='unix'> <source mode='bind' path='/tmp/CharUNIX'/> <target port='0'/> </serial> <console type='unix'> <source mode='bind' path='/tmp/CharUNIX'/> <target type='serial' port='0'/> </console> 2. Run domain - debug: libvirtError: internal error: process exited while connecting to monitor: -- qemu-system-x86_64: -chardev socket,id=charserial0,path=/tmp/CharUNIX,server,nowait: Failed to bind socket to /tmp/CharUNIX: Permission denied SEalert: SELinux is preventing /usr/bin/qemu-system-x86_64 from create access on the sock_file CharUNIX. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that qemu-system-x86_64 should be allowed create access on the CharUNIX sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c--,c-- Target Context system_u:object_r:tmp_t:s0 Target Objects CharUNIX [ sock_file ] Source qemu-system-x86 Source Path /usr/bin/qemu-system-x86_64 Port <Unknown> Host -- Source RPM Packages qemu-system-x86-2.3.1-3.fc22.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.13.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name -- Platform Linux -- 4.1.7-200.fc22.x86_64 #1 SMP Mon Sep 14 20:19:24 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen -- Last Seen -- Local ID -- Raw Audit Messages type=AVC msg=audit(--.--:--): avc: denied { create } for pid=-- comm="qemu-system-x86" name="CharUNIX" scontext=system_u:system_r:svirt_t:s0:c--,c-- tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 type=SYSCALL msg=audit(--.--:--): arch=x86_64 syscall=bind success=no exit=EACCES a0=-- a1=-- a2=-- a3=-- items=0 ppid=1 pid=-- auid=-- uid=-- gid=-- euid=-- suid=-- fsuid=-- egid=-- sgid=-- fsgid=-- tty=(none) ses=-- comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c--,c-- key=(null) Hash: qemu-system-x86,svirt_t,tmp_t,sock_file,create