Bug 1540702

Summary: Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"
Product: Red Hat Enterprise Linux 7
Reporter: Jean-Tsung Hsiao <jhsiao>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.4
CC: aconole, atragler, ctrautma, fleitner, jhsiao, kzhang, lvrabec, mgrepl, mmalik, plautrba, rcain, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-191.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 12:49:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jean-Tsung Hsiao 2018-01-31 19:48:35 UTC
Description of problem: Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This happened when SELinux is set to Enforcing. A workaround is to set SELinux to Permissive.

Version-Release number of selected component (if applicable):
[root@netqe10 vxlan-tunnel]# uname -a
Linux netqe10.knqe.lab.eng.bos.redhat.com 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@netqe10 vxlan-tunnel]# rpm -q openvswitch
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64

[root@netqe10 vxlan-tunnel]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
openstack-selinux-0.8.13-1.el7ost.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
container-selinux-2.41-1.git126c1c0.el7.noarch

How reproducible: Reproducible


Steps to Reproduce:
1. Configure an OVS-DPDK bridge with dpdkvhostuserclient, and an NFV guest with vhostuser in server mode.
2. Start the guest while SELinux=Enforcing.

Actual results: Starting guest got this issue.


Expected results: Starting guest should be successful with Selinux=Enforcing.


Additional info:

Comment 2 Jean-Tsung Hsiao 2018-01-31 22:41:47 UTC
Got the same issue with OVS 2.9.0-0.3.20180124git26cdc33.el7fdp.x86_64 under 3.10.0-693.11.6.

Comment 3 Milos Malik 2018-02-01 08:24:27 UTC
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s svirt_t -t tmp_t -c sock_file -T

# sesearch -s svirt_t -t tmp_t -c sock_file -p create -A -C -D

#

Comment 5 Jean-Tsung Hsiao 2018-02-01 16:00:08 UTC
Got the same issue with openvswitch-2.9.0-0.1.20180108git8e3a28c.el7fdp under RHEL 7.5 kernel-837.

Comment 12 Lukas Vrabec 2018-02-07 09:09:15 UTC
*** Bug 1542673 has been marked as a duplicate of this bug. ***

Comment 15 Milos Malik 2018-02-08 11:14:36 UTC
QEMU is able to create and manipulate the socket,

# sesearch -s svirt_t -t tmp_t -c sock_file -T
Found 1 semantic te rules:
   type_transition svirt_t tmp_t : sock_file svirt_tmp_t; 

# sesearch -s svirt_t -t svirt_tmp_t -c sock_file -A -C -D
Found 1 semantic av rules:
   allow virt_domain svirt_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

but Open vSwitch cannot access the socket as mentioned in comment#8:

# sesearch -s openvswitch_t -t svirt_tmp_t -A -C -D
Found 2 semantic av rules:
   allow openvswitch_t file_type : filesystem getattr ; 
   allow domain tmpfile : file { ioctl read getattr lock append open } ; 

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-189.el7.noarch
selinux-policy-devel-3.13.1-189.el7.noarch
selinux-policy-3.13.1-189.el7.noarch
#

Comment 16 Aaron Conole 2018-02-08 14:16:15 UTC
Milos,

The AVC:

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This reads the source context = svirt_t

Did I misunderstand something?

Comment 17 Milos Malik 2018-02-08 14:36:07 UTC
qemu-kvm processes are labeled svirt_t, but Open vSwitch processes (ovsdb-server and ovs-vswitchd) are labeled openvswitch_t.

Comment 22 Milos Malik 2018-02-15 14:33:29 UTC
Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7) installed? Does it work?

Thank you

Comment 23 Jean-Tsung Hsiao 2018-02-16 03:50:49 UTC
(In reply to Milos Malik from comment #22)
> Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7)
> installed? Does it work?
> 
> Thank you

No, it won't work.

Got lots of AVCs like these until "setenforce 0":

type=AVC msg=audit(1518752799.102:978): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752801.102:980): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752802.102:981): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752803.102:982): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752804.102:983): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

Related packages:

[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-python-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch
[root@netqe19 vhostuserclient-test]# rpm -q openvswitch
openvswitch-2.9.0-0.4.20180124git26cdc33.el7fdp.x86_64

Comment 24 Jean-Tsung Hsiao 2018-02-16 21:29:11 UTC
Hi Lukas,

Sorry, 190 does not fix the issue. See the following AVCs coming out until "setenforce 0".
Please see attached below.
Thanks!
Jean
==================================================
[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-190.el7.noarch
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-190.el7.noarch

type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816173.126:1319): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816174.126:1320): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816175.126:1321): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816176.127:1322): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816177.127:1323): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
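The three denial shapes in this bug (svirt_t creating a sock_file in tmp_t, openvswitch_t writing the svirt_tmp_t socket, openvswitch_t connecting to the svirt_t unix_stream_socket) are easiest to triage once the repeated audit lines are collapsed to unique (source type, target type, class, permission) tuples and turned into the sesearch queries used in comment 15. This is an added helper, not code from the bug report or the selinux-policy project; the sample audit text is constructed from the AVC lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: one line of each denial shape reported in this bug,
# plus one repeat, taken from the AVC records quoted in the comments.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752799.102:978): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; everything after "for" is key=value pairs.
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type (third field) of an SELinux context such as system_u:system_r:svirt_t:s0:c495,c759."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize_denials(text):
    """Collapse repeated denials into a Counter keyed by (stype, ttype, tclass, perm)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def sesearch_queries(counts):
    """One sesearch query per unique denial, to check whether the installed policy allows it."""
    return [f"sesearch -s {s} -t {t} -c {c} -p {p} -A" for (s, t, c, p) in sorted(counts)]
```

Running `sesearch_queries(summarize_denials(open("/var/log/audit/audit.log").read()))` on a host reproducing the bug yields exactly the queries to run against the candidate selinux-policy build before re-testing the guest.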

Comment 25 Jean-Tsung Hsiao 2018-02-16 21:41:43 UTC
(In reply to Jean-Tsung Hsiao from comment #24)
> Hi Lukas,
> 
> Sorry, 190 does not fix the issue. See the following AVC's coming out until
> "setenforce 0".
> Please see attached below.
> Thanks!
> Jean
 

Please note that I have changed /etc/libvirt/qemu.conf to fix the other bug:

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
group = "hugetlbfs"

[root@netqe19 vhostuserclient-test]# !ll
ll /tmp/vhost*
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:22 /tmp/vhost0
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:23 /tmp/vhost1

Comment 32 errata-xmlrpc 2018-04-10 12:49:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763