Bug 1375462

Summary: VM can't be started if its name contains special word, denied by selinux policy

Product: Red Hat Enterprise Linux 7
Reporter: zhe peng <zpeng>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, rlocke, ssekidde, tlavigne, yafu, zpeng
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-99.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 02:38:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description zhe peng 2016-09-13 08:20:03 UTC
Description of problem:
VM can't be started if its name contains a word like "reboot" or "shutdown"

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-96.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. # virsh start testrebootvm
error: Failed to start domain testrebootvm
error: SELinux policy denies access.

check libvirtd.log
2016-09-13 08:15:01.125+0000: 7967: info : virDBusCall:1558 : DBUS_METHOD_ERROR: 'org.freedesktop.machine1.Manager.CreateMachineWithNetwork' on '/org/freedesktop/machine1' at 'org.freedesktop.machine1' error org.freedesktop.DBus.Error.AccessDenied: SELinux policy denies access.
2016-09-13 08:15:01.125+0000: 7967: error : virSystemdCreateMachine:383 : SELinux policy denies access.

check audit.log
type=USER_AVC msg=audit(1473754630.102:1869): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/run/systemd/system/machine-qemu\x2d14\x2drhelreboot.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=ANOM_PROMISCUOUS msg=audit(1473754630.113:1870): dev=vnet1 prom=0 old_prom=256 auid=4294967295 uid=107 gid=107 ses=4294967295
type=SERVICE_START msg=audit(1473754630.136:1871): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1473754630.315:1872): pid=7961 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=start vm="rhelreboot" uuid=2a86fbb4-144c-4f88-be43-2818785e1287 old-disk="?" new-disk="/nfs-images/yafu/ovmf-q35-rel-eng-sec.qcow2" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_RESOURCE msg=audit(1473754630.316:1873): pid=7961 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=net reason=start vm="rhelreboot" uuid=2a86fbb4-144c-4f88-be43-2818785e1287 old-net="?" new-net="52:54:00:a0:05:16" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'


Actual results:


Expected results:
the guest can be started.

Additional info:
Seems to be a regression in selinux; I downgraded selinux to selinux-policy-3.13.1-71.el7 and the problem went away.

Comment 1 Milos Malik 2016-09-13 09:03:30 UTC
Please collect all SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 2 zhe peng 2016-09-13 10:12:36 UTC
It's a new machine with the latest rhel tree:
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=USER_AVC msg=audit(09/13/2016 18:10:07.514:22970) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/run/systemd/system/machine-qemu\x2d12\x2dtestrebootvm.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/13/2016 18:10:40.887:22982) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/run/systemd/system/machine-qemu\x2d13\x2dtestrebootvm.scope cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Comment 4 Milos Malik 2016-09-13 10:26:19 UTC
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-97.el7.noarch
selinux-policy-minimum-3.13.1-97.el7.noarch
selinux-policy-3.13.1-97.el7.noarch
selinux-policy-sandbox-3.13.1-97.el7.noarch
selinux-policy-devel-3.13.1-97.el7.noarch
selinux-policy-mls-3.13.1-97.el7.noarch
selinux-policy-doc-3.13.1-97.el7.noarch
# matchpathcon /run/systemd/system/machine-qemu\x2d12\x2dtestrebootvm.scope
/run/systemd/system/machine-qemux2d12x2dtestrebootvm.scope	system_u:object_r:power_unit_file_t:s0
#

If the "reboot" word disappears then the label is different:

# matchpathcon /run/systemd/system/machine-qemu\x2d12\x2dtestvm.scope
/run/systemd/system/machine-qemux2d12x2dtestvm.scope	system_u:object_r:systemd_unit_file_t:s0
# 

I guess that some of the SELinux policy patterns are too broad. Most likely these:

# semanage fcontext -l | grep -e '/usr/lib/systemd/system/\.'
/usr/lib/systemd/system/.*halt.*                   regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*power.*                  regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*sleep.*                  regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*reboot.*                 regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*suspend.*                regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*shutdown.*               regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*hibernate.*              regular file       system_u:object_r:power_unit_file_t:s0 
/usr/lib/systemd/system/.*xen.*\.service           regular file       system_u:object_r:virtd_unit_file_t:s0 
#
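The labelling mismatch in Comment 4 comes down to how file context regexes are matched against a transient unit name. The following added example (not part of the bug report or of the selinux-policy package) models that: it escapes the libvirt machine name the way systemd does to build the `machine-<name>.scope` unit path, applies the keyword patterns quoted above under a simplified file_contexts lookup, and contrasts them with a hypothetical narrower spelling. Assumptions are marked in comments: the `/run/systemd/system` entries, the `systemd_unit_file_t` fallback and the narrower patterns are constructed for the demo, not the rules shipped in selinux-policy-3.13.1-99.el7.

```python
import re

# Keyword patterns quoted from `semanage fcontext -l` in the bug report. The real
# policy has many more entries; this is a constructed subset for the demo.
POWER_KEYWORDS = ["halt", "power", "sleep", "reboot", "suspend", "shutdown", "hibernate"]

# /usr/lib/systemd/system is the directory shown by the report's grep. The report's
# matchpathcon output labels the transient scope under /run/systemd/system the same
# way, so the demo applies the keyword patterns to both directories (assumption: the
# /run entries approximate whatever equivalent rule the shipped policy contains).
UNIT_DIRS = ["/usr/lib/systemd/system", "/run/systemd/system"]

BROAD_FCONTEXTS = [
    (rf"{d}/.*{kw}.*", "power_unit_file_t") for d in UNIT_DIRS for kw in POWER_KEYWORDS
]

# Hypothetical narrower spelling (an illustration, not the fix that shipped): the
# keyword must sit in a static unit *file name* ending in .service or .target, so a
# transient "machine-*.scope" whose escaped name merely contains "reboot" no longer
# matches.
NARROW_FCONTEXTS = [
    (rf"{d}/[^/]*{kw}[^/]*\.(service|target)", "power_unit_file_t")
    for d in UNIT_DIRS for kw in POWER_KEYWORDS
]


def systemd_escape(name: str) -> str:
    """Escape a string the way systemd-escape does for use inside a unit name:
    '/' becomes '-'; '-' and any other byte outside [A-Za-z0-9:_.] becomes \\xHH;
    a leading '.' is escaped as well. This is why the denied path in the report
    reads machine-qemu\\x2d12\\x2dtestrebootvm.scope."""
    out = []
    for i, ch in enumerate(name):
        if ch == "/":
            out.append("-")
        elif ch.isascii() and (ch.isalnum() or ch in ":_") or (ch == "." and i > 0):
            out.append(ch)
        else:
            out.extend(f"\\x{b:02x}" for b in ch.encode())
    return "".join(out)


def machine_scope_path(machine_name: str, unit_dir: str = "/run/systemd/system") -> str:
    """systemd-machined names a machine's transient unit 'machine-<escaped name>.scope';
    libvirt's machine name for a guest is 'qemu-<domain id>-<domain name>'."""
    return f"{unit_dir}/machine-{systemd_escape(machine_name)}.scope"


def match_context(path: str, fcontexts, default: str = "systemd_unit_file_t") -> str:
    """Simplified file_contexts lookup: every regex is implicitly anchored at both ends
    and, when several entries match, the last one wins. 'default' stands in for the
    generic systemd unit-directory rule that would otherwise apply (assumed here)."""
    label = default
    for pattern, ctx_type in fcontexts:
        if re.fullmatch(pattern, path):
            label = ctx_type
    return label


if __name__ == "__main__":
    # Domain ids and names taken from the report; the escaped form matches its audit log.
    for machine in ("qemu-12-testrebootvm", "qemu-12-testvm"):
        path = machine_scope_path(machine)
        print(path)
        print("  broad patterns :", match_context(path, BROAD_FCONTEXTS))
        print("  narrow patterns:", match_context(path, NARROW_FCONTEXTS))
    # A real power-management unit (constructed example path) keeps its label either way.
    static_unit = "/usr/lib/systemd/system/systemd-reboot.service"
    print(static_unit)
    print("  broad patterns :", match_context(static_unit, BROAD_FCONTEXTS))
    print("  narrow patterns:", match_context(static_unit, NARROW_FCONTEXTS))
```

Running it shows the scope for `testrebootvm` landing on `power_unit_file_t` under the broad patterns and on the generic unit label under the narrow ones, while `testvm` and a genuine `systemd-reboot.service` are labelled identically under both sets. The same check is a cheap regression test for any custom `semanage fcontext` rule: feed it the unit names your hosts actually generate before trusting a `.*keyword.*` pattern.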

Comment 5 Milos Malik 2016-09-13 10:27:25 UTC
Nice catch!

Comment 12 Lukas Vrabec 2016-09-22 11:21:18 UTC
*** Bug 1378235 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2016-11-04 02:38:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html