Bug 1584011
| Summary: | vhost-vsock cannot be labeled by libvirt | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ján Tomko <jtomko> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.6 | CC: | fjin, hannsj_uhl, lvrabec, mgrepl, mmalik, plautrba, ssekidde, yafu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-203.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 10:04:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1291851 | ||
Fix from Fedora:
commit cbbf81af2e284b667d10052d76b4f1d9c183e82a
Author: Lukas Vrabec <lvrabec>
Date: Wed Apr 18 15:33:39 2018 +0200
Label /dev/vhost-vsock char device as vhost_device_t
*** Bug 1591105 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111 |
Description of problem: Libvirt's new vhost-vsock device support for QEMU does not work with SELinux. Version-Release number of selected component (if applicable): libvirt v4.4.0 (to be released in a week - tested by running 'make rpm' in libvirt git) selinux-policy-3.13.1-191.el7.noarch Steps to Reproduce: 1. Start a machine with a <vsock/> device with SELinux enforcing. Libvirt calls: open("/dev/vhost-vsock", O_RDWR) then gives the file descriptor to QEMU via O_CLOEXEC. Actual results: ***** Plugin catchall (6.38 confidence) suggests ************************** If you believe that qemu-kvm should be allowed read write access on the vhost-vsock chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm # semodule -i my-qemukvm.pp Additional Information: Source Context system_u:system_r:svirt_t:s0:c605,c870 Target Context system_u:object_r:device_t:s0 Target Objects /dev/vhost-vsock [ chr_file ] Source qemu-kvm Source Path /usr/libexec/qemu-kvm Port <Unknown> Host <Unknown> Source RPM Packages qemu-kvm-rhev-2.9.0-1.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-191.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name winston Platform Linux winston 3.10.0-783.el7.x86_64 #1 SMP Tue Nov 14 06:28:36 EST 2017 x86_64 x86_64 Alert Count 1 First Seen 2018-05-21 16:53:56 CEST Last Seen 2018-05-21 16:53:56 CEST Local ID e14e2b20-9618-4afa-9282-0818d7136d9a Raw Audit Messages type=AVC msg=audit(1526914436.107:17377): avc: denied { read write } for pid=16200 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=583662 scontext=system_u:system_r:svirt_t:s0:c605,c870 tcontext=system_u:object_r:device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1526914436.107:17377): arch=x86_64 syscall=execve success=yes exit=0 a0=7fe9a0010bf0 a1=7fe9a0010160 a2=7fe9a001f3d0 a3=8 items=0 ppid=1 pid=16200 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c605,c870 key=(null) Hash: qemu-kvm,svirt_t,device_t,chr_file,read,write Expected results: No AVC denial. Additional info: Libvirt cannot use the per-domain label on the file descriptor, because the vhost-vsock device can be used by multiple domains.